Fri, Aug 03, 2018 - Page 7 News List

US passes bill on foreign software probes

CRITICAL SECURITY GAP:Allowing countries such as Russia to examine source code would help them discover vulnerabilities to more easily attack US systems, experts said


The US Congress is sending US President Donald Trump legislation that would force technology companies to disclose if they allowed countries like China and Russia to examine the inner workings of software sold to the US military.

The legislation, part of the Pentagon’s spending bill, was drafted after a Reuters investigation last year found software makers allowed a Russian defense agency to hunt for vulnerabilities in software used by some agencies of the US government, including the Pentagon and intelligence services.

The final version of the bill was on Wednesday approved by the US Senate in a 87-10 vote after passing the US House of Representatives last week. The spending bill is expected to be signed into law by Trump.

Security experts said allowing Russian authorities to probe the internal workings of software, known as source code, could help Moscow discover vulnerabilities it could exploit to more easily attack US government systems.

The new rules were drafted by Democratic Senator Jeanne Shaheen of New Hampshire.

“This disclosure mandate is the first of its kind, and is necessary to close a critical security gap in our federal acquisition process,” Shaheen said in a statement.

“The Department of Defense and other federal agencies must be aware of foreign source code exposure and other risky business practices that can make our national security systems vulnerable to adversaries,” she said.

The law would force US and foreign technology companies to reveal to the Pentagon if they allowed cyberadversaries, like China or Russia, to probe software sold to the US military. Companies would be required to address any security risks posed by the foreign source code reviews to the satisfaction of the Pentagon, or lose the contract.

The legislation would also require the creation of a database, searchable by other government agencies, of which software was examined by foreign states that the Pentagon considers a cybersecurity risk. It would make the database available to public records requests, an unusual step for a system likely to include proprietary company secrets.

Tommy Ross, a senior director for policy at the industry group The Software Alliance, said software companies have concerns that such legislation could force companies to choose between selling to the US and foreign markets.

“We are seeing a worrying trend globally where companies are looking at cyberthreats and deciding the best way to mitigate risk is to hunker down and close down to the outside world,” Ross said last week.

A Pentagon spokeswoman declined to comment on the legislation.

In order to sell in the Russian market, technology companies including Hewlett Packard Enterprise, SAP and McAfee allowed a Russian defense agency to scour software source code for vulnerabilities, the Reuters investigation found last year.

In many cases, it found that the software companies had not informed US agencies that Russian authorities had been allowed to conduct the source code reviews.

Comments will be moderated. Keep comments relevant to the article. Remarks containing abusive and obscene language, personal attacks of any kind or promotion will be removed and the user banned. Final decision will be at the discretion of the Taipei Times.

TOP top