A new bill would require U.S. tech companies to disclose whether they have allowed American adversaries to examine the source code of software sold to the U.S. military.
The bill, approved by the Senate Armed Services Committee, comes after Reuters discovered that tech companies including Hewlett Packard, SAP and McAfee have allowed a Russian defense agency to look over software source code for vulnerabilities. In many cases, the companies never informed U.S. agencies that the reviews had been conducted.
In addition, some of the reviewed software was already deeply embedded in the most sensitive parts of the U.S. government, including the Pentagon, the Federal Bureau of Investigation and intelligence agencies.
Although the companies said the reviews were carried out in controlled facilities, security experts have warned that letting a foreign government inspect source code could help Russia find and exploit flaws in key systems that protect the United States.
The new source code disclosure rules were included in the Senate version of the National Defense Authorization Act, the annual bill that sets Pentagon policy and authorizes its spending, according to staffers of Democratic Senator Jeanne Shaheen.
The bill still needs to be voted on by the full Senate and merged with the House version before it can be signed into law by President Donald Trump.
The legislation would require companies that do business with the U.S. military to disclose any review of their software's source code conducted by adversaries. If the Pentagon decides that a source code review poses a risk, military officials and the software company would need to agree on how to handle the threat, for example by limiting the software's use to non-classified settings.
The details of the foreign source code reviews, and the steps agreed upon to reduce the risks, would be stored in a database accessible to military officials. For most software, the disclosure requirement would apply only to reviews by countries seen as a cybersecurity threat, such as Russia and China.