WASHINGTON – The U.S. Congress is sending President Donald Trump legislation that would force technology companies to disclose if they allowed countries like China and Russia to examine the inner workings of software sold to the U.S. military.
The legislation, part of the Pentagon’s spending bill, was drafted after an investigation last year found that software-makers allowed a Russian defense agency to hunt for vulnerabilities in software used by some agencies of the U.S. government, including the Pentagon and intelligence services.
The final version of the bill was approved by the Senate in a 87-10 vote Wednesday after passing the House last week. The spending bill is expected to be signed into law by Trump.
Security experts said allowing Russian authorities to probe the internal workings of software, known as source code, could help Moscow discover vulnerabilities they could exploit to more easily attack U.S. government systems.
The new rules were drafted by Democratic Sen. Jeanne Shaheen of New Hampshire.
“This disclosure mandate is the first of its kind, and is necessary to close a critical security gap in our federal acquisition process,” Shaheen said in an emailed statement. “The Department of Defense and other federal agencies must be aware of foreign source code exposure and other risky business practices that can make our national security systems vulnerable to adversaries.”
The law would force U.S. and foreign technology companies to reveal to the Pentagon if they allowed adversaries, like China or Russia, to probe software sold to the U.S. military.
Companies would be required to address any security risks posed by the foreign source code reviews to the satisfaction of the Pentagon, or lose the contract.
The legislation also creates a database, searchable by other government agencies, of which software was examined by foreign states that the Pentagon considers a risk.
It makes the database available to public records requests — an unusual step for a system likely to include proprietary secrets.
Tommy Ross, a senior director for policy at the industry group The Software Alliance, said software companies have concerns that such legislation could force companies to choose between selling to the U.S. and foreign markets. “We are seeing a worrying trend globally where companies are looking at cyberthreats and deciding the best way to mitigate risk is to hunker down and close down to the outside world,” Ross said last week.A Pentagon spokeswoman declined to comment on the legislation.
The Pentagon said last week that is working on a software “do not buy” list to block vendors who use code originating from Russia and China.
Ellen Lord, the undersecretary of defense for acquisition and sustainment, told reporters on July 27 that the list is meant to help the Department of Defense’s acquisitions staff and industry partners avoid buying problematic code for the Pentagon and suppliers.
“What we are doing is making sure that we do not buy software that has Russian or Chinese provenance, for instance, and quite often that’s difficult to tell at first glance because of holding companies.”
The Pentagon has worked closely with the intelligence community, she said. “We have identified certain companies that do not operate in a way consistent with what we have for defense standards.”
In order to sell in the Russian market, technology companies including Hewlett Packard Enterprise Co. and McAfee LLC have allowed a Russian defense agency to scour software source code for vulnerabilities, an investigation found last year.
In many cases, Reuters found that the software companies had not informed U.S. agencies that Russian authorities had been allowed to conduct the source code reviews. In most cases, the U.S. military does not require comparable source code reviews before it buys software, procurement experts have said.
The companies had previously said the source code reviews were conducted by the Russians in company-controlled facilities, where the reviewer could not copy or alter the software. The companies said those steps ensured the process did not jeopardize the safety of their products.
McAfee announced last year that it no longer allows government source code reviews. Hewlett Packard Enterprise has said none of its current software has gone through the process.
SAP SE did not respond to requests for comment on the legislation. HPE and McAfee spokespeople declined further comment.