WASHINGTON (Reuters) – U.S. tech companies would be forced to disclose if they allowed American adversaries, like Russia and China, to examine the inner workings of software sold to the U.S. military under proposed legislation, Senate staff told Reuters on Thursday.
The bill, approved by the Senate Armed Services Committee on Thursday, comes after a year-long Reuters investigation found software makers allowed a Russian defense agency to hunt for vulnerabilities in software that was already deeply embedded in some of the most sensitive parts of the U.S. government, including the Pentagon, the Federal Bureau of Investigation and intelligence agencies.
Security experts say allowing Russian authorities to conduct the reviews of internal software instructions — known as source code — could help Russia find vulnerabilities and more easily attack key systems that protect the United States.
The new source code disclosure rules were included in the Senate version of the National Defense Authorization Act, the Pentagon’s spending bill, according to staffers of Democratic Senator Jeanne Shaheen.
Details of the bill, which passed the committee 25-2, are not yet public. The legislation still needs to be voted on by the full Senate and reconciled with a House version before it can be signed into law by President Donald Trump.
If passed into law, the legislation would require companies that do business with the U.S. military to disclose any source code review of the software done by adversaries, staffers for Shaheen told Reuters. If the Pentagon deems a source code review a risk, military officials and the software company would need to agree on how to contain the threat. It could, for example, involve limiting the software’s use to non-classified settings.
The details of the foreign source code reviews, and any steps the company agreed to take to reduce the risks, would be stored in a database accessible to military officials, Shaheen’s staffers said. For most products, the notification requirement would apply only to reviews by countries determined to be cybersecurity threats, such as Russia and China.