Bill: Tech Firms Must Disclose US Adversaries’ Software Reviews

A new bill would require U.S. tech companies to disclose if they allowed American adversaries to examine software sold to the U.S. military.

The bill, approved by the Senate Armed Services Committee, comes after Reuters discovered that tech companies including Hewlett Packard, SAP and McAfee have allowed a Russian defense agency to look over software source code for vulnerabilities. In many cases, the companies never informed U.S. agencies that the reviews had been conducted.

In addition, some of the reviewed software was already deeply embedded in some of the most sensitive parts of the U.S. government, including the Pentagon, the Federal Bureau of Investigation and intelligence agencies.

Although both companies said the reviews were carried out in controlled facilities, security experts have warned that the move could help Russia attack key systems that protect the United States.

The new source code disclosure rules were included in the Senate version of the National Defense Authorization Act, the Pentagon’s spending bill, according to staffers of Democratic Senator Jeanne Shaheen.

The bill still needs to be voted on by the full Senate and merged with the House version before it can be signed into law by President Donald Trump.

The legislation would require companies that conduct business with the U.S. military to disclose any source code review of the software done by adversaries. If the Pentagon decides that a source code review would be a risk, military officials and the software company would need to agree on how to handle the threat, such as limiting the software’s use to non-classified settings.

The details of the foreign source code reviews, and the steps that were agreed upon to reduce the risks, would be stored in a database accessible to military officials. For most software, the military notification will only apply to countries seen as a cybersecurity threat, such as Russia and China.
