The United States Department of Defense (DOD) has been quietly working on a “Do Not Buy” list of companies known to use Chinese and Russian software in their products, the Pentagon’s acquisition chief confirmed at a press conference, according to Reuters.
Ellen Lord, the defense undersecretary for acquisition and sustainment, said the Pentagon started compiling the list about six months ago. She said the Department has shared the list with DOD agencies but has not enforced it or made it obligatory. The Pentagon hopes these contractors will switch to products deemed safe when supplying it with equipment and services under future contracts.
“What we are doing is making sure that we do not buy software that’s Russian or Chinese provenance,” Lord said, as cited by Defense One. “Quite often that’s difficult to tell at first glance because of holding companies.”
In the past year, U.S. officials have banned the use of products from Russian antivirus vendor Kaspersky Lab and Chinese hardware vendor ZTE on government networks, citing national security concerns. U.S. officials claim that the foreign intelligence agencies of those countries have used data gathered by these two companies to spy on America.
Lord said that they’ve also been looking into the actions of U.S. companies abroad. The official was referring to U.S. companies that agreed to allow foreign intelligence agencies to review the source code of their software in order to be granted permission to sell products in that country.
Back in June 2017, it was reported that tech firms such as IBM, Cisco, SAP, HPE, and McAfee had agreed to let a Russian government agency review the source code of their products.
HPE, in particular, let Russian investigators analyze the source code of ArcSight, a software product deeply integrated into the DOD’s network.
Chinese officials are also conducting similar code reviews, albeit to a lesser degree, as Western companies have a smaller presence in China’s crowded internal market, where local companies reign undisputed.
U.S. officials fear that Russia and China might use the knowledge they gained from analyzing these products to mount cyber-attacks on U.S. companies and government networks where the products are deployed.