Tech companies to disclose foreign software probes under US Bill: Report

New source code disclosure rules could force US tech companies to reveal whether they allowed Chinese or Russian examination of software sold to the US military, Reuters has reported.
Written by Corinne Reichert, Contributor

A piece of proposed legislation reportedly facing the United States Senate would force US tech companies to divulge whether they permit nations including China and Russia to examine the source code of software they sell to the US military, a report has said.

According to Reuters, the Bill was approved 25-2 on Thursday by the Senate Armed Services Committee, with the new source code disclosure rules making up part of the National Defense Authorization Act.

Being able to search for and find vulnerabilities in that source code could make it easier for nations that are a "cybersecurity threat" to attack US systems, according to Reuters.

The Bill still needs to pass the full Senate and be reconciled with the House of Representatives version of that legislation before being signed by US President Donald Trump, Reuters added.

Under the Bill, tech companies may have to limit the use of the software to non-classified areas of government if its source code has been reviewed by a foreign nation, the report said, with the details of such reviews and the steps taken by the tech company to then be "stored in a database accessible to military officials".

The publication pointed out that the Bill's drafting followed Reuters' discovery that software makers including McAfee and HPE were permitting a Russian-based defence agency to search for vulnerabilities in the source code of software already being used by the Pentagon and the Federal Bureau of Investigation (FBI), among other intelligence agencies.

The US government has been cracking down on tech and software from Russia and China, with the Department of Homeland Security (DHS) last year ordering federal agencies to stop using Kaspersky security products after removing the Russian company from its list of approved vendors.

"This action is based on the information security risks presented by the use of Kaspersky products on federal information systems," DHS said at the time.

"Kaspersky anti-virus products and solutions provide broad access to files and elevated privileges on the computers on which the software is installed, which can be exploited by malicious cyber actors to compromise those information systems."

Earlier this month, legislation barring the sale of national security-sensitive technology to China was also introduced to the US Senate, with the proposed Fair Trade with China Enforcement Act blocking government or contractors from buying telecommunications equipment and services from Chinese tech giants ZTE and Huawei.


In addition, the draft legislation imposes higher taxes on any income from China being made by US multinational companies, as well as levying duties and caps on shares held by Chinese investors in some US companies.

"How America responds to the growing threats posed by China is the single most important geopolitical issue of our time, and will define the 21st century," Republican Marco Rubio said at the time.

The heads of the CIA, FBI, and NSA and the director of national intelligence had also recommended to the Senate Intelligence Committee in February that Americans not use products from Huawei and ZTE.

After ZTE was issued with an export ban last month by the US Department of Commerce, the Chinese company said "the major operating activities of the company have ceased"; however, Trump then said he would speak to the department on reversing this, with Reuters earlier this week reporting the ZTE deal is close to being reached.

US President Donald Trump had started his trade war with China in March.
