Questionable loyalties: the cybersecurity implications of buying system software from foreign companies

Questionable loyalties: the cybersecurity implications of buying system software from foreign companies

Summary: Do you trust commercial programs made in foreign nations, particularly those nations with authoritarian regimes or a history of cyberattack?

TOPICS: Security

At the very same time we are concerned about cyber-attacks, phishing attacks, botnet invasions, and other penetrations of our personal, industrial, and national defense systems and networks, we're turning over the protection of those systems to foreign companies with possibly questionable loyalties.

This is becoming a national security issue. We may need to establish defensive strategies that include blocking (or at least shining a light on) security products we rely on, produced by foreign agents or agencies.

See also: North Korea ships malware-infected games to South Korean users, uses them to launch DDoS attacks

Anti-malware company Kaspersky Lab is Russian. Disk imaging heavyweight Acronis has Russian developers (I know, because I talked with them while doing a product evaluation). Antivirus maker Panda Software is headquartered in Spain. AVG Technologies (makers of the free antivirus software many of us use) is located in the Czech Republic. Antivirus maker Avira is German. Antivirus maker F-Secure is based in Finland. Trend Micro is Japanese, and the list goes on and on.

See also: Technology policy challenges faced by the U.S. Federal Government (video seminar)

Then there's our computer hardware. We're all intimately familiar with the iPhone and iPad. Those, along with most of our desktop motherboards and laptops, are made in China. Yes, China, the very same country that has been disturbingly comfortable probing our network defenses.

See also: Welcome to the new Cold War: China vs. the United States U.S. finally acknowledges Chinese and Russian cyberthreat

Of course, we're not without culpability here in America, ourselves.

Many of the largest software makers are American, and so -- especially in the light of the Stuxnet allegations raised by The New York Times -- we shouldn't be too surprised if foreign buyers show some reticence to trust American-made goods.

See also: Breaking news: NY Times claims US released Stuxnet with Israel and it accidentally escaped Microsoft turns over all Win7 and server source code to Russia's new KGB

Globalization has always been a double-edged sword. The world is a big place, and there are huge markets outside of the United States. That's good, because -- in theory -- it brings money into the US. I say "in theory," because, as we've seen, most of that money really stays outside our borders, to avoid paying Uncle Sam his fair share.

See also: Apple: made in China, untaxed profits kept offshore

But there are also people in third-world countries willing to work for a fraction of what we need to get paid. So while we can buy our consumer goods for less money than they'd cost if made in America, we have less buying power, because so many manufacturing jobs have gone overseas.

See also: How To Save Jobs

We're seeing the double-edged sword with cybersecurity as well. There are talented developers all over the world, and we'd like to be able to benefit from their fine programming chops.

But in the same countries where programming skills are being used to write seemingly excellent software, there are authoritarian regimes also willing to attack us over the Internet, and penetrate our not-as-secure-as-they-should-be systems.

See also: The Threat of "Sleeper" Software

Do you trust commercial programs made in foreign nations, particularly those nations with authoritarian regimes or a history of cyberattack? TalkBack below and let me know whether you trust foreign software and hardware?

Topic: Security


David Gewirtz, Distinguished Lecturer at CBS Interactive, is an author, U.S. policy advisor, and computer scientist. He is featured in the History Channel special The President's Book of Secrets and is a member of the National Press Club.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • The other way round...

    it is the same for non-Americans, they have to trust Microsoft or Apple for their operating systems for most desktops, if Linux is not a practicable solution.

    Likewise using cloud services in Europe is a nightmare, because most cloud services are American or have offices in America, which leaves the cloud open to invasion from the US Feds, without notification to the data owner and without a valid warrant being necessary - thus leaving the data owner open to local prosecution, because they "allowed" (by using a cloud service with an office in the USA) personally identifiable data to be handed to a third party without the written permission of those whose personal information is being handed to the Feds...
    • Worse than that

      It's far worse than that. Regardless of where a hosting provider is located, most of them use servers located in the US, even if it means outsourcing. The reason is that US-located servers are considered far more reliable. I recently used a hosting company in Argentina and was surprised to find out they were using servers in Texas.

      In fact, it's so common that some foreign hosting companies specifically mention in their advertising that they only use servers located in their own country or the customer can specify that its content will only be hosted on in-country servers.
    • RE: open to invasion from the US Feds,

      You mean like Megaupload???

      I truly feel for anyone who had [b]legitimately acquired data[/b] stored there, and lost it to the hands of a tyrannical government acting as the proxy of the MAFIAA.

      Which is why I tell people: [i]NEVER put your business critical data in the cloud[/i]. Yet, these stupid PHB's only see the cost savings; and not the risks. Clueless dumb f---s!!!
      • No, not Megaupload

        I'm talking about BAE Systems, small companies that outsource their Apps and storage to Google, Amazon or Microsoft Clouds.

        If the FBI turns up at Microsoft's door, they have already said that they will hand over our (Europeans) data to the FBI, no questions asked, leaving the data owner open to prosecution in Europe...
  • What's the difference?

    They're all basically code and whether the regulator is American or not, you will have to apply the same monitoring mechanism. You search for bugs, report any suspicious activity, analyse how they send data over network, etc. The idea that a product's sincerity is suspect because its origin is foreign is just silly. Also, it is naive to think that a product is trustworthy just because it's made in whatever country you're in. The rules of competition work roughly the same everywhere. Sure you may have to watch out for a few cases, but that's it.
  • Kind of a stupid question

    Of course not! But then again one would assume the same applies to foreign governments/ countries not to trust products and services from American companies. Maybe the solution is for each country to develop its own hardware, software, networks and services. But that would mean the collapse of the (primarily) American driven global IT industry. Mr. Gewirtz, you'd like that wouldn't you?
  • do you trust anything you dont understand??

    not me really, taking anything on faith is somewhat difficult if I have to depend on it, trust it, and ultimately trust my life and welfare to it. The computer and internet is mostly unknown, even to those who concieved it, and build it every day. there's just too much information.

    That leaves the empirical data to really determine what's going on, data compiled over long periods of time that point out the realities (unless the numbers have been skewed, check out data from the music industry on what downloading has cost them this year).

    So who or what can you trust?? The food supply?? Genetic modified food?? Food packaged overseas, say in China where chemistry is unregulated.

    So in the end, we are far from kansas at this point. If an Indian company made a software product, like an OS, then perhaps it would be a good thing, and if it's cheaper than Windows (or it is windows, created in india) then who's to say. I do know one thing, that we can't compete with third world nations unless we become one ourselves. So buy American, even if it's riddled with our own brand of spyware.
    sparkle farkle
    • Cross your fingers and ....

      [b]So who or what can you trust?? ... Food packaged overseas, say in China where chemistry is unregulated. [/b]

      Couple of years ago Wife brought home two packages of frog legs. I asked her where they came from, she didn't know. I looked at the label. China. Those frog legs are still in the freezer.

      Far as trusting that which we don't understand, that is a human condition, with irony.

      People don't understand a thing about the function of a computer but they'll get on one that has an outdated OS that hasn't been maintained for years and do their on-line banking, check all their finances, open themselves to all forms of nastiness.
      Rob Berman
  • Is this really what keeps you up at night?

    I've been dealing with foreign software developers for decades. None of them are from countries we are currently at war with -- Russia, China, Taiwan, Japan, Czech Republic, France, Great Britain, Germany, Holland, Israel, Canada, Ukraine, Lithuania, Croatia, South Korea, The Philippines, Spain, and others that don't immediately come to mind. They all have one thing in common -- an appreciation for having their products available in the US market. Not a single one (well, okay, one -- Sony) would be willing to jeopardize their company's reputation by trying to sneak something that nasty into the code.

    I would probably not buy software from a state-owned company (and certainly nothing from North Korea), but I'm not sure if there even is any -- at least at a consumer/corporate level. But the rest of them are competing in a capitalist marketplace, and aren't run by people stupid enough to bite the hand that feeds them.
  • Even friends are suspect

    It seems warring Israeli politicians are deploying cyberwarfare against one another:

    "Our source also confirms that Flame is the first cyber weapon used by Israeli intelligence to target its own citizens also. For example, Haaretz reports (Hebrew) on the gargantuan power struggle between the former IDF chief of staff Gaby Ashkenazi and Defense Minister Ehud Barak, which involved charges of spying, counter-spying and forged memos investigated by the security services. Our Israeli source tells us that the Shin Bet installed Flame on the computer of Barak's chief of staff after Ashkenazi complained the former was spying on him."

    Joseph Kony, the African warlord (or whatever) has so far evaded capture by eschewing the use of computers, phones and radios, and relying on prearranged meeting places and word of mouth information relays. Spy satellites fly uselessly above him, radio listening posts eat static. Maybe there's a lesson here.
    marc van hoff
    • Flame fighting Israeli internecine war

      "Koren believes his computer was compromised a number of times. The first time he confirmed this through the IT department of the defense ministry. The second time, he reported it to the Shin Bet and they attempted to identify the method of the hack. The Shin Bet at first refused to get involved saying there was no external intrusion it could find. Then it said the problem wasn???t ???aggressive??? and that he therefore shouldn???t worry. But he was certain that a Trojan virus had hacked his computer and could extract data from it.

      You???ll recall that when I first posted about Flame, I mentioned that my Israeli source confirmed this was the first time an Israeli cyberweapon was used against a domestic target. Now he has further confirmed that when Ashkenazi complained to the Shin Bet that he suspected that the Koren was spying on him, it hacked into Koren???s computer using Flame. Though Koren didn???t know it, he became one of the first known Israeli victims of Israel???s latest cyberweapon, Flame.

      Of course, the reason the security service told Koren first that there was no external intrusion and then that the virus wasn???t ???aggressive??? was that it was the Shin Bet itself which had hacked his computer. Naturally, they couldn???t find a virus they themselves had implanted! This means as well that the Shin Bet was taking the IDF/Ashkenazi???s side in its confrontation with Barak???s defense ministry, as it has as well in fighting against Barak???s putative attack on Iran."

      Point being - mistrusting software based on its national origin is far too coarse of a judgement. You've got to worry about this partisan faction in a government conducting cyberwarfare against that one. For that matter, one company conducting espionage against another, or even interdepartmental conflicts in a single organization.

      "Never trust anyone" - 'Popeye' Doyle
      marc van hoff
  • Government Shill

    "That???s good, because ??? in theory ??? it brings money into the US. I say ???in theory,??? because, as we???ve seen, most of that money really stays outside our borders, to avoid paying Uncle Sam his fair share."

    David --

    Funny how whatever the feds unilaterally decide they want to take from peoples' (or companies') incomes is their "fair share" and you go right along with it. Typical leftist, always willing to throw other peoples' money at the problem of the day. Are you really surprised that corporations seek to keep their money out of the country which will pillage the biggest chunk of it from them? Why should the folks running a company that manufactures and sells stuff that people actually want enough to part with their own money to get it, get the same warm fuzzy feeling that you apparently do at the prospect of paying the highest corporate taxes on the planet and then watching gobs of it go to propping up businesses whose products nobody seems to want, but whose massive bundling campaign-contributions was immensely useful to getting Obama &co. elected. (Solyndra, anyone?) Or any of the other rat-holes this government has seen fit to pour our money down. But then, you are ZDNet's _Government_ shill. (As opposed to some of your colleagues who seem to be ZDNet's corporate shills.)

    -- Paul
    rocket ride
    • We've come to eat your lunch

      David hails from the days of predatory Mercantilism, when you sent the Great Atlantic and Pacific Tea Company to extract money from the colonies and bring it back home. These days, a lot of third, second, and even first-world countries frown on that practice. If you sell widgets to the Parthegans, the government in Parthega expects you to open an office or two, or even a couple of factories, and hire some Parthegans. If you come just to haul Parthega's money to the U.S., they don't even want you around,
      Robert Hahn
  • Implications of buying system SW & HW, Foreign or Domestic.

    FYI ??? Once had a senior VP of the largest global IT Company, with responsibilities for system development and security, tell me that trust was a cost of doing business in today???s market if they were to stay competitive and that for them to reverse engineer all of the sys level firmware (HW/SW) would take too long. So we have the situation where Problems are address as an exception after the fact.
    Bottom Line: Never trust a system built by someone other than yourself with components (HW/SW) you have verified as safe and meeting Your Security Requirements.
    • rolling my eyes

      I think our own military does not even follow those simple rules.
      • ....

        Only 1 A....
  • Do You....

    "Do you trust commercial programs made in foreign nations, particularly those nations with authoritarian regimes or a history of cyberattack?"

    Do you mean the United States or Israel? Stuxnet or Flame anyone? Or Japan perhaps with Sony's DRM Root Kit?

    Perhaps the problem isn't that there are nations making use of the existing vulnerabilities, but rather the existence of persistently vulnerable Windows systems.

    To answer the question: YES I am averse to purchasing software from nations with authoritarian regimes. NSA, TSA, whatever the "A" it sucks.
  • Nationalist claptrap

    What extraordinary nationalist claptrap. What is more, David Gewirtz displays the no-significant-world-outside-the-USA attitude many European think are exhibited by quite a few Americans.

    As for detailed points, the posters before me have said it all.

    Does he not understand he is broadcasting to a global audience ("global" includes a lot of territory outside the USA!)?

    What is "foreign"?

    To me (in the EU), Apple is more 'foreign' than AVG!

    • short sighted David

      I agree that as far as I am concerned Apple, google and many other products are indeed foreign and send back 'data' to the homeland...the good ol us of a.
      Does david have a passport?
  • Short answer: yes

    Several commercial software vendors have been caught "phoning home" data that could constitute a security risk to our company including a couple of big names. One of our affiliates accidentally found and triggered a remote "kill switch" in some commercial software that they were using, and the vendor had categorically denied that it existed until provided with the logs. Vendors are not above sneaking things into their software, especially if they can justify it to themselves as telemetry, remote diagnosis, DRM, or "improving user experience".

    The fact that such hooks can be used for espionage or cyberwar is conveniently overlooked, often on both sides. Vendors simply refuse to acknowledge the fact, while many customers look the other way. I've sat in risk management meetings where user try to downplay known security issues simply because they don't want to abandon the software or look for an alternative.
    terry flores