We asked the US military for its 'do not buy' list of Russian, Chinese gear. Surprise: It doesn't exist
El Reg drills into banned technology with Freedom-of-Info request
The US Department of Defense's "do not buy" list of foreign software and equipment turns out to be about as long as the list of bug-free Windows releases or privacy-focused Facebook apps.
In other words, it doesn't exist.
According to news reports in July, there is such a list, and the Pentagon has been adding to it in an effort to eliminate the presence of potentially compromised Chinese and Russian tech gear in the US military.
Ellen Lord, Undersecretary of Defense for Acquisition and Sustainment (USDA&S), the office that buys most of the DoD's weapons and other defence kit, told reporters at the Pentagon as much at the time. Back then she declined to name and shame the companies included on that list.
So The Register filed a Freedom of Information Act (FOIA) request with the Department of Defense to see the list. To our shock – given our experience with denied requests and requests answered with documents redacted to the point of uselessness – we received an actual response in a reasonable amount of time.
And it turns out there's not really a list of banned vendors, though one could make one by scouring US federal regulations for scorned companies.
"After thorough searches of the electronic records and files of the USDA&S, no records of the kind you describe could be identified," said Stephanie L. Carr, chief of the DoD's Freedom of Information Office, in a letter responding to our FOIA request. "Further, the USDA&S advises, 'The "do not buy" list referenced by Ms. Lord was a misuse of the phrase "do not buy." A "do not buy" list does not exist.'"
The letter explains that vendor bans follow from the implementation of Section 806 of the FY2011 National Defense Authorization Act (NDAA) and Sections 881 and 889 of the FY2019 NDAA.
Section 889 (Prohibition on Certain Telecommunications and Video Surveillance Services or Equipment) of the FY2019 NDAA lists five Chinese companies the DoD should avoid – Huawei Technologies Company, ZTE Corporation, Hytera Communications Corporation, Hangzhou Technology Company, and Dahua Technology Company – but it's not a list per se.
"These drastic restrictions have been enacted or contemplated on the basis of fear and other irrational and unfounded considerations, with no credible evidence that Huawei or others pose any real national security risk," the Chinese telecom company complained.
Allegations about compromised technology affect not just foreign companies but those based in the US. A separate Bloomberg report last month said Chinese spies had compromised the server supply chain, resulting in backdoored gear at Amazon, Apple and Super Micro Computer.
All three companies have denied that claim. On its conference call for investors on Thursday, Super Micro CEO Charles Liang reiterated previous assertions that no such spy chips exist in Super Micro products.
The Register asked the Department of Defense if anyone cared to elaborate on the criteria for being added to the non-existent list. We've not heard back. ®