Pentagon creating software 'do not buy' list to keep out Russia, China

Chinese and Russian flags are arranged in Beijing ahead of a visit by Russian President Vladimir Putin.
Chinese and Russian flags are arranged in Beijing ahead of a visit by Russian President Vladimir Putin.PHOTO: REUTERS

WASHINGTON (REUTERS) - The Pentagon is working on a software "do not buy" list to block vendors who use software code originating from Russia and China, a top Defence Department acquisitions official said on Friday (July 27).

Ellen Lord, the under secretary of defence for acquisition and sustainment, told reporters the Pentagon had been working for six months on a "do not buy" list of software vendors.

The list is meant to help the Department of Defence's acquisitions staff and industry partners avoid buying problematic code for the Pentagon and suppliers.

"What we are doing is making sure that we do not buy software that has Russian or Chinese provenance, for instance, and quite often that's difficult to tell at first glance because of holding companies," she told reporters gathered in a conference room near her Pentagon office.

The Pentagon has worked closely with the intelligence community, she said, adding "we have identified certain companies that do not operate in a way consistent with what we have for defense standards."

Identifying these companies has meant that they are put on a list that is shared with the Pentagon's acquisitions staff.

Lord did not provide any further details on the list.

Lord's comments were made ahead of the likely passage of the Pentagon's spending Bill by Congress as early as next week. The Bill contains provisions that would force technology companies to disclose if they allowed countries like China and Russia to examine the inner workings of software sold to the US military.

The legislation was drafted after a Reuters investigation found that software makers allowed a Russian defence agency to hunt for vulnerabilities in software used by some agencies of the US government, including the Pentagon and intelligence agencies.

Security experts said allowing Russian authorities to look into the internal workings of software, known as source code, could help adversaries like Moscow or Beijing to discover vulnerabilities they could exploit to more easily attack US government systems.

She also said in the briefing that an upcoming report on the US military supply chain will show that the Pentagon depends on Chinese components for some military equipment.

The industrial base report will show "there is a large focus on dependency on foreign countries for supply, and China figures very prominently".