When the Government Buys Software and Hardware, It Does Not Check It, and It Mostly Does Not Vet Its Cyber Contractors


by Stephen Bryen

Except in certain cases where the government checks classified products under an NSA international program, the government does not check software for vulnerabilities, backdoors, or the presence of malware or bugs. It does not matter whether the software or hardware is made outside the U.S. or not.

The truth is that our government, critical infrastructure and military are loaded with highly suspect products. If the products are computers, tablets or smartphones, they generally are made in Asia, most of them produced in China. If the products are software, they may be “assembled” in the United States by U.S. companies, including really big ones, but they use blocks of code that are produced by so-called community-sourced groups, meaning that the members of the group are likely to be from around the globe and no one vouches for any of them. In fact, that is exactly how the infamous Heartbleed bug came to be.

The bottom line is that the U.S. government is no more secure than computer systems in Nigeria, Yemen or Bangladesh or, if you like, than those in Taiwan, Fiji, the Philippines and Australia.

In fact, if the latest reports are true, it is even worse, because the government does not do any background checks on the people it lets work on its computer networks and electronic systems.

The above observation holds even where some U.S. government agencies check computer systems more rigorously, at least on paper. DOD, for example, works with an extensive checklist of vulnerabilities (called STIGs, for Security Technical Implementation Guides) which it tries to mitigate. But DOD is never up to date on its checks, and the system in any case only finds what is known, not what is unknown. For example, if the Air Force is using Kaspersky antivirus software or Windows XP, it won’t take any action even though both are big security risks. They just are not on any checklist, although soon the Kaspersky system will start to be removed from use. Even here, and yet again, there are no standards for removal and no way to check whether any components are left behind after they are supposedly removed.

In the Kaspersky case the Department of Homeland Security “ordered” U.S. government agencies to “begin to remove” Kaspersky software “within 90 days” from the date of the order, which was September 13th. DHS did not say how to determine whether the software actually was on a computer or computer network, nor did it set any end date for the software to be eradicated or any test to make sure it was gone. Beyond that, it is not even clear that DHS has any authority to make such an order, or whether the military and DOD were obliged to follow any such “order.” Indeed, it is most interesting that the President did not issue an Executive Order complete with removal standards. It was left to DHS, a peculiar decision indicating it was anything but serious.
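The article faults the removal order for specifying no test that the software is actually gone. The script below is an added example, not from the article or from any agency guidance, of what the simplest form of such a test looks like on a Windows host: it inventories the places an installed product normally leaves traces (Uninstall registry keys, services, kernel drivers, running processes and program directories) for a name fragment and writes a machine-readable report. The vendor pattern, the report path and the exit-code convention are assumptions chosen for illustration; the script only reads state and removes nothing.

```powershell
# Added example (not from the article): a read-only presence check answering
# "is software from vendor X still on this host?" The default pattern matches
# the vendor named in the article; the report path is an assumed location.
param(
    [string]$VendorPattern = 'Kaspersky',                      # assumed name fragment
    [string]$ReportPath    = "$env:TEMP\vendor-presence.json"  # assumed output file
)

# 1. Installed products: 64-bit, 32-bit (WOW6432Node) and per-user Uninstall hives.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$products = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and
                   ($_.DisplayName -match $VendorPattern -or $_.Publisher -match $VendorPattern) } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation, UninstallString

# 2. Services whose name, display name or binary path references the vendor.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $VendorPattern } |
    Select-Object Name, DisplayName, State, StartMode, PathName

# 3. Kernel drivers: the component most often left behind after an uninstall.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $VendorPattern } |
    Select-Object Name, DisplayName, State, PathName

# 4. Running processes whose executable path references the vendor.
$processes = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -match $VendorPattern } |
    Select-Object Id, ProcessName, Path

# 5. Leftover program directories under the usual install roots.
$dirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData) |
    Where-Object { $_ } |
    ForEach-Object { Get-ChildItem -Path $_ -Directory -ErrorAction SilentlyContinue } |
    Where-Object { $_.Name -match $VendorPattern } |
    Select-Object FullName, LastWriteTime

# Assemble one record per host so results from many machines can be aggregated.
$report = [pscustomobject]@{
    Host        = $env:COMPUTERNAME
    Checked     = (Get-Date).ToString('o')
    Pattern     = $VendorPattern
    Products    = @($products)
    Services    = @($services)
    Drivers     = @($drivers)
    Processes   = @($processes)
    Directories = @($dirs)
    Present     = [bool]($products -or $services -or $drivers -or $processes -or $dirs)
}
$report | ConvertTo-Json -Depth 4 | Set-Content -Path $ReportPath

# Non-zero exit turns the check into a pass/fail test for fleet-wide runs.
if ($report.Present) {
    Write-Output "Traces of '$VendorPattern' remain on $($report.Host); details in $ReportPath"
    exit 1
} else {
    Write-Output "No traces of '$VendorPattern' found on $($report.Host)"
    exit 0
}
```

Run it elevated so the service, driver and process queries see system-level entries. A check of this kind is only a floor: it confirms that nothing is registered under the vendor's name, not that a product was never present or that every file it wrote is gone, which is exactly why the article's point about the absence of removal standards matters.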

[Photo caption: Yevgeny Kaspersky (Евгений Валентинович Касперский)]

The problems of the government and the military multiply when we come to the so-called critical infrastructure of the United States. While there are different definitions of what is included in the critical infrastructure, it includes backbone systems like power production and transmission, water purification and delivery systems, transportation, banking and finance, and communications. In the United States much of the critical infrastructure is in the hands of private owners and investors or, in a limited number of cases like the Tennessee Valley Authority, the government owns it but it is described as an independent corporation. While the U.S. government in past years had ample opportunity to put in place strong security measures in the critical infrastructure, instead it has simply urged critical infrastructure elements to follow computer security guidelines, leaving them on their own to decide what to do and when to do it. In any case, the problem of a mainly independent critical infrastructure at the moment does not loom large, because the government has made such a mess of its own that the critical infrastructure players probably can’t do any worse.

The “mess” can be defined in the following way. For software and hardware, (1) there is no testing system or certification method to provide assurance that the product is safe; and (2) there is no apparent interest in shutting down product procurement from potential adversaries, especially Russia and China. The U.S. won’t move on China for political and economic reasons, meaning that China remains the number one supplier of electronics to the U.S. government, this year well over 80% for hardware. While DOD tries to source key components for weapons from U.S. suppliers, the entire network infrastructure of the department is dominated by Chinese equipment. Assuming that China has not shown its real hand (and probably won’t unless there is a real crisis), DOD is sitting on a sort of time bomb. Russia is less of a problem in the software space because, outside of Kaspersky and a few other smaller players, it is not a big player. On the other hand, Russian hackers are constantly hitting the government, military and critical infrastructure segments.

There is, despite these big flaws and holes in the system, room for a solution, even though the tea leaves are highly negative. Nothing would prevent the government from setting up a solid software verification and validation system. If a product slips through and then is found defective, and the assessment is that it was deliberately infected or bugged by the maker, the offending company would lose its license and its right to sell to the government. Such a vetting system would also act to a degree as a deterrent, because it would carry a significant economic cost. Kaspersky, for example, may be losing half its overall business, which comes from the United States, even without a formal vetting system.

A related step is for DOD to build its own operating system and platforms and replace the equipment it now has. This has many benefits, because not only will it stop a hostile party from shutting down vital security systems, but it will defeat the constant nuisance of hackers disrupting current-day computer systems and networks. Building a unique government-sponsored operating system and secure networking means an investment in American software and hardware, probably on the order of $2 to $4 billion. That sounds like a lot, but we are spending much more on computer security that fails to deliver results.