US bill forces tech companies to disclose foreign software checks

Companies have allowed foreign agencies to scour source code for vulnerabilities.

Technology companies could soon be forced to reveal if they have allowed agencies in countries such as China and Russia to closely examine their software. The legislation -- part of the Pentagon's spending bill -- was drafted in response to a Reuters investigation last year which found that in order to sell to the Russian market, some software makers had allowed a Russian defense agency to hunt for vulnerabilities in software also used by some US government agencies.

The bill -- approved by the Senate in an 87-10 vote and expected to be given the go-ahead by President Trump -- is designed to prevent US adversaries from discovering vulnerabilities that could be used to attack government systems. In a statement emailed to Reuters, Democratic senator Jeanne Shaheen, who drafted the rules, said that the first-of-its-kind mandate is "necessary to close a critical security gap in our federal acquisition process."

The Reuters investigation found that companies such as Hewlett Packard, SAP and McAfee have previously allowed Russian agencies to scour software source code prior to purchase, in most cases without informing US agencies that they were doing so. However, they all claim that the source code reviews were conducted in company-controlled facilities, where there was no chance of the reviewer copying or altering the software.

Nonetheless, some experts say the move could force companies to choose between selling to US and foreign markets. Considering the US government is known to make things hard for a number of software companies, they may end up choosing the latter. As The Software Alliance's senior director for policy, Tommy Ross, told Reuters, "we are seeing a worrying trend globally where companies are looking at cyber threats and deciding the best way to mitigate risk is to hunker down and close down to the outside world."