The news this week from Reuters about Pushwoosh should have every organization thinking about the security and the authenticity of their software vendors. We now know that a mobile SDK company with deep ties to Russia deceived both commercial and governmental app developers.
Because of Reuters’ reporting, we now know that a Russian software vendor created an SDK installed within thousands of iOS/Google apps and created fake employees in Washington, D.C. in order to sell services to government agencies, the military and countless commercial entities.
As the article brings to light, this is a material threat, and the process to discover the true ownership of an entity trying to hide that information can be challenging to unravel.
For mobile app developers, this should be a wakeup call for “trusting that someone else did their due diligence” on software installed within your app, and we need all companies within mobile app supply chains mapping all companies who receive data within an app and also disclosing apps with dynamic advertising data flows that can change at a moments notice.
Mobile app developers need to know exactly who created all of the code/SDKs within their apps, and this vetting process needs to determine the true owners of SDK vendors who receive user data. People should be able to see this information before installing any apps.
From an internal policy perspective, we recommend that insider threat teams re-audit and vet their own existing software partners and require current and new vendors to submit to new questionnaires and responses leveraging a robust “Know Your Customer” (KYC) process. But most importantly, businesses must create processes to “confirm questionnaires were accurately submitted” and work under the assumption that onboarding questionnaires are sometimes the first place a new client could be deceptive.
Externally, it’s crucial for U.S. policy makers and lawmakers to understand that multiple U.S. government agencies and the U.S. Army unknowingly worked with an organization that had Russian-aligned interests, who could track their users and create extremely dangerous technical flows, which could have allowed targeted attacks to VIP members of the US government who had installed any of those apps.
It’s overdue for Congress to pass a law that requires the Department of Defense to conduct annual audits about current risks from foreign ad tech and non-US software vendors, and the proposed text of “H.R.8367 - Intelligence Authorization Act for Fiscal Year 2023” introduced by Rep. Adam B. Schiff [D- CA-28] specifically would require the Director of National Intelligence/ODNI to investigate these risks.
The current proposed text to require a foreign ad tech audit:
Over the coming weeks and months, there will be significant questions that need answers about Pushwoosh, including figuring out why federal agencies and the military kept this software for years, without seemingly anyone inside the government conducting any audits on the risks from this vendor.
It’s important to recognize that a Russian firm deceived U.S. government agencies into installing potentially dangerous software that wasn’t removed for more than 5 years. The persistence of this software without it being flagged as a risk, is a core concern.
We need Congress to address these risks with utmost urgency and the first step in doing so is a requirement for the ODNI to annually audit the risks of foreign ad tech and software vendors.
