Software is the invisible underpinning for much of our digital world. At its core is source code: the lingua franca that allows software-based technology systems to operate and evolve. Typically, source code is the very embodiment of a particular innovation. It is intellectual property that defines the software-based innovation, its properties and its functions. In a software-defined world, source code is the key to nearly every technology solution and innovation.
Now, China and Russia want direct access to those keys.
In June, China enacted a new cybersecurity law that requires foreign providers of IT hardware and software to allow their solutions to undergo inspection so as to be verified by the Chinese authorities as “secure and controllable” before companies can deploy them in the Chinese market.
Then, at the beginning of last month, it was reported that a technology vendor allowed a contractor for a Russian defense agency to review the inner workings of commercial cyber defense software used by many in the United States, including the Pentagon, to guard its computer networks. According to the story, the vendor allowed the source code “inspection” as part of its effort to win a certification required to sell the product in the Russian marketplace.
Rob Joyce, the cybersecurity coordinator at the White House, later weighed in, saying, “letting countries inspect source code, the closely guarded internal instructions of software, as a condition for entry into foreign markets was a protectionist effort by certain regimes that threatened a ‘free and open internet’ and could ‘hobble’ a product’s security and privacy features.”
These inspections, thinly veiled as processes designed to ensure vendors’ technology products won’t undermine the importing country’s cybersecurity protections, provide ample opportunity for countries like China to continue its rapacious theft of intellectual property under the guise of “protecting national interests.”
China’s exploits in IP theft against American companies are well documented: some experts believe IP theft costs America up to $600 billion a year, with most of it attributable to the Chinese. Software thus joins a long list of industries impacted by Chinese IP theft, including aviation, automobiles, consumer electronics, biotech and pharmaceuticals.
But there’s more to this than IP theft. When foreign governments have access to the source code of American software products, it makes it easier for them to develop tools and techniques that allow them to hack into those very same products in the future, after the products have been sold to other users worldwide. They can identify vulnerabilities and exploit them to their own advantage. Thus, the source code inspections can expose more cybersecurity vulnerabilities to the disadvantage of any company or organization using the products whose source code has been previously “inspected.”
All is not lost, however. There are a number of steps that both vendors and users of Information & Communication Technology (ICT) products and platforms can take to help reduce the inherent risks of mandatory source code inspections. Several of these are also good security practice to help reduce overall risk and should be widely employed in any situation.
First and foremost, users of hardware, software and services can become more active in working with their vendors to see to it that the latest software updates and other vendor-recommended security fixes or settings are completed as rapidly as possible. Network security controls and other partitioning can be used as additional layers of security and to minimize exposure of vulnerabilities to adversaries.
And, of course, good security programs start with the premise that even the best hardware and software solutions contain security flaws from the get-go, no matter who built them. No I.T. professional worth his salt would deploy software “out of the box” without fulsome security testing first. There will be inherent vulnerabilities; measures must always be taken to prevent unnecessary exposure.
On the vendor side, there is a natural opportunity to proactively protect solutions before their source code inspections. Vendors always have to customize, to some degree, their products before selling them to international markets. The customization is necessary to address a set of attributes that will be unique to each target market, like language, culture, legal and regulatory issues, and technology infrastructure and capabilities. As part of the market customization process, vendors can add features and capabilities that mitigate the ability of adversaries to use source code as a basis for tools and techniques that support cyber security tradecraft. These might include: capabilities that help ensure the integrity of the software and updates; features to detect intrusion attempts into or through the platform; and locking down certain user programmable features and thresholds that could introduce vulnerabilities.
Then there are the software tools that are built for the purpose of detecting and managing cyber security attacks. These tools can be outfitted with customized settings to help prevent future exploitation by adversaries.
Common Criteria-based testing is another tool to mitigate software vulnerabilities. The Common Criteria for Information Technology Security Evaluation is a testing model first introduced back in the 1990’s to unify the security integrity of software products in the international marketplace and is now recognized via the International Standards Organization. If the product has undergone Common Criteria-based (CC) testing by a certified lab, then the user should see to it that all vulnerabilities identified by the testing are addressed in the respective installation and configuration settings for the user’s implementation. This should include information from subsequent updates to the software baseline as part of the CC testing process.
Over the longer term, vendors should be encouraged to use an open-source model for the core of their products and platforms more frequently. Use of open-source software from a highly active and engaged community can help to significantly reduce the risk of source code inspection by other nations. While it may sound counter-intuitive, open source code historically has delivered improved security through the many developer contributions and inspections. This “wisdom-of-the-crowd” approach makes it less likely to have significant residual vulnerabilities in the first place. Product differentiation in the marketplace can still take place through the platform architecture and security features, settings and thresholds, product installation and maintenance, and local support: none of which have to be shared back to the open source community.
Also, as part of the long term strategy, the U.S. government and ICT vendor community should jointly explore whether arrangements such as the Common Criteria mentioned above and the use of formally-certified testing labs can be expanded and adopted globally.
In-depth security testing and source code inspections of technology solutions are here to stay. In fact, we can expect they will expand globally. They offer the opportunity for competitive advantages, and it is likely there is little downside to the country making the demands.
We can expect competition in the global ICT marketplace to increase, particularly from China, as they execute their strategy to make their companies the dominant suppliers for technologies like 5G wireless infrastructure.
The United States needs a coherent overall strategy to respond to this situation: one that brings U.S. trade and economic policy in the ICT market together with the technology providers and innovators in the U.S. private sector.
The United States continues to be the global leader in technology and innovation. Yet, much of its historical, current and future technology leadership relies on source code that is now being laid bare as a condition of global commerce.
We should be doing everything possible to thwart the potentially darker endgame of these inspections.
