For years, it has been clear that code written by the United States’ foreign adversaries executes across millions of our computers and mobile devices via websites and mobile Apps. This code, many linked to critical infrastructure and communication technologies, ensures a backdoor for cyber attacks, IP and data theft, and subversion of the political process.
Now, President Trump’s Executive Order (EO) 13873, titled Securing the Information and Communications Technology and Services Supply Chain, provides us with an opportunity to take back control of our digital ecosystem. Enterprises, government agencies, and elected officials can get ahead of our adversaries by knowing who they are and their offensive and defensive digital combat strategies.
For more than a decade, lawmakers and intelligence agencies have warned about Chinese digital espionage, much of it originating through technology companies including Huawei, ZTE and Lenovo. After a long history of tit-for-tat, the fight is heating up: signed into law four months ago, EO 13873 targets foreign-originating IT that threatens national security. But unlike past regulations, this order is broad enough to include digital third-party code (3PC) that makes up the majority of executing code in today’s websites and mobile apps – and remains the largest and continuously growing vector of malware attacks and data privacy violations.
The order – which prohibits technology transactions that pose a risk to national security or the digital economy – is seen by many as a blanket ban on Huawei’s products in the United States. But the actual language of EO 13873 encompasses a much broader landscape – and applies in many more contexts – than the media coverage has so far suggested.
Organizations and enterprises operating in the U.S. that do not take advantage of the mandate are missing perhaps the best opportunity we have ever had to actively enable a strong country-wide defense against foreign actors using 3PC to target our institutions with malware, data exfiltration, and disinformation. Put simply, there is no “narrow” way to interpret President Trump’s executive order, which states:
“Foreign adversaries are increasingly creating and exploiting vulnerabilities in information and communications technology and services, which store and communicate vast amounts of sensitive information, facilitate the digital economy, and support critical infrastructure and vital emergency services, in order to commit malicious cyber-enabled actions…”
The order defines regulated assets as any “information and communications technology or services” owned, developed, or controlled by American adversaries. If there was ever a time to demand scrutiny towards foreign-originating technology, it’s now: but the inventory of today’s enterprise and Federal IT departments extends far beyond the scope of traditional hardware vendors like Huawei.
From front-end to back-end, the Internet and digital economy referenced in the President’s executive order is writhe with third-party assets. In our research, we discovered that 80-95% of the code running on top media and eCommerce domains originates from outside the organization. These dependencies largely drive the little things we take for granted about the modern web, such as data management, CRM, content recommendation, social widgets, and programmatic advertising.
Most enterprises and government agencies do not realize where their source code originates from, nor do they understand its scale: 3PC lives in the background, far from any scrutiny or audits. On the one hand, most of it is benign – on the other hand, much of it is not. A small percentage of malicious 3PC drives the majority of malware spread today from state actors and organized crime: ransomware, identity theft, keystroke logging, disinformation, botnets, malvertising, and data/IP theft. It is a problem that U.S agencies and organizations must not ignore.
In the past two months, more than 25 million Android devices were hijacked in two unrelated malware operations that spread through third-party code and malicious online advertising: one originated in Russia, and the second originated in China. These attacks are just two of thousands of times foreign actors have managed to infiltrate American devices through 3PC just this summer.
According to the Department of Homeland Security, the notorious Russian-based BlackEnergy 2 rootkit managed to evade firewall detection with the help of 3PC in 2014. A year later, XcodeGhost – which took over host machines through remote command line – was discovered in numerous third-party applications originating from Chinese developers.
Since 2014, the number of malware incidents has more than quadrupled – we see more than 1,000 concurrent third-party code attacks every day. Concurrently, the amount of data that feeds directly into federal databases – in which both the infrastructure and code base may come from foreign entities – storing classified or unclassified but sensitive information has increased exponentially. Until government agencies and corporate America take a careful look at their third-party assets and develop a risk management strategy, they will remain wide open to foreign sabotage they can’t even see.
Until the Commerce Department releases its national security guidelines in the coming months, U.S agencies, enterprises, schools, service providers and other organizations can only guess at what they’ll be asked to suppress. But we know that third-party code fits all the criteria spelled out by President Trump:
Most organizations will have more third-party assets than they can easily assess or monitor directly. As an initial alternative, agencies can work towards trust-based relationships by implementing a Digital Vendor Risk Management Strategy (DVRM). Simply identifying 3PC vendors with overt foreign ties or a bad track record is the first step towards breaking up Shadow IT throughout the government and the country.
As a society, we depend on the World Wide Web to stay informed and connected, conduct business, access vital services and much more. Ahead of the 2020 elections, fixing the Web’s source code is a critical priority to protect democracy by eliminating fake news, preventing data breaches, and reducing the exposure of U.S citizens to foreign spying. Ensuring the continued safety of our digital economy is an investment in the future: let’s start now.
by CHRIS OLSON
Digital3PC.com is an independent platform that brings together the best minds from tech, government, research, and academia to shape the future of cybersecurity policy and offer best practice solutions when responding to cyber threats. The most common access point for malware spread, data breaches, IP theft, election meddling, disinformation campaigns, and cyberwarfare is malicious third-party code (3PC) that makes its way into our websites, apps, and IoT devices. The compromise of the digital ecosystem erodes user trust and the credibility of media organizations, and undermines the integrity of our democracy, economy, and public safety.