For years, it has been clear that code written by the United States’ foreign adversaries executes across millions of our computers and mobile devices via websites and mobile Apps. This code, many linked to critical infrastructure and communication technologies, ensures a backdoor for cyberattacks, IP and data theft, and subversion of the political process.
Now, (former) President Trump’s Executive Order (EO) 13873, titled Securing the Information and Communications Technology and Services Supply Chain, provides us with an opportunity to take back control of our digital ecosystem. Enterprises, government agencies, and elected officials can get ahead of our adversaries by knowing who they are and their offensive and defensive digital combat strategies.
Cracking Down on Foreign Technology
For more than a decade, lawmakers and intelligence agencies have warned about Chinese digital espionage, much of it originating through technology companies including Huawei, ZTE and Lenovo. After a long history of tit-for-tat, the fight is heating up: signed into law four months ago, EO 13873 targets foreign-originating IT that threatens national security. But unlike past regulations, this order is broad enough to include digital third-party code (3PC) that makes up the majority of executing code in today’s websites and mobile apps – and remains the largest and continuously growing vector of malware attacks and data privacy violations.
The order – which prohibits technology transactions that pose a risk to national security or the digital economy – is seen by many as a blanket ban on Huawei’s products in the United States. But the actual language of EO 13873 encompasses a much broader landscape – and applies in many more contexts – than the media coverage has so far suggested.
Organizations and enterprises operating in the U.S. that do not take advantage of the mandate are missing perhaps the best opportunity we have ever had to actively enable a strong country-wide defense against foreign actors using 3PC to target our institutions with malware, data exfiltration, and disinformation. Put simply, there is no “narrow” way to interpret President Trump’s executive order, which states:
“Foreign adversaries are increasingly creating and exploiting vulnerabilities in information and communications technology and services, which store and communicate vast amounts of sensitive information, facilitate the digital economy, and support critical infrastructure and vital emergency services, in order to commit malicious cyber-enabled actions…”
The order defines regulated assets as any “information and communications technology or services” owned, developed, or controlled by American adversaries. If there was ever a time to demand scrutiny towards foreign-originating technology, it’s now: but the inventory of today’s enterprise and Federal IT departments extends far beyond the scope of traditional hardware vendors like Huawei.
The State of Digital Threats
The Commerce Department – which is responsible for defining what constitutes a “national security risk” under the new executive order – has until October 12 to issue binding regulations, and organizations have until then to prepare. As of yet, there’s no word on what technologies it will highlight, but digital assets meet every criteria under this ban, and that includes the third-party code that powers and exploits those assets.
Since the Cloud First initiative was announced in 2011, digital has been the driving force behind modernization throughout the private sector and federal government. Departments, agencies and even contractors have been racing to virtualize as much of their architecture as possible, and FedRAMP-approved cloud service providers (CSPs) are gladly filling the need.
Unfortunately, digital comes with significant risk, as organizations have been continually reminded for the past several years: speed of deployment drives the demand for third-party code (3PC), much of it originating from foreign sources. With the past as our guide, we can be certain that this invisible Shadow IT is the ideal backdoor for bad actors of every stripe to attack U.S. infrastructure and abuse U.S. citizens.
The Threat of Third-Party Code
From front-end to back-end, the Internet and digital economy referenced in the President’s executive order is writhe with third-party assets. In our research, we discovered that 80-95% of the code running on top media and eCommerce domains originates from outside the organization. These dependencies largely drive the little things we take for granted about the modern web, such as data management, CRM, content recommendation, social widgets, and programmatic advertising.
Most enterprises and government agencies do not realize where their source code originates from, nor do they understand its scale: 3PC lives in the background, far from any scrutiny or audits. On the one hand, most of it is benign – on the other hand, much of it is not. A small percentage of malicious 3PC drives the majority of malware spread today from state actors and organized crime: ransomware, identity theft, keystroke logging, disinformation, botnets, malvertising, and data/IP theft. It is a problem that U.S agencies and organizations must not ignore.
In the past two months, more than 25 million Android devices were hijacked in two unrelated malware operations that spread through third-party code and malicious online advertising: one originated in Russia, and the second originated in China. These attacks are just two of thousands of times foreign actors have managed to infiltrate American devices through 3PC just this summer.
According to the Department of Homeland Security, the notorious Russian-based BlackEnergy 2 rootkit managed to evade firewall detection with the help of 3PC in 2014. A year later, XcodeGhost – which took over host machines through remote command line – was discovered in numerous third-party applications originating from Chinese developers.
Since 2014, the number of malware incidents has more than quadrupled – we see more than 1,000 concurrent third-party code attacks every day. Concurrently, the amount of data that feeds directly into federal databases – in which both the infrastructure and code base may come from foreign entities – storing classified or unclassified but sensitive information has increased exponentially. Until government agencies and corporate America take a careful look at their third-party assets and develop a risk management strategy, they will remain wide open to foreign sabotage they can’t even see.
How to Prepare for a Foreign Adversary 3PC Ban
Until the Commerce Department releases its national security guidelines in the coming months, U.S agencies, enterprises, schools, service providers and other organizations can only guess at what they’ll be asked to suppress. But we know that third-party code fits all the criteria spelled out by President Trump:
- It’s an IT service
- It’s involved with the storage and transmission of sensitive information
- It facilitates the digital economy and supports critical infrastructure
- It is used by foreign nations to commit cybercrime
Most organizations will have more third-party assets than they can easily assess or monitor directly. As an initial alternative, agencies can work towards trust-based relationships by implementing a Digital Vendor Risk Management Strategy (DVRM). Simply identifying 3PC vendors with overt foreign ties or a bad track record is the first step towards breaking up Shadow IT throughout the government and the country.
As a society, we depend on the World Wide Web to stay informed and connected, conduct business, access vital services and much more. Ahead of the 2020 elections, fixing the Web’s source code is a critical priority to protect democracy by eliminating fake news, preventing data breaches, and reducing the exposure of U.S citizens to foreign spying. Ensuring the continued safety of our digital economy is an investment in the future: let’s start now.
NOTE: article edited to reflect the change in executive leadership