In response to the news that the Department of Defense (DOD) has confirmed it has been silently working on a “Do Not Buy” list of companies known to use Chinese and Russian software in their products, security experts commented below.
Johnathan Azaria, Security Researcher Specialist at Imperva:
“This is not surprising when considering that some software manufactured in China was shipped with out-of-the-box malware. The possible threat from such software ranges from unintentional security issues that simply weren’t patched properly, to a hard-coded backdoor that will grant access to the highest bidder. We hope that the news of this list will urge manufacturers to put a larger emphasis on product security.”
Terry Ray, CTO at Imperva:
“This really isn’t new. For years, all software running in sensitive Federal departments underwent technical scrutiny. It is common for the US government to scan software used in its environments for backdoors and other embedded code, or for configurations that may allow hidden or previously unidentified connections, inbound or outbound, to the technology.
At the moment, I have not seen details on any new inspection processes, which makes me think the technical review will utilize existing techniques. However, it’s important to note that other well-developed countries operate similarly and prefer to purchase and implement in-country or open-source technology in lieu of off-the-shelf products offered by the US or its allies.”