Pentagon 'do not buy' list says нет to Russia, 不要 to Chinese code The US military is drawing up a list of overseas organizations – primarily in Russia and China, funnily enough – that the Pentagon and its contractors shouldn't buy software from, citing security concerns. In a briefing with journalists on Friday, Ellen Lord, US defense undersecretary for acquisition and sustainment, said …
"[S]ome are going to question if this latest list is really a security issue or just protectionism in the defense industry."
Why not both? I know a lot of commentards will jump on the bandwagon of directing hate towards the US for apparent hypocrisy, but there is no hypocrisy in attempting to protect oneself. Necessary, the desire for self-protection involves both arming oneself and disarming one's enemies.
"Do you like getting handjobs?"
"Yes."
"Do you like giving handjobs?"
"No."
"See, it's not hypocritical."
George W. Bush to Harold and Kumar in "Harold & Kumar Escape from Guantanamo Bay"
If it was protectionism, they would ban all non-US sources rather than just two countries. It isn't as if Russia is a big exporter anyway - their economy is the size of Italy's, so it won't cause any real change in behavior other than no more Kaspersky.
It is the ban on China that will have a big impact, especially since a lot of companies based in other countries are selling stuff with their logo and a few tweaks to firmware to claim it as their own that's just white label Chinese. Try and find IP CCTV cameras that aren't made by Chinese companies like Hikvision and running their firmware, for instance. Even if you "buy American" you still get Chinese.
If it was protectionism, they would ban all non-US sources rather than just two countries.
It's all done in small stages. First Kaspersky (um, surely a globally leading Good Guy). Then various Chinese bigcos on varying pretexts. Now a little more.
For non-US western companies there's a different approach, and it's outsourced. Use bogus patents to cripple Blackberry, leaving it a Suit-dominated company which can no longer innovate and dies a natural death. Lend a helping hand to Nokia's self-immolation.
Tariffs didn't happen all at once either. Divide and rule. If they'd hit their friends and allies (Canada, Mexico, the EU) at the same time as they hit China, the world might've got together and stood more united.
You're conflating stuff that happened with private companies (i.e. Nokia hiring a former Microsoft guy, then getting mostly bought out by Microsoft) and things that are only happening because of Trump (trade battles with Canada)
If you think there's a grand strategy behind all this, you must imagine quite a massive conspiracy - a conspiracy which includes Trump. The only conspiracies Trump is interested in are those that benefit him personally. He's a shitty president and I'd struggle to find anything good to say about him as a man, but I can't see him participating in the type of long term grand conspiracy you envision. There's nothing in it for him, and he switches positions at the drop of a hat so he could claim "he won" the trade war and drop all the tariffs tomorrow. And he will if he thinks it'll benefit him politically.
At this point in the 2008 election cycle no one knew who Obama was, let alone thought he had a chance of being elected president. At this point in the 2016 election cycle everyone assumed the race would be between Hillary and Jeb Bush, and while people knew who Trump was few thought he'd run for president and everyone assumed if he did it would only be for a short time for publicity.
Assuming Trump will win because it isn't clear who will be running against him is foolish. Hell, assuming he will be president in 2020, rather than Pence, is probably foolish...
More than that, what other countries are potential tech sellers to the US, except Russia and China?
Venezuela? Iran? Unlikely they have something the US are interested in. All the other potential sellers can be summed as Five Eyes, NATO members or US "allies" aligned by similar agreements.
Those toe the US line geopolitically anyways and have nothing to gain from pwning or shutting down US infrastructure
An "N.I.H." posture with respect to national defense should be considered 'prudent'.
And open source stuff could simply be 'hardened'. BSD comes to mind, in that regard. Linux too, if the GPL is simply ignored for national security reasons. But if it's kept a secret, nobody would know [or disclose it] so there ya go.
As for anti-virus and security tools, if it's closed source and NOT a U.S. based company, and/or phones home with any data, it's by definition 'insecure' and shouldn't be in use by the military or any government agency that deals with classified information.
To a degree all major militaries like to have as much of their toys, etc. made locally and if they can not keep it local farm it out to a companies in a friendly country. So when the Pentagon says adios to the Russians and Chinese they are in essence saying, somewhat politely, they are potential enemies in real shooting war. So keep your supply chain out of their hands as much as possible. Also, this increases economic leverage against both as the beneficiaries will US and companies in the EU, Canada, etc. as they will not have Russian or Chinese firms allowed to bid.
"Oranges grown in the south are sweet, in the north sour" is an old Chinese reference to nations and supposed differences between them. The most interesting version of the story is all about counting diplomatic coup. So posturing has precedent, yes.
But... the pessimist can imagine four coming developments following from reasonable security worries.
One is that any business or industry that is credibly critical national infrastructure will be required to show not only disaster recovery style duplication of internal infrastructure, but also that one leg of that duplication employs only 'trustworthy' components. Think banks, local governments, energy companies, and the like.
Second is that it might become hard to find everything needed from unassailable sources. And so each state may find it necessary to sponsor and support domestic component development. Quite like China has been doing for the last few decades. Or, hey, like the fallout we've seen lately regarding GPS?
And this might be hard for hardware/software development, since the personnel devoted must also be unassailable (not on visa for instance). And so not only will governments keep winding the STEM, but make it more urgent through national service. "The Marine Corps builds coders!"
And then we'd come full circle. Would a company $here hire someone who has been in national service $there? Y'kno, weaponized?
A pessimist's thoughts are nightmares. I'm not suggesting the above, but am at a loss against the natural progression of ideas. What do you do to guarantee a nation's (or union's) security in the face of a hostile untrustworthy world?
Obviously, a significant chunk of the USA is currently in protectionist mode, for good or bad. However, considering...
A) The long term consistent hacking and IP robbery from both China and Russia
&
B) The long term malware infestations resulting from the installation and use of a lot of Chinese software (check out Android malware infestations specifically within China)
...This 'Do Not Buy' list goes into my #MySmartGovernment column. Ideally, this right good smack at these two criminal nations will convince them to go straight and contribute to the computer community rather than continuing to abuse it. We can dream. (^_^)
When considering A) and B) always be aware of NSA's proven activities.
Excluding the good ol' US of A from your list of 'criminal nations' is blatantly choosing sides. They're all at it, and it's been done in analogue meatspace for a lot longer than it's been going on over the internet.
What's happening now is that their activities are butting up against the complex web of nation inter-dependence that globalisation and manufacturing outsourcing has caused, and the fact that the Internet is a globally shared infrastructure between the largest most powerful nations, militaries and companies as well as great-grandma Elizabeth. Which means it has millions of weak links that can be exploited. Billions once the (id)IoT uptake reaches critical mass.
Too tempting for any government that thinks its spooks are above the law (hint: that's all of them).
This is not new behavior and it is not the whole process. The US government has long taken a prescriptive approach in terms of approving software. There are a variety of lists in fact, from the level this article addresses to the various departments and agencies that make up the government. Each entity reviews each piece of software (including the specific version of each) and creates an approved list that can be used on their systems. At least this is what they are supposed to do - YMMV. This new directive can be best viewed as an additional filter among several already in place.
More telling to me is the statement from the article concerning China and Russia trying to "invest" in American (and I am sure other countries') software companies. There may be perfectly legitimate reasons for making these acquisitions through shell companies and using other methods to obfuscate involvement but that does not mean that the US military should assume the activity is benign.
I can't help wonder what would happen if reports were to leak out that the Russian government has put a ban on certain US IT products because of the risk that the FBI has been adding backdoors.
If this were to happen I wouldn't be surprised if several US companies, or even the US government itself, would try to sue or slander Russia for spreading lies and for discrediting US companies. Because... only Russia and China can be the bad guys I suppose?
I was tempted to note that if they're filtering software by country of origin, and nothing else, they are beyond hope for any kind of security. But I doubt it. I doubt every word they state. This is the military of the Country of Mystery. And Sparkles. Of course they have an ulterior motive. It might as well be the only motive.
They're good at that game. One of the reasons for the Fall of Soviet Communism is that they convinced the rooskies that everything American was shiny and good, so they spent more on industrial spying than they did on R&D. I feel confident that both bogus plans for real cool things, and real plans for bogus cool things, were on offer. I forget which Communist leader said to America "We will buy from you the means of your own destruction", but he must be turning over in his place of rest and possibly display, because the other guys put the pea under a different walnut shell.
One of the reasons for the Fall of Soviet Communism is that they convinced the rooskies that everything American was shiny and good, so they spent more on industrial spying than they did on R&D. I feel confident that both bogus plans for real cool things, and real plans for bogus cool things, were on offer.
Might I suggest that you google "Farewell Dossier" and have a read?
Armed with foreknowledge of what the Soviets were trying to steal it was ensured that they stole "designed to be faulty" processors, control code etc. When this stolen technology was used it screwed with factory output which helped add to the infamous soviet quality problems, and it's claimed that this was directly responsible for the siberian pipeline explosion in 1982.
10: American software, written by Americans using an American written OS, IDE, and Compiler running on an American-built PC using nothing but American designed, built and programmed components that themselves are running ...; GOTO 10
Just because you're paranoid doesn't mean that they're not out to get you.
On the other hand, it's hopeless.
The aim is to stop code with Russian and Chinese origins or connections from being purchased and/or used by America's armed forces and its contractors in case the stuff can be remotely hijacked and spied on.
Is that tantamount to an open admission that Western origin stuff can be remotely hijacked and spied on ....... although to be honest, you'd need to be living the life of a hermit on another planet to not realise that is the universal default norm situation for Spooksvilles.
The really sad part though is, and the great opportunity that IT presents to significant relatively unknown and practically autonomous others, is that there is so much unintelligence in both simple and complex SCADA systems proving themselves spectacularly to be unable to effectively use mined/pilfered/phished/stolen information in an orderly timely fashion.
The Current Machine is a Dumb Ass of a Pack Horse rather than SMARTR Future Almighty Virtual Being.
You might like to think that all of that is now changed with many more future great changes to come.
What would you like to do about it with IT. Are you suitably enabled to be an effective AIgent of Future Events? Or be you disabled and confined and restrained and defined as a paying and baying spectator to the Greater IntelAIgent Games in the Fields of Live Operational Virtual Environment Play.
Be honest with yourself. Are you just a shadow of what you would like to be just doing mainly what others want and/or need and expect of you? That makes you both a virtual and practical slave. Just a Number amongst Billions.
This move sparked some serious concerns, not least because some of these companies are major suppliers to America's military. Exposing the source code to Moscow's agents would show Russian spies where to attack installed equipment and software to eavesdrop on the US administration.
Rank paranoia.
We know what source code is.
It is not a magical black liquid that sloshes at the bottom of circuit boards that allows one to "eavesdrop" from across the world one it has been seen unbottled.
But it's good that I don't need to read about "Soviet spies" as seems to crop up from time to time in The Meedja.
Actually, I'm starting to wonder whether he's actually some sort of novel number station...
This post has been deleted by its author
This post has been deleted by its author
As was mentioned above...and there's no proof that the binary you actually run came from that source code, that the compilers (or interpreters) are the same or produce the same results (Trusting trust...), or that even with the code in hand, you can find any actual backdoors - look at many of the flaws that have been discovered in open source that were around for years, and even in code that WAS looked at (not heartbleed which evidently wasn't looked at much). Even if you got it right once, are you never going to accept an update? Or go through the whole process again every time?
And then there are all the "obfuscated C" types of competitions, or perl golf, stuff almost no one can really read. And in general programmers way too impressed with an opaque bit of cleverness on their part.
I think much of this is futile anyway - it only takes one breach to get some kind of "root" in a network as things are - you probably can't stop them all, as mentioned above, by "buying local".
Security isn't an add on and you're not getting there with ad hoc systems built like legos from approved pieces. The devil can hide easily in interactions...
You have to design it in.
That's expensive and would cut into those expensive toilet seat budgets, or arming our supposed enemies in the middle east, you know.
DCF mentioned "obfuscated".
Crikey. Back in the very early 1980s, I was packing backspaces (^h) into BASIC along with REM statements so that what was displayed (LIST) and what was actually run (RUN) could be completely (100%) independent of each other.
LIST
10 PRINT "NO NO NO!!!"
RUN
YES YES YES!!!
These days, one might (for example) reprogram a USB Controller that is actually based on an Arm processor to do whatever you like. Precisely undetectable.
Allowing military supplies to be sources from a potentially hostile actor is just stupid. This has been known for...a while.
First Samuel 13:19-22: "Not a blacksmith could be found in the whole land of Israel, because the Philistines had said, 'Otherwise the Hebrews will make swords or spears!'
So all Israel went down to the Philistines to have their plow points, mattocks, axes and sickles sharpened.
The price was two-thirds of a shekel for sharpening plow points and mattocks, and a third of a shekel for sharpening forks and axes and for repointing goads.
So on the day of the battle not a soldier with Saul and Jonathan had a sword or spear in his hand; only Saul and his son Jonathan had them."
If you consider the US (my government) a potentially hostile actor, then urge yours to act accordingly.
"If you consider the US (my government) a potentially hostile actor, then urge yours to act accordingly."
I do not consider your government much more hostile than I consider my own current one. I note that it seems to have some very similar aims for the UK as Russia though and for compoarable historical reasons. The terminally stupid in the US fear a return of king George III who was usurped by their own wealthy middle class. Russiand rulers feel similarly about the UK playing a part in attempts to oust the Bolsheveiks following that takover. Both are happy with current political trends here that seem possible to impoverish the country and, even better in their opinion, break it to its component parts.
?Do I need to be wary of Russian software? Yes. ?Do I need to be aware of US software? Yes, to an equal degree. There is not much possibility of getting software that has not passed its way through some lever of US control at some point but at least Kaspersky might keep an eye on it .
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
