The Pentagon has drawn up a “do not buy” list of suppliers, reports the Defense One news site.
Recent hacks of major multinational companies have heightened caution, prompting the US military to warn against installing software believed to have been compromised by foreign sources such as Russian or Chinese state-backed hackers.
Legitimate-looking software developers could be fronts for enemy hacker groups, the Pentagon was told.
The news follows official warnings about software supply-chain attacks that target widely used programs.
The Pentagon started to draw up the list in early 2018 and it is regularly circulated to procurement chiefs and other teams who source software for the armed forces. No details of which software packages or developers are on the list have been released.
In addition, contractors who work with the US military to provide technology-related services are being ‘educated’ about companies that look suspicious.
Speaking to Defense One, Ellen Lord, US defence undersecretary for acquisition, refused to comment on whether any weapons or projects run by the US military had been infiltrated by compromised software.
Rather than concentrating on individual programs or weapon systems, she said, the Pentagon was concerned with the broader issue of finding and using trustworthy code.
Attempts to subvert code could take several different forms, suggested a report by the US National Counterintelligence and Security Center. It could involve:
- booby-trapped software directly written by developers with surreptitious links to enemy states
- compromising software from US companies via vulnerabilities found when foreign powers vet the code for their own use
- subtler influence such as large-scale Chinese investment in artificial intelligence start-ups
Russia maintains it is not involved in cyber-espionage, according to Vitaliy Shevchenko. Russia has said sanctions imposed on companies such as its homegrown cyber-security firm Kaspersky Lab were simply examples of unfair American competitive practices.
Mr Shevchenko said Russia’s information strategy regarded imported software as a threat in the same way the Pentagon did. However, he added, it was not clear how much success Russia had had in swapping suspect code for native alternatives.
The ‘do not buy’ list comes after several warnings over software and equipment already widely used in the US and UK.
Telecoms hardware and code from Huawei and ZTE have been subjected to intense scrutiny in recent months. Earlier this month, a UK government report said it had ‘only limited assurance’ that Huawei’s kit posed no threat to national security.