
Two Factors Adversely Affecting U.S. Software and Infrastructure Security – Part 2

keithbromley7



The last decade has seen a fundamental shift in product development: the extensive use of open-source software. This crowd-sourcing effort has made software development cheaper, faster, and potentially riskier. While the rampant use of open-source software (OSS) is a contributor to the problem, the issue extends beyond OSS. The increasing role of Chinese companies in developing software across various sectors, including those deemed critical, raises additional concerns.


In 2023 and 2024, FBI Director Christopher Wray repeatedly warned the country that the Chinese government poses a 'broad and unrelenting' threat to U.S. critical infrastructure. A study by Fortress Information Security revealed that a staggering 90% of the software products it reviewed for United States electric power companies (including both information technology (IT) and operational technology (OT) products) contained components developed by individuals from either China or Russia. It is unknown how much of this code is compromised and to what extent. However, the report further stated that software with Russian- or Chinese-made code is 2.25 times more likely to have vulnerabilities and that the "software is three times more likely to have critical vulnerabilities."


This involvement creates worries about potential backdoors being intentionally inserted into the software, data exfiltration, or even the capacity to disrupt these systems, particularly during times of conflict. It also highlights a concern that foreign governments could pressure businesses to compromise their software for nefarious purposes. Additionally, individuals acting independently with malicious intentions could introduce vulnerabilities.

Even when the source of the software is known, ensuring its integrity can be challenging. Sophisticated actors can exploit vulnerabilities to gain unauthorized access or manipulate data, compromising sensitive information and disrupting critical operations. The potential consequences of such breaches, particularly in defense, intelligence, and critical infrastructure, could be catastrophic.


Research from SecurityWeek showed that North Korea (and to some extent China) is using nation-state operatives posing as remote workers to infiltrate US companies. Part of the motive is to help North Korea fund its nuclear program. The operatives also manipulated session history files, transferred potentially harmful files, and executed unauthorized software.


Another SecurityWeek report showed that the incident cited above was not an isolated case. There have been hundreds of recent attempts by North Korea to infiltrate US companies with software engineers to steal information and plant malware, all while the engineers earn money that helps fund North Korea's nuclear program.


While this blog focuses mainly on the US, this is a global problem. For instance, according to Business Insider, South Korea decided to remove 1,300 cameras from its military bases after discovering that the devices had software designed to send camera feeds back to a Chinese server. Concerns like this are why President Biden sought to enact controls over the use of software in Chinese-manufactured cars. Rear Adm. Jay Vann, commander of the Coast Guard's Cyber Command, has also complained about the use of undocumented "Chinese software" and cellular modems installed on approximately 80% of the ship-to-shore cranes used in United States trade ports. The software and modems were undocumented on the bill of sale for the cranes, which were manufactured by a Chinese company called ZPMC.


So, what can be done about the problem? Organizations must prioritize working with companies committed to developing and delivering secure, trustworthy software, including those that:

o   Prioritize rigorous security standards and certifications: Look for companies that adhere to internationally recognized security standards like ISO 9001:2015 and possess relevant certifications, such as the DoD Authority to Operate (ATO).


o   Focus on domestic development and customization: U.S.-based companies can offer greater transparency and control over the software development process, minimizing reliance on foreign components and reducing potential risks associated with supply chain vulnerabilities. This approach ensures that sensitive code remains within U.S. jurisdiction.


o   Reduce the use of open-source software: Organizations should develop software internally (where they know the provenance of the code) or seek partners who can provide customizable solutions that meet security requirements.


So how does the industry move forward? Addressing software supply chain risks requires a multi-faceted approach. We need to implement more rigorous vetting processes, especially for critical systems. Supporting U.S.-based software development for key industries is crucial, as is collaborating to improve security practices. Most importantly, we must raise awareness among decision-makers about the importance of software supply chain security. As we continue to secure our digital infrastructure, we need to remember that the integrity of our software is just as crucial as the hardware it runs on. By prioritizing "Made in America" software and addressing the complex challenges of our global software ecosystem, we can build a more resilient and secure digital future.


If you want additional information, check out this sales brief on the Axellio website. Axellio uses United States citizen workers and does not overly rely on the use of open-source code. Axellio carefully manages its use of open-source components and rigorously tests and evaluates the code used to reduce exposure to vulnerabilities.



About Axellio

Axellio provides extreme high-performance, scalable, compact, economical, and simultaneous time-series data ingest, storage, and distribution solutions for the defense and intelligence community at speeds exceeding 200 Gbps. Axellio's PacketXpress® platform focuses on network traffic packet capture, distribution, and analysis for cybersecurity monitoring and forensic analysis, and is operationally deployed with the US Army worldwide. For intelligence, surveillance, and reconnaissance (ISR) applications, Axellio's SensorXpress offers ingestion and storage of RF data from sensors and distributes it to analysis applications simultaneously at rates exceeding 200 Gbps. Learn more about Axellio at www.Axellio.com.


