US Bill Will Force Tech Companies to Disclose China, Russia Software Probes

May 26, 2018 Updated: May 27, 2018

WASHINGTON—U.S. tech companies would be forced to disclose if they allowed American adversaries, like Russia and China, to examine the inner workings of software sold to the U.S. military under proposed legislation, Senate staff told Reuters on Thursday.

The bill, approved by the Senate Armed Services Committee on Thursday, comes after a year-long Reuters investigation found software makers allowed a Russian defense agency to hunt for vulnerabilities in software that was already deeply embedded in some of the most sensitive parts of the U.S. government, including the Pentagon, the Federal Bureau of Investigation (FBI), and intelligence agencies.

Security experts say allowing Russian authorities to conduct the reviews of internal software instructions—known as source code—could help Russia find vulnerabilities and more easily attack key systems that protect the United States.

The new source code disclosure rules were included in Senate version of the National Defense Authorization Act, the Pentagon’s spending bill, according to staffers of Democratic Senator Jeanne Shaheen.

In a statement, Shaheen said that tech companies have a duty to help protect federal software systems.

“This is why the Department of Defense and other federal agencies should know of any potential vulnerabilities relating to a partner company’s business practices overseas,” she said. The language in the bill mandates those disclosures and “ultimately makes overdue reforms to harden the Department against cyber attacks.”

Details of bill, which passed the committee 25-2, are not yet public. And the legislation still needs to be voted on by the full Senate and reconciled with a House version of the legislation before it can be signed into law by President Donald Trump.

If passed into law, the legislation would require companies that do business with the U.S. military to disclose any source code review of the software done by adversaries, staffers for Shaheen told Reuters. If the Pentagon deems a source code review a risk, military officials and the software company would need to agree on how to contain the threat. It could, for example, involve limiting the software’s use to non-classified settings.

The details of the foreign source code reviews, and any steps the company agreed to take to reduce the risks, would be stored in a database accessible to military officials, Shaheen’s staffers said. For most products, the military notification will only apply to countries determined to be cybersecurity threats, such as China and Russia.

Financial Times reported back in March that China’s Ministry of State Security, an intelligence agency, told the state’s hackers to directly report any vulnerabilities they discover to the agency or to the companies themselves.

Cyber security company FireEye discovered that Chinese hackers were behind the discoveries of vulnerabilities at several U.S.-based multinational tech firms such as Google, Apple, and Microsoft.

In addition, in order to sell in the Russian market, tech companies including Hewlett Packard, SAP, and McAfee have allowed a Russian defense agency to scour software source code for vulnerabilities, Reuters found. In many cases, Reuters found that the software companies had not previously informed U.S. agencies that Russian authorities had been allowed to conduct the source code reviews. In most cases, the U.S. military does not require comparable source code reviews before it buys software, procurement experts have told Reuters.

By Joel Schectman. Epoch Times staff member Annie Wu contributed to this report.