Trump administration confirms 'Do Not Buy' list of companies using Chinese and Russian software in their products

US authorities now blacklisting tech companies' products by source code origin

The US has been quietly working on a 'Do Not Buy' list of companies that use software of Russian and Chinese origin, Ellen Lord, the under secretary in charge of procurement in the Department of Defense, has admitted.

The Department has been working on the list for the past six months or so, following the federal ban on Kaspersky security software, signed by President Trump. The list has been compiled in conjunction with US intelligence agencies, according to Bloomberg.

"What we are doing is making sure that we do not buy software that is Russian or Chinese provenance, for instance, and quite often that is difficult to tell at first glance because of holding companies," said Lord.

She added: "We have identified certain companies that do not operate in a way consistent with what we have for defence standards."

Lord didn't disclose which companies made its 'Do Not Buy' list, nor whether the list might be shared outside of the US defence and security communities - with power and other critical infrastructure companies, for example. She hinted, though, that the Pentagon had some evidence backing up its move.

"We had specific issues … that caused us to focus on this," Lord said at a press conference on Friday at the Pentagon.

The US Department of Defense has now started circulating the list to defence contractors, large and small, via a number of defence industry trade associations. "It's a huge education process," Lord said.

The list comes at the same time that governments across the world are starting to demand access to source code of software, whether packaged or embedded in hardware, citing their own security concerns. Last year, for example, IBM, Cisco and SAP were all compelled to open up their code to the scrutiny of Russia's intelligence service, the FSB, according to Reuters.

In addition, HPE revealed the source code for its ArcSight security product - widely used by the US military - to Russia's FSB.

Recent IT security laws in China also compel companies operating in the country to reveal their source code to the authorities.

Lord, whose official title is Under Secretary of Defense for Acquisition, Technology and Logistics, assumed office in August 2017. She was previously CEO of aerospace and defence company Textron Systems and, hence, brings with her defence and technology domain knowledge.

Lord has also served as vice chair of the US National Defense Industrial Association and as a member of the Center for a New American Security's task force on strategy, technology, and the global defense industry.