Bill Says US Tech Companies Must Let The Feds Know When Foreign Companies Poke Around In Their Source Code
from the I-went-to-the-Trade-War-and-all-I-got-was-this-lousy-reporting-requirement dept
American tech companies don’t want to give up their cut of a $20 billion Russian software/hardware market, so they’ve been allowing purchasers to examine devices and vet source code before those purchasers shell out for new products. This isn’t exactly ideal for American companies, which don’t necessarily like having entities linked to Russia’s government vetting their source code. But Russia is as concerned as anyone else that products might ship with adversaries’ backdoors pre-installed, and the market is too big to be ignored.
Russia has every right to suspect government backdoors may be unlisted features. Checking products and source code before purchase just makes sense, what with leaked documents showing the NSA intercepts foreign-bound hardware to install backdoors and other leaks exposing a fair bit of the agency’s exploit collection. But now that Russia appears to have engaged in cyberwarfare efforts during the 2016 election, legislators are demanding US companies let the US government know who’s been poking around in their products.
The U.S. Congress is sending President Donald Trump legislation that would force technology companies to disclose if they allowed countries like China and Russia to examine the inner workings of software sold to the U.S. military.
To help ease its passage, the provision isn’t being allowed to stand on its own. It’s attached to a Pentagon spending bill, which has helped it avoid any scrutiny or heated arguments. Not that a bill like this wouldn’t be popular at this time. It doesn’t forbid companies from selling to Russia and China. It only asks that the government be informed if these purchasers do anything other than grab boxed product off the shelf. China and Russia likely aren’t going to be happy with this new development. If customers in these lucrative markets decide they’re no longer interested in buying American because their vetting will be made public, American companies may find they only have America to sell to.
What makes it an even harder pill to swallow are the reporting requirements, which could result in tech companies’ secrets being publicly outed.
The legislation also creates a database, searchable by other government agencies, of which software was examined by foreign states that the Pentagon considers a cyber security risk.
It makes the database available to public records requests, an unusual step for a system likely to include proprietary company secrets.
The Business Software Alliance notes that the law is pretty much a ban, even if there’s no ban on sales. The reporting requirements won’t affect sales to American purchasers, just sales to certain foreign countries. The path of least resistance would be pulling out of the foreign markets targeted by this bill.
And, of course, there’s a chance retaliatory legislation will be enacted in other countries in response. Some equivalent process may already be in place in countries where governments have more of a hand in every business transaction (not just the import/export business). But where nothing similar is in place, it may well be soon. This could result in US companies informing foreign governments about the US government’s demands for source code and device access. The US government already does this — repeatedly — with court orders obtained from federal courts, including the NSA’s home turf, the FISA court.
This may also force the US government to do a bit more due diligence before buying foreign goods. Incredibly, the US military does not currently engage in pre-vetting when purchasing from foreign companies, meaning it could be importing artisanal backdoors created by, or for, foreign governments.
What this looks like is a bit more wintry air blowing across international relations, bringing us closer to a full-blown cyber Cold War. Markets are going to become increasingly siloed as world powers demand other governments open up their cloaks and present their daggers for inspection. Meanwhile, the world’s exploit/malware dealers will continue to rake in the cash, cutting both governments and tech companies out of the loop.