Pentagon creates a software ‘do not buy’ list to keep out code from China and Russia
The list is meant to help the Department of Defence limit its supply chain for problematic software code
The Pentagon is working on a software “do not buy” list to close its supply chain to software code originating from Russia and China, a top Pentagon acquisitions official said on Friday.
Ellen Lord, the undersecretary of defence for acquisition and sustainment, said the Pentagon has been working for six months on a “do not buy” list of software vendors.
The list is meant to help the Department of Defence’s acquisitions staff and industry partners avoid purchasing problematic code for the Pentagon and suppliers.
“What we are doing is making sure that we do not buy software that [has] Russian or Chinese provenance for instance, and quite often that’s difficult to tell at first glance because of holding companies,” she told reporters at the Pentagon office.
The Pentagon has worked closely with the intelligence community, she said, adding “we have identified certain companies that do not operate in a way consistent with what we have for defence standards.”
Lord did not provide any further details on the list.
Lord’s comments were made ahead of the likely passage of the Pentagon’s spending bill by Congress as early as next week. The bill contains provisions that would force technology companies to disclose if they allowed countries such as China and Russia to examine the inner workings of software sold to the US military.
The legislation was drafted after a Reuters investigation found that software makers allowed a Russian defence agency to hunt for vulnerabilities in software used by some agencies of the US government, including the Pentagon and intelligence agencies.
Security experts said allowing Russian authorities to look into the internal workings of software, known as source code, could help adversaries like Moscow or Beijing to discover vulnerabilities they could exploit to more easily attack US government systems.
Lord added that an upcoming report on the US military supply chain will show that the Pentagon depends on foreign suppliers, including Chinese firms, for components in some military equipment.
She said the Pentagon also wants to strengthen its suppliers’ ability to withstand cyberattacks and will test their cybersecurity defences by attempting to hack them.
The Pentagon disclosed the measures as the federal government looks to bolster cyber defences following attacks on the United States that the government has blamed on Russia, North Korea, Iran and China.
The Department of Homeland Security this week disclosed details about a string of cyberattacks that officials said put hackers working on behalf of the Russian government in a position where they could manipulate some industrial systems used to control infrastructure, including at least one power generator.