UPDATED 23:04 EDT / JULY 30 2018

Pentagon issues ‘Do Not Buy’ list covering Russian and Chinese software

The Pentagon has created a “Do Not Buy” list of primarily Chinese and Russian software makers from which the U.S. Department of Defense and its contractors should not buy software because of security concerns.

First reported by Defense One, the list has been compiled with the assistance of the Aerospace Industries Association, the National Defense Industrial Association and the Professional Services Council. It aims to highlight not only obvious foreign software providers but also those who offer software whose origin is not immediately apparent.

“We had specific issues … that caused us to focus on this,” Ellen Lord, U.S. defense undersecretary for acquisition and sustainment, told reporters at a press conference. “What we are doing is making sure that we do not buy software that’s Russian or Chinese provenance. Quite often that’s difficult to tell at first glance because of holding companies.”

Lord added that defense officials have also been working with the intelligence community to identify “certain companies that do not operate in a way consistent with what we have for defense standards.”

Terry Ray, chief technology officer at Imperva Inc., told SiliconANGLE that “this really isn’t new” because for years all software running in sensitive federal departments underwent technical scrutiny.

“It is common for the U.S. government to scan software used in their environments for backdoors and other embedded code or configurations that may allow hidden or previously unidentified connections inbound or outbound to the technology,” Ray explained. “At the moment, I have not seen details on any new inspection processes which makes me think the technical review will utilize existing techniques. However, it’s important to note that other well-developed countries operate similarly and prefer to purchase and implement, in country, political ally or open source technology in lieu of off-the-shelf products offered by the US or its allies.”

Johnathan Azaria, security researcher at Imperva, noted that some software manufactured in China was shipped with out-of-the-box malware. “The possible threat from such software ranges from unintentional security issues that simply weren’t patched properly, to a hard-coded backdoor that will grant access to the highest bidder,” he said. “We hope that the news of this list will urge manufacturers to put a larger emphasis on product security.”

The move to bar the U.S. military from using software from Russian and Chinese makers comes on top of claims from the Central Intelligence Agency, the Federal Bureau of Investigation and the National Security Agency that devices from Huawei Technologies Co. Ltd. could be used by the Chinese government to spy on users.

Photo: gregwest98/Flickr
