The U.S. government is stepping up its sensitivity to foreign governments insisting on reviews of software companies' source code.
A provision in the defence spending bill that passed on Wednesday will require companies to disclose if they have allowed other governments to review the code of any software that is used in U.S. military systems.
The section of the bill that passed the Senate with an 87-10 vote stipulates that the Department of Defence cannot use any software product in a range of its systems unless the manufacturer fully discloses the source code reviews by foreign governments that it has previously allowed or is under obligation to allow in the future. The language of the provision is, as usual, convoluted, and it does not cover all foreign governments, only those placed on a forthcoming list of cyber threats that is due within 180 days after the bill is signed. The president still has to sign off on the legislation, something he's expected to do, but you never know with this guy.
It appears that the section was prompted by a Reuters investigation from last year that found Hewlett Packard Enterprise had permitted a company to review the source code of a piece of cyber defence technology on behalf of the Russian government. The software is also used by the Pentagon. A subsequent report found that SAP, Symantec, and McAfee had also given the Russian government permission to dig through their code for software that is likewise used by the DOD.
The worry is that an adversary like Russia could find security holes during such a review, withhold them from the vendor, and later exploit those vulnerabilities to penetrate U.S. government systems. That is much like when the U.S. sat on vulnerabilities in Microsoft products so that it could take advantage of them itself, leaving everyone else exposed to hacking.
This new policy follows a series of measures to limit the potential for foreign government hacking, such as the ban on Kaspersky's anti-virus software in government systems and restrictions on Huawei phones.
Senator Jeanne Shaheen drafted the legislation. Reached by Gizmodo for comment, her spokesperson sent us the following statement:
This disclosure mandate is the first of its kind and is necessary to close a critical security gap in our federal acquisition process. The Department of Defence and other federal agencies must be aware of foreign source code exposure and other risky business practices that can make our national security systems vulnerable to adversaries.
Shaheen is among a contingent of lawmakers who have stepped up calls for aggressive action to prevent cyberattacks in the U.S. by hackers from Russia. On Thursday, she joined several senators in co-sponsoring bipartisan legislation to impose even more sanctions on the Russian government as a response to new accusations from the U.S. intelligence community about continued Russian efforts to interfere with U.S. elections. That legislation is likely to be more controversial than the new software policies, as the president has been reluctant to do anything to anger the Russian government.