Ordering Technology Off a Government Organization

I guess we all read the news of President Trump ordering governmental organizations to migrate off any Kaspersky security software ASAP. This is basically an interesting move as it highlights the challenges regarding supply chain security, however, is this an effective was to protect an organization? I hope President Trump and/or his advisors consider a few additional questions (most probably not complete):

  • A typical area where foreign technology comes in is in the network. Is he sure that nobody e.g. uses Huawei?
  • I hope that there are no libraries used in the software they run, which leverages technology developed in any other country – e.g. Israel
  • Most big software companies have offshore development centers in India, Philippines, or Israel (for security technology)
  • Do you nowhere use SAP or any other software package developed outside the US?
  • What about the chips built into the hardware? To my knowledge, most chips are produced and products assembled in Asia
  • What about the supply chain? I heard that there are governments who are injecting themselves into the supply chain and inject malware into already produced hardware

Even though I understand the government’s approach to protect the organization from foreign espionage and manage the corresponding risks. That Kaspersky is seen as high-risk here, can be the result of the risk assessment – well, do we really think it is?

When I was working at Microsoft we ran a program called Government Security Program, where we offered source code access for most governments (including Russia, btw) to certify the software for confidential environments. So, some governments intensively looked for backdoors and after that, approved it for use.

So, I do not think that this decision by the US Government does really change the risk exposure – is it more a political one?

Just a final, very personal comment: Eugene Kaspersky’s and my path crossed several times (even though he might not remember) during my time at Microsoft. Let’s say, he has a very special view on the world, which I definitely do not share.

*** This is a Security Bloggers Network syndicated blog from Roger Halbheer on Security authored by Roger Halbheer. Read the original post at: https://www.halbheer.ch/security/2017/09/22/ordering-technology-off-a-government-organization/