Steals the Deal: Source Code Inspections Herald New Risks for Tech Vendors

Jill Singer
Vice President, National Security, AT&T Public Sector

Software is the invisible underpinning for much of our digital world. At its core is source code: the lingua franca that allows software-based technology systems to operate and evolve. Typically, source code is the very embodiment of a particular innovation. It is intellectual property that defines the software-based innovation, its properties and its functions. In a software-defined world, source code is the key to nearly every technology solution and innovation.

Now, China and Russia want direct access to those keys.

In June, China enacted a new cybersecurity law that requires foreign providers of IT hardware and software to submit their solutions for inspection, so that Chinese authorities can verify them as “secure and controllable” before companies can deploy them in the Chinese market.

Then, at the beginning of last month, it was reported that a technology vendor allowed a contractor for a Russian defense agency to review the inner workings of commercial cyber defense software used by many in the United States, including the Pentagon, to guard its computer networks. According to the story, the vendor allowed the source code “inspection” as part of its effort to win a certification required to sell the product in the Russian marketplace.

Rob Joyce, the cybersecurity coordinator at the White House, later weighed in, saying, “letting countries inspect source code, the closely guarded internal instructions of software, as a condition for entry into foreign markets was a protectionist effort by certain regimes that threatened a ‘free and open internet’ and could ‘hobble’ a product’s security and privacy features.”

These inspections, thinly veiled as processes designed to ensure vendors’ technology products won’t undermine the importing country’s cybersecurity protections, provide ample opportunity for a country like China to continue its rapacious theft of intellectual property under the guise of “protecting national interests.”

China’s exploits in IP theft against American companies are well documented: some experts believe IP theft costs America up to $600 billion a year, with most of it attributable to the Chinese. Software thus joins a long list of industries impacted by Chinese IP theft, including aviation, automobiles, consumer electronics, biotech and pharmaceuticals.

But there’s more to this than IP theft. When foreign governments have access to the source code of American software products, it makes it easier for them to develop tools and techniques that allow them to hack into those very same products in the future, after the products have been sold to other users worldwide. They can identify vulnerabilities and exploit them to their own advantage. Thus, the source code inspections can expose more cybersecurity vulnerabilities to the disadvantage of any company or organization using the products whose source code has been previously “inspected.”

All is not lost, however. There are a number of steps that both vendors and users of Information & Communication Technology (ICT) products and platforms can take to help reduce the inherent risks of mandatory source code inspections. Several of these are also good security practice to help reduce overall risk and should be widely employed in any situation.

First and foremost, users of hardware, software and services can become more active in working with their vendors to see to it that the latest software updates and other vendor-recommended security fixes or settings are completed as rapidly as possible. Network security controls and other partitioning can be used as additional layers of security and to minimize exposure of vulnerabilities to adversaries.

And, of course, good security programs start with the premise that even the best hardware and software solutions contain security flaws from the get-go, no matter who built them. No I.T. professional worth his salt would deploy software “out of the box” without thorough security testing first. There will be inherent vulnerabilities; measures must always be taken to prevent unnecessary exposure.

On the vendor side, there is a natural opportunity to proactively protect solutions before their source code inspections. Vendors always have to customize, to some degree, their products before selling them to international markets. The customization is necessary to address a set of attributes that will be unique to each target market, like language, culture, legal and regulatory issues, and technology infrastructure and capabilities. As part of the market customization process, vendors can add features and capabilities that limit an adversary’s ability to use the inspected source code as a basis for attack tools and techniques. These might include: capabilities that help ensure the integrity of the software and its updates; features to detect intrusion attempts into or through the platform; and locking down certain user-programmable features and thresholds that could introduce vulnerabilities.

Then there are the software tools that are built for the purpose of detecting and managing cyber security attacks. These tools can be outfitted with customized settings to help prevent future exploitation by adversaries.

Common Criteria-based testing is another tool to mitigate software vulnerabilities. The Common Criteria for Information Technology Security Evaluation is a testing model first introduced in the 1990s to provide a common basis for evaluating the security of software products in the international marketplace, and it is now recognized as a standard by the International Organization for Standardization (ISO). If the product has undergone Common Criteria-based (CC) testing by a certified lab, then the user should see to it that all vulnerabilities identified by the testing are addressed in the respective installation and configuration settings for the user’s implementation. This should include information from subsequent updates to the software baseline as part of the CC testing process.

Over the longer term, vendors should be encouraged to use an open-source model for the core of their products and platforms more frequently. Use of open-source software from a highly active and engaged community can significantly reduce the risk posed by source code inspections from other nations, since the core code is already public rather than a closely guarded secret. While it may sound counter-intuitive, open-source code historically has delivered improved security through the many developer contributions and inspections. This “wisdom-of-the-crowd” approach makes it less likely that significant residual vulnerabilities exist in the first place. Product differentiation in the marketplace can still take place through the platform architecture and security features, settings and thresholds, product installation and maintenance, and local support: none of which have to be shared back to the open-source community.

Also, as part of the long-term strategy, the U.S. government and ICT vendor community should jointly explore whether arrangements such as the Common Criteria mentioned above and the use of formally certified testing labs can be expanded and adopted globally.

In-depth security testing and source code inspections of technology solutions are here to stay. In fact, we can expect they will expand globally. They offer the opportunity for competitive advantages, and it is likely there is little downside to the country making the demands.

We can expect competition in the global ICT marketplace to increase, particularly from China, as it executes its strategy to make its companies the dominant suppliers for technologies like 5G wireless infrastructure.

The United States needs a coherent overall strategy to respond to this situation: one that brings U.S. trade and economic policy in the ICT market together with the technology providers and innovators in the U.S. private sector.

The United States continues to be the global leader in technology and innovation. Yet, much of its historical, current and future technology leadership relies on source code that is now being laid bare as a condition of global commerce.

We should be doing everything possible to thwart the potentially darker endgame of these inspections.

The author is Jill Singer.

Jill Singer leads AT&T business activities serving the Intelligence Community, overseeing the delivery of strategic technology solutions and services to national security agencies throughout the global public sector marketplace. Before joining AT&T, Ms. Singer was a partner with Deep Water Point and CEO of Tummler Singer Associates consulting firm. Her senior government experience includes Chief Information Officer (CIO) for the National Reconnaissance Office (NRO), Deputy CIO for the...


One Reply to “Steals the Deal: Source Code Inspections Herald New Risks for Tech Vendors”
  1. Sovereign countries have the right and the duty to manage events, equipment, software, communications traffic, etc. within their borders. That they can do so in ways that advantage themselves is unavoidable. Whether we like it or not, it is a part of the international business environment.

    Ms. Singer’s suggestions, including the use of open source, are apt. However, not everybody wants to use an open source model. Her suggestion that companies modify software prior to review by particular countries, however, is not so apt. Good software is expensive to produce. Sometimes that expense can be shared, open source works this way, sometimes not. Secondly, modifying software provides new opportunities to introduce errors. Programming is hard. Mistakes are easy. Mistakes are also often exploitation opportunities. Thirdly, if a product provides unique functionality that is its selling point, that functionality must be present for authorities to examine. This renders code obfuscation moot.

    What to do? I certainly have no easy answers. I don’t think any exist. Companies should include these concerns in their due diligence and market evaluation processes. Factor some estimate of risk into business decisions. If a company declines to participate in a country’s national market, they clearly forego possible revenue. They also encourage competitors to participate by reducing the competitive risk. They also encourage potential competitors in those countries by reducing their competitive risks.

    As the glib saying goes: “It is what it is.” And there is not a lot we can do about it. So, we have to figure out how to live with it.