The Pentagon is warning the military and its contractors not to use software it deems to have Russian and Chinese connections, according to the U.S. Defense Department’s acquisition chief.
Officials have begun circulating a “Do Not Buy” list of software that does not meet “national security standards,” Ellen Lord, defense undersecretary for acquisition and sustainment, said Friday.
“We had specific issues … that caused us to focus on this,” Lord told reporters at the Pentagon.
“What we are doing is making sure that we do not buy software that’s Russian or Chinese provenance,” she said. “Quite often that’s difficult to tell at at first glance because of holding companies.”
The Pentagon started compiling the list about six months ago. Suspicious companies are put on a list that is circulated to the military’s software buyers. Now the Pentagon is working with the three major defense industry trade associations — the Aerospace industries Association, National Defense Industrial Association and Professional Services Council — to alert contractors small and large.
“It’s a huge education process,” Lord said.
Lord said defense officials have also been working with the intelligence community to identify “certain companies that do not operate in a way consistent with what we have for defense standard.” Asked if programs and weapons were compromised by foreign software, Lord said, “These are more widespread issues. I don’t think we’re focused on one particular system.”
The IC has grown increasingly concerned about foreign entities compromising U.S. software. This compromising activity can take several forms, as described by a new report from the National Counterintelligence and Security Center, an unclassified version of which was released on Thursday. For example, Chinese businesses have been eagerly investing in American startups that work in artificial intelligence.
The report also notes that U.S. companies that want to sell software abroad are often required to allow foreign intelligence services to examine their source code. This may allow the foreign governments to discover vulnerabilities that can be exploited later on. “Recent Chinese laws—including laws on national security and cybersecurity—provide Beijing a legal basis to compel technology companies operating in China to cooperate with Chinese security services,” notes the new report.
Russia has similar laws. Last June, Reuters reported that IBM, Cisco, and Germany’s SAP had allowed the FSB, a Russian intelligence service, to examine key source code in various software products. In October, Reuters said the scrutiny had been extended to an HP Enterprise product called ArcSight, described as a “cybersecurity nerve center for much of the U.S. military, alerting analysts when it detects that computer systems may have come under attack.”
“If a U.S.-based company wants to go into China and facilitate and enlarge their business from a global perspective, they have to hand over source code and when they get online, they’re working with not only that company in China, but what — the PLA and the MSS, right?,” said William Evanina, who directs the National Counterintelligence and Security Center.
“So it’s an unfair playing advantage, and the metaphor I would use is: could you imagine if a company coming to do business in the U.S. had to deal with not only our government, but CIA, NSA, the Department of Commerce, Treasury, as well as maybe some U.S.-based oligarchs, right? It’s just foreign to us, but that’s part of the understanding that we need to have, the understanding that when they globalize their goods and services, that we’re at an unfair advantage in those countries,” Evanina said.
Last October, a Pentagon spokesperson told Defense One that there was no specific prohibition to prevent the department from buying software that the Russian intelligence service had looked through.
Said Lord, “It really speaks to cybersecurity writ large…It’s one of our greatest concerns right now. This is a challenge for us in terms of how to deal with the industrial base, particularly small companies that don’t always have the resources. It’s more making sure we have secure systems overall for our data and information.”
The Pentagon has made several moves in recent years to make sure defense firms have adequate cyber defenses for not only themselves, but all suppliers. All supplies, large and small, were supposed meet new, more stringent standards by last January. But after contractors said they would not be able to meet those guidelines, the Pentagon instead required them to submit a plan to meet those benchmarks by January.
“There is an expectation that standards will be met within industry and up to this point in time there’s has really been self reporting, saying ‘Here is my process and here is how we’re complying and here are issues we have,’” Lord said Friday.
In response, the Pentagon has “softened some of our requirements,” Lord said. “I don’t think we can continue to do that moving forward and in fact we’re probably going to have to increase some of those requirements.”
Last week at the Farnborough Air Show in the U.K., Lord’s deputy, Kevin Fahey, warned that the Pentagon could stop awarding contracts to companies if it deems their weapons and products are not cyber hardened.
Lord on Friday said the Pentagon will soon start “red-teaming” companies to “see how robust their systems are.”
“The reality of the world we live in means that cyber security is going to become more and more of a discriminator as we look at our industrial base,” she said.