By Joel Schectman
WASHINGTON (Reuters) – U.S. tech companies would be forced to disclose if they allowed American adversaries, like Russia and China, to examine the inner workings of software sold to the U.S. military under proposed legislation, Senate staff told Reuters on Thursday.
The bill, approved by the Senate Armed Services Committee on Thursday, comes after a year-long Reuters investigation https://reut.rs/2kgSpjW found software makers allowed a Russian defense agency to hunt for vulnerabilities in software that was already deeply embedded in some of the most sensitive parts of the U.S. government, including the Pentagon, the Federal Bureau of Investigation and intelligence agencies.
Security experts say allowing Russian authorities to conduct the reviews of internal software instructions — known as source code — could help Russia find vulnerabilities and more easily attack key systems that protect the United States.
The new source code disclosure rules were included in Senate version of the National Defense Authorization Act, the Pentagon’s spending bill, according to staffers of Democratic Senator Jeanne Shaheen.
In a statement, Shaheen said that tech companies have a duty to help protect federal software systems.
“This is why the Department of Defense and other federal agencies should know of any potential vulnerabilities relating to a partner company’s business practices overseas,” she said. The language in the bill mandates those disclosures and “ultimately makes overdue reforms to harden the Department against cyber attacks.”
Details of bill, which passed the committee 25-2, are not yet public. And the legislation still needs to be voted on by the full Senate and reconciled with a House version of the legislation before it can be signed into law by President Donald Trump.
If passed into law, the legislation would require companies that do business with the U.S. military to disclose any source code review of the software done by adversaries, staffers for Shaheen told Reuters. If the Pentagon deems a source code review a risk, military officials and the software company would need to agree on how to contain the threat. It could, for example, involve limiting the software’s use to non-classified settings.
The details of the foreign source code reviews, and any steps the company agreed to take to reduce the risks, would be stored in a database accessible to military officials, Shaheen’s staffers said. For most products, the military notification will only apply to countries determined to be cybersecurity threats, such as Russia and China.
Shaheen has been a key voice on cybersecurity in Congress. The New Hampshire senator last year led successful efforts in Congress to ban all government use of software provided by Moscow-based antivirus firm Kaspersky Lab, amid allegations the company is linked to Russian intelligence. Kaspersky denies such links.
In order to sell in the Russian market, tech companies including Hewlett Packard Enterprise Co <HPE.N>, SAP <SAPG.DE> and McAfee have allowed a Russian defense agency to scour software source code for vulnerabilities, Reuters found. In many cases, Reuters found that the software companies had not previously informed U.S. agencies that Russian authorities had been allowed to conduct the source code reviews. In most cases, the U.S. military does not require comparable source code reviews before it buys software, procurement experts have told Reuters. (Graphic: https://tmsnrt.rs/2J0Mf2C)
The companies have said the source code reviews were conducted by the Russians in company-controlled facilities, where the reviewer could not copy or alter the software. McAfee announced last year that it no longer allows government source code reviews. Hewlett Packard Enterprise has said none of its current software offerings have gone through the process.
(Reporting by Joel Schectman; Additional reporting by Jack Stubbs in Moscow; Editing by Damon Darlin and Lisa Shumaker)