
The Pentagon Hits the Software Supply Chain Panic Button


It should not bear repeating that cybersecurity is national security, but after a string of China-linked breaches, the Pentagon has gone on high alert to safeguard its software supply chain from foreign influence. 

The past 10 days have been cyber hell for the Pentagon:

  • A ProPublica investigation found that Microsoft has been hiring China-based engineers to maintain critical DoD computer systems with pretty hands-off supervision from US “digital escorts.” 
  • A Chinese spy pleaded guilty to stealing 3,600 files detailing US missile tracking systems while working at an undisclosed R&D company in California.
  • To top it off, Chinese state-backed hackers exploited a zero-day vulnerability in Microsoft’s SharePoint software to hack the National Nuclear Security Administration and at least 400 other victims.

It’s been the kind of week that underscores why the ODNI has called China the “most active and persistent cyber threat to US Government, private-sector, and critical infrastructure networks.”

Wake-Up Call: In response to those blaring alarm bells, Defense Secretary Pete Hegseth released a memo Tuesday revamping the department’s software protocols. The memo states that the DoD “will not procure any hardware or software susceptible to adversarial foreign influence” and “must prevent such adversaries from introducing malicious capabilities into the products and services that are utilized by the Department.” 

That’s no small task, given the scale of software in the DoD’s ecosystem, but the memo directs the CIO to: 

  • Fortify existing software used in the defense industrial base against “adversarial foreign influence.”
  • Bolster frameworks like the Cybersecurity Maturity Model Certification, Software Fast Track Program, Authority to Operate (ATO) process, and FedRAMP.
  • Tighten the vetting process and review “personnel security practices and insider threat programs of the DIB and cloud service providers.”
  • Provide additional guidance within 15 days.

To those tracking cyber threats, Hegseth’s memo is a much-needed push to secure the Pentagon’s software supply chain, especially as the government and defense industry become more software-driven.

Accelerant: Hayden Smith, the co-founder of Hunted Labs—a startup made up of DoD and intelligence alums focused on rooting out threats from foreign influence in software supply chains—told Tectonic that the SharePoint hack and ProPublica report “poured accelerant on a raging brush fire of foreign influence on the hardware and software that ends up in the DOD.” However, he added that Hegseth’s memo is “the first step” in developing “ironclad solutions as we’re building our future of warfare.” 

“I can say this because I worked on some of the biggest programs in DoD,” Smith said. “They all rely on open-source software.” And some of that software, he added, is fully controlled by adversaries like China and Russia—including one Russian intelligence-linked open-source package Hunted recently discovered embedded across government and commercial platforms.

As the Pentagon shifts toward commercial software and defense companies double down on software-defined hardware, the memo’s timing couldn’t be better.

“As we look at autonomous submarines, autonomous UAVs, and everything we see in Ukraine, we’re receiving signals here that we need to adapt how we’re fighting,” Smith said. “But if we’re doing software-enabled warfare, we need to make sure that the software that we’re running on is free of foreign influence.”