All Ahead Full… Bureaucracy: The DoD’s New “Do Not Buy” Software List

Another day, another head scratcher from the DoD regarding cyber security policies. BleepingComputer.com reported on July 30 that the Department of Defense (DOD) has been quietly developing a “Do Not Buy” list of companies known to use Chinese and Russian software in their products. According to Under Secretary of Defense for Acquisition, Technology and Logistics and former CEO of Textron, Ellen Lord, the Pentagon plans to work with three defense industry trade associations —the Aerospace Industries Association, the National Defense Industrial Association, and the Professional Services Council— to alert contractors about problematic products that the Pentagon sees as potential threats.

The program will be voluntary. Lord is quoted as saying, “The Department shared the list with DOD agencies but have not enforced or made it obligatory.” In other words, the threats are serious enough to warrant a “Do Not Buy” list, but the DoD will not actually require its contractors to avoid buying products that may threaten the lives of US service men and women. Got it?

I reached out to the DoD and the Undersecretary’s office for comment, but got no response. Other experts have weighed in on the matter, however. Terry Ray, CTO of attack analytics vendor Imperva, explained, “This really isn’t new. For years all software running in sensitive Federal departments underwent technical scrutiny.  It is common for the US government to scan software used in their environments for backdoors and other imbedded code or configurations that may allow hidden or previously unidentified connections inbound or outbound to the technology.”

So, perhaps the problem is not as severe as it sounds, given that existing procedures mitigate the risks of malware in defense-related code. As Ray shared, “There was a case 15+ years ago against an Israeli security company that prevented that company from selling within certain branches of the US government. That company had failed to document an available connection point within the software sometimes used for support. This connection was picked up through the Federal inspection process and the vendor was effectively prevented from selling into whole departments, primarily in defense.”

Ray then added, “At the moment, I have not seen details on any new inspection processes which makes me think the technical review will utilize existing techniques.  However, it’s important to note that other well-developed countries operate similarly and prefer to purchase and implement, in country, political ally or open source technology in lieu of off-the-shelf products offered by the US or it is allies.”

Johnathan Azaria, security researcher at Imperva noted, “This is not surprising when considering that some software manufactured in China was shipped with out-of-the-box malware. The possible threat from such software ranges from unintentional security issues that simply weren’t patched properly, to a hard coded backdoor that will grant access to the highest bidder. We hope that the news of this list will urge manufacturers to put a larger emphasis on product security.”

Why Are Defense Contractors Vulnerable to Cyber Attack?

Recent incidents have demonstrated how vulnerable defense contractors can be to cyberattack. Jeff Buss, Captain, (USN, Retired) offered a perspective, saying, “Sophisticated actors often hunt like a lion or pack of wolves, targeting the weakest gazelle as their pray.  In the case of cyber security, the weakest gazelle is often a small subcontractor who can’t afford to put the extensive cyber security controls in place that a large company can.  The concept of Lowest Price Technically Acceptable – LPTA contracting exacerbates this issue by having companies do the minimum necessary to be technically acceptable.  Verifying cyber security controls across the entire logistics/supply chain is needed but is costly and takes a significant amount of time, hence the issue.”

Fighting the “Wolf Pack” of Hackers

Noam Erez, CEO and co-founder of XM Cyber, provided some guidance. He said, “Even when a military contractor has deployed and configured modern security controls, applied patches and refined policies, it should still ask, ‘Are my most important assets really secure?’ This question is crucial because there are many ways that hackers can infiltrate a network and compromise critical assets. Contractors must get ahead of the hackers and shore up their networks in advance to prevent any attempted attacks. The most effective method is to take the hacker’s point of view and test security defenses using every possible attack scenario and path.  This will expose all the security holes and blind spots that hackers might leverage, enabling the contractors to shore up their defenses and protect their crown jewels.”

Photo Credit: Michel_Rathwell Flickr via Compfight cc