Defense bill imposes disclosure mandate for software makers on source code requests by Russians
Congress approved legislation Wednesday forcing tech companies to tell the Pentagon if foreign adversaries have sought access to the source code of any software those firms have sold to the U.S. military.
Passed in the Senate by a vote of 87-10, the final version of the 2019 National Defense Authorization Act contains language added by Sen. Jeanne Shaheen, New Hampshire Democrat, subjecting software makers to new requirements in response to concerns over companies having previously given Russian authorities inside knowledge of products used by U.S. military and intelligence agencies.
Software runs on its underlying source code, and individuals with access to that code can potentially find flaws to weaponize against users.
“This disclosure mandate is the first of its kind, and is necessary to close a critical security gap in our federal acquisition process,” Ms. Shaheen said in a statement, Reuters first reported.
The bill would prompt the Pentagon to establish a list of nations that pose a significant cybersecurity risk and require companies working with the military to reveal any instances where they were asked to share source code with those countries, Ms. Shaheen’s office said in a statement.
Companies that fail to address any security risks raised by foreign disclosures could be penalized in the form of having their Pentagon contract terminated, Reuters reported.
Tech companies including Hewlett Packard and SAP SE allowed a Russian defense agency to examine their source code, effectively giving Moscow intimate knowledge of their products’ inner workings, a Reuters investigation revealed last year.
“The Department of Defense and other federal agencies must be aware of foreign source code exposure and other risky business practices that can make our national security systems vulnerable to adversaries,” Ms. Shaheen added.
Ms. Shaheen led a separate effort last year aimed at cutting the government’s ties to Kaspersky Lab, a Moscow-based software vendor, that culminated in a prohibition against its products in this year’s defense spending bill. That ban is currently being appealed in D.C. federal court.
The pending bill including Ms. Shaheen’s disclosure mandate was approved in the House last week and is expected to be signed by President Trump.