Exclusive: U.S. bill would force tech companies to disclose foreign software probes

By Joel Schectman WASHINGTON (Reuters) - U.S. tech companies would be forced to disclose if they allowed American adversaries, like Russia and China, to examine the inner workings of software sold to the U.S

Reuters May 25, 2018 06:05:12 IST
Exclusive: U.S. bill would force tech companies to disclose foreign software probes

Exclusive US bill would force tech companies to disclose foreign software probes

By Joel Schectman

WASHINGTON (Reuters) - U.S. tech companies would be forced to disclose if they allowed American adversaries, like Russia and China, to examine the inner workings of software sold to the U.S. military under proposed legislation, Senate staff told Reuters on Thursday.

The bill, approved by the Senate Armed Services Committee on Thursday, comes after a year-long Reuters investigation https://reut.rs/2kgSpjW found software makers allowed a Russian defence agency to hunt for vulnerabilities in software that was already deeply embedded in some of the most sensitive parts of the U.S. government, including the Pentagon, the Federal Bureau of Investigation and intelligence agencies.

Security experts say allowing Russian authorities to conduct the reviews of internal software instructions -- known as source code -- could help Russia find vulnerabilities and more easily attack key systems that protect the United States.

The new source code disclosure rules were included in Senate version of the National Defense Authorization Act, the Pentagon’s spending bill, according to staffers of Democratic Senator Jeanne Shaheen.

In a statement, Shaheen said that tech companies have a duty to help protect federal software systems.

"This is why the Department of Defense and other federal agencies should know of any potential vulnerabilities relating to a partner company’s business practices overseas," she said. The language in the bill mandates those disclosures and "ultimately makes overdue reforms to harden the Department against cyber attacks."

Details of bill, which passed the committee 25-2, are not yet public. And the legislation still needs to be voted on by the full Senate and reconciled with a House version of the legislation before it can be signed into law by President Donald Trump.

If passed into law, the legislation would require companies that do business with the U.S. military to disclose any source code review of the software done by adversaries, staffers for Shaheen told Reuters. If the Pentagon deems a source code review a risk, military officials and the software company would need to agree on how to contain the threat. It could, for example, involve limiting the software’s use to non-classified settings.

The details of the foreign source code reviews, and any steps the company agreed to take to reduce the risks, would be stored in a database accessible to military officials, Shaheen's staffers said. For most products, the military notification will only apply to countries determined to be cybersecurity threats, such as Russia and China.

Shaheen has been a key voice on cybersecurity in Congress. The New Hampshire senator last year led successful efforts in Congress to ban all government use of software provided by Moscow-based antivirus firm Kaspersky Lab, amid allegations the company is linked to Russian intelligence. Kaspersky denies such links.

In order to sell in the Russian market, tech companies including Hewlett Packard Enterprise Co , SAP and McAfee have allowed a Russian defence agency to scour software source code for vulnerabilities, Reuters found. In many cases, Reuters found that the software companies had not previously informed U.S. agencies that Russian authorities had been allowed to conduct the source code reviews. In most cases, the U.S. military does not require comparable source code reviews before it buys software, procurement experts have told Reuters. (Graphic: https://tmsnrt.rs/2J0Mf2C)

The companies have said the source code reviews were conducted by the Russians in company-controlled facilities, where the reviewer could not copy or alter the software. McAfee announced last year that it no longer allows government source code reviews. Hewlett Packard Enterprise has said none of its current software offerings have gone through the process.

(Reporting by Joel Schectman; Additional reporting by Jack Stubbs in Moscow; Editing by Damon Darlin and Lisa Shumaker)

This story has not been edited by Firstpost staff and is generated by auto-feed.

Updated Date:

TAGS:

also read

Guinea president 'captured', govt dissolved, claim army putschists'; attack on presidential palace repulsed, say authorities
World

Guinea president 'captured', govt dissolved, claim army putschists'; attack on presidential palace repulsed, say authorities

Reports suggest that they captured President Alpha Conde and dissolved the government, bust the ground situation remains unclear

Cryptocurrency prices tumble and exchange trading falters as snags crop up
News & Analysis

Cryptocurrency prices tumble and exchange trading falters as snags crop up

NEW YORK (Reuters) -The price of cryptocurrencies plunged and crypto trading was delayed on Tuesday, a day in which El Salvador ran into snags as the first country to adopt bitcoin as legal tender. Shares of blockchain-related firms also fell as crypto stocks were hit by trading platform outages. But the major focus was on El Salvador, where the government had to temporarily unplug a digital wallet to cope with demand.

Ford poaches Apple's car project chief Doug Field
News & Analysis

Ford poaches Apple's car project chief Doug Field

By Joseph White and Sanjana Shivdas (Reuters) -The head of Apple Inc's car project, Doug Field, is going to work for Ford Motor Co to lead the automaker's advanced technology and embedded systems efforts, a hiring coup for Ford Chief Executive Jim Farley.