This article originally appeared in Journal of Cyber Policy on October 11, 2019.
Executive Order (EO) 13873, entitled “Securing the Information and Communications Technology and Services Supply Chain”, aims to protect national telecommunications infrastructure from foreign manipulation. While many interpret it as a mandate on physical technology equipment, the EO actually encompasses “services designed, developed, manufactured or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary”. The internet can be viewed as a strategic asset underpinning the operation of the U.S. economy, yet the majority of the code that executes is from third parties, many of them foreign-owned. With binding regulations expected on Oct 12, there’s no word on what technologies it will highlight, but digital assets meet every criterion under this ban, and that includes the third-party code that powers and exploits those assets.
Chris Olson, CEO of The Media Trust explains, “From front-end to back-end, the Internet and digital economy referenced in the President’s executive order is writhe with third-party assets. In our research, we discovered that 80-95% of the code running on top media and eCommerce domains originates from outside the organization. Most enterprises and #government agencies do not realize where their source code originates from, nor do they understand its scale: 3rd party code (3PC) lives in the background, far from any scrutiny or audits. A small percentage of malicious 3PC drives the majority of malware spread today from state actors and organized crime including ransomware, identity theft, keystroke logging, disinformation, botnets, malvertising, and data/IP theft.”
Chris says, “In the past two months alone, more than 25 million Android devices were hijacked in two unrelated malware operations that spread through third-party code and malicious online advertising: one originated in Russia, and the second originated in China. These attacks are just two of thousands of times foreign actors have managed to infiltrate American devices through 3PC just this summer.”