Bill Says US Tech Companies Must Let The Feds Know When Foreign Companies Poke Around In Their Source Code

from the I-went-to-the-Trade-War-and-all-I-got-was-this-lousy-reporting-requirement dept

American tech companies don’t want to give up their cut of a $20 billion Russian software/hardware market, so they’ve been allowing purchasers to examine devices and vet source code before shelling out for new products. This isn’t exactly ideal for American companies, but Russia is as concerned as anyone else products might be shipping with adversaries’ backdoors pre-installed. American companies don’t necessarily like having entities linked to Russia’s government vetting source code, but the market is too big to be ignored.

Russia has every right to suspect government backdoors may be unlisted features. Checking products and source code before purchase just makes sense, what with leaked documents showing the NSA intercepts foreign-bound hardware to install backdoors and other leaks exposing a fair bit of the agency’s exploit collection. But now that Russia appears to have engaged in cyberwarfare efforts during the 2016 election, legislators are demanding US companies let the US government know who’s been poking around in their products.

The U.S. Congress is sending President Donald Trump legislation that would force technology companies to disclose if they allowed countries like China and Russia to examine the inner workings of software sold to the U.S. military.

To help ease its passage, the law isn’t being allowed to stand up by itself. It’s attached to a Pentagon spending bill, which has helped it avoid any scrutiny or heated arguments. Not that a bill like this wouldn’t be popular at this time. It doesn’t forbid companies sell to Russia and China. It only asks the government be informed if these purchasers do anything than grab boxed product off the shelves. China and Russia likely aren’t going to be happy with this new development. If these customers in these lucrative markets decide they’re no longer interested in buying American because their vetting will be made public, American companies may only have America to sell to.

What makes it an even harder pill to swallow is the reporting requirements, which could result in tech companies’ secrets being publicly outed.

The legislation also creates a database, searchable by other government agencies, of which software was examined by foreign states that the Pentagon considers a cyber security risk.

It makes the database available to public records requests, an unusual step for a system likely to include proprietary company secrets.

The Business Software Alliance notes that the law is pretty much a ban, even if there’s no ban on sales. The reporting requirements won’t affect sales to American purchasers, just certain foreign countries. The path of least resistance would be pulling out of foreign markets targeted by this bill.

And, of course, there’s a chance retaliatory legislation will be enacted in other countries in response. Some equivalent process may already be in place in countries where governments have more of a hand in every business transaction (not just the import/export business). But where nothing similar is in place, it may well be soon. This could result in US companies informing foreign governments about the US government’s demands for source code and device access. The US government already does this — repeatedly — with court orders obtained from federal courts, including the NSA’s home turf, the FISA court.

This may also force the US government to do a bit more due diligence before buying foreign goods. Incredibly, the US military does not currently engage in pre-vetting when purchasing from from foreign companies, meaning it could be importing artisanal backdoors created by, or for, foreign governments.

What this looks like is a bit more wintry air blowing across international relations, bringing us closer to a full-blown cyber Cold War. Markets are going to become increasingly siloed as world powers demand other governments open up their cloaks and present their daggers for inspection. Meanwhile, the world’s exploit/malware dealers will continue to rake in the cash, cutting both governments and tech companies out of the loop.

Filed Under: , , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Bill Says US Tech Companies Must Let The Feds Know When Foreign Companies Poke Around In Their Source Code”

Subscribe: RSS Leave a comment
33 Comments
That One Guy (profile) says:

Gotta love the (blatantly sleazy) classics

To help ease its passage, the law isn’t being allowed to stand up by itself. It’s attached to a Pentagon spending bill, which has helped it avoid any scrutiny or heated arguments.

Because if you want to know when even a bill’s supporters don’t think a particular bill would stand up under scrutiny you need look no farther than which ones are attached to unrelated ‘must pass’ bills like budget ones.

Berenerd (profile) says:

I know! As its relative common knowledge, why not just assume they are? No extra expenditures or extra loop holes the congress can use to use to prosecute average people in the name of the law.
What will you do to a company that does not properly comply? Have them finance your next re-election?
How many laws have been broken by large companies in the last 30 years? How many of those company leaders have gone to jail? How many have gotten more than a wrist slap?
Then, lets go to the fact that you feel the law can’t stand on its own so you attach it to a bill that “has to be passed” by default?

Anonymous Coward says:

Re: prosecute average people

Tsk, Tsk — U make it sound like our beloved U.S. Congress is stocked with unhinged, narrow minded fools

But of course it’s of critical importance that our expert representatives in Congress regulate & supervise all businesses & commerce, especially those businesses engaged in foreign trade. Congress must be obeyed and disobedient Americans punished.

Who are we to criticize and second guess official actions of the United States Congress? Do U not understand how government regulation works? …/S

Coyne Tibbets (profile) says:

Maybe not the first priority?

This is probably not even about NSA back doors. It’s probably about that idiotic encryption export restriction. Can’t allow other countries to see/steal our super-super-secret encryption that any foreign national can just buy a book about.

Maybe instead we should be worrying about what is in some of the foreign products that we incautiously use here in the United States.

Anonymous Anonymous Coward (profile) says:

What's missing?

The legislation also creates a database, searchable by other government agencies, of which software was examined by foreign states that the Pentagon considers a cyber security risk.

It makes the database available to public records requests, an unusual step for a system likely to include proprietary company secrets.

This sounds to me like a list of titles that have been examined. What company ‘secrets’ would be included? That they have been examined? So what, they got examined.

Now, that examination might give the examiners a leg up on creating something they will inject later, but again, so what?

Mason Wheeler (profile) says:

Or we could just apply Kerckhoffs's principle

One of the most fundamental rules of security is Kerckhoffs’s principle: "[assume that] the enemy knows the system." It states that a system must be secure even if the entire design (source code, in the case of software) is in the hands of the adversary, and for this to happen, the only part of the system that needs to be kept secret is the cryptographic key.

Kerckhoff’s principle tells us that any system that can’t be considered secure if everything but the key is publicly known cannot be considered secure, period. Therefore, if any vendor claims that letting the public look at their source code could compromise their product’s security, your default assumption should be to consider their product compromised already.

Uriel-238 (profile) says:

Re: Why is this not an established thing?

Years of Techdirt articles about the failure after failure of security-though-obscurity have shown us that Linus’ law works better, especially when white hats are paid a proper bounty rather than demonized.

Ultimately, every secure system is penetration tested, whether the hats are white or not.

Uriel-238 (profile) says:

Re: Re: Re: "Not good enough"

Well that raises the question, what is good enough? We’ll never get perfect, but we can get to were successful hacks by day-zero exploit are sufficiently rare. And in the meantime, it’s hard to disguise intentional back doors as an unintentionally exploitable bug.

To be fair, we haven’t fairly tried a robust bounty system to encourage white-hats to quash exploits without national agencies subverting the system and offering to pay for exploits to go unreported and added to their spycraft library.

I think open source would be pretty durned effective, especially if industries and government are using the code, they might get invested in keeping an eye on it. That’s the sort of thing the NSA was supposed to do before it went completely espionage.

Anonymous Coward says:

Re: Re: Re:2 "Not good enough"

Well that raises the question, what is good enough?

One exploited security bug can be devastating, so… zero.

we can get to were successful hacks by day-zero exploit are sufficiently rare.

"day-zero" or not makes little difference when, say, the data of 145.5 million people gets leaked.

if industries and government are using the code, they might get invested in keeping an eye on it.

That’s the idea. But then there was Heartbleed, when we learned OpenSSL had 4 funded developers; it still runs on less than a million dollars a year. It protects protects billions, maybe trillions of dollars in financial transactions, and none of the interested parties noticed for 2 years. Or look at NTP: one guy, meager budget, but used by everyone.

Open-source is absolutely necessary, but not sufficient. We don’t even know what would be sufficient. So-called "software engineering" isn’t; could you imagine if bridges had the reliability of software? I look toward formal verification with cautious optimism, but feel we’re several disasters away from an era where we’ll recoil with horror when someone suggests a development strategy with the typical circa-2018 lack of rigor.

Anonymous Coward says:

Re: Re: Re:3 "Not good enough"

Even mechanical design suffers from bugs, what are else are vehicle recall than fixing bugs discovered during their everyday use. A few aircraft disasters have been due to bugs in the design, like the Lockheed Electra, which once the bugs was has continued in service, as does its derivative the Orion.

Bridges in comparison to aircraft (and software) are simple systems, for which an thorough mechanical analysis is possible. It should be noted however that some of that analysis comes from failure analysis of the few bridges, like the Tacoma bridge, that failed in service.

A few minutes on a super computer will carry out a detailed stress analysis of a bridges, while no computer exists which can do the same for software.

Software reliability is improving, via the use of various design techniques, unit testing and static analysis tools. It does take time to go back over the huge volume of old code that is still in use. Just to add to the fun of software reliability, there are some old programs, where the source decks were destroyed by mice decades ago, but the software is still in use, and effectively unmaintainable.

Uriel-238 (profile) says:

Re: Re: Re:3 On"exploited security bug can be devastating, so... zero."

You’re going to have a better chance, I think, of curing the Earth of hurricanes. A non-zero degree of risk, even devastating risk will have to be acceptable, unless you want to forbid the state from using software at all.

I observe even imperfect software provides fewer errors than humans doing the same job. Though better than their human counterparts is a rather low bar.

Anonymous Coward says:

Re: Re: Re:4 On"exploited security bug can be devastating, so... zero."

I observe even imperfect software provides fewer errors than humans doing the same job.

I would say, then, that the humans aren’t good enough either. I suppose we have to go with the best option we have at any given time, but I hope we don’t at some point declare it "good enough" and stop trying to improve things.

Uriel-238 (profile) says:

Re: Re: Re:5 good enough to stop trying to improve

I was thinking of good enough to utilize.

Yeah, we want errors in the system to approach zero over time, even if we can’t reasonably expect it ever to get there. There will always be room for improvement.

And also, yes, it’s sad our government isn’t really trying that hard to make things better.

bob says:

citation needed

Incredibly, the US military does not currently engage in pre-vetting when purchasing from from foreign companies, meaning it could be importing artisanal backdoors created by, or for, foreign governments.

Can you add a source for this? Because that seems like a lie based on the current publicly available regulations for military procurement.

ECA (profile) says:

Dont care if local or Foreign..

Love this idea..
Install software and NOT know everything its doing??
Go install ‘Discord’ or Many other chat programs and see what happens..
How many run threw your HD and find every game you own and tell OTHERS what you are playing?? Which channel you are on, and how to directly connect TO YOU..

With current programming, it takes only a few lines hidden in Parts of the program..

How many games, browsers, KNOW your location? Its not hard to send a Note to the creator of YOU and your location.

Having a remote location and getting the info FROM your program isnt hard…BUT them insert/inject a small Bot/virus/tracker?? Anything..

Anonymous Coward says:

Re: Dont care if local or Foreign..

Well, there’s long been a movement saying that everyone should be free to “poke around” in the source code of the software they use. Foreign militaries have decided it’s important, while the public has, by its actions, thoroughly voted against it (excepting a small minority of “extremists”). If we could get people to care enough to push a law forward, we wouldn’t need that law.

Anonymous Coward says:

Hey! We don't like it when they do it...

It is not that I think it is a bad idea that this information would be publicly available, but I can’t help but connect it to backdoors in encryption.
By this law it is expressed that we should be watchful when the source is inspected by foreign countries. At the same time, people pretty high up the food chain is expressing a desire to open for the possibility to look at the data generated, which is far more valuable and far more dangerous than mere source code.
The people who want this access have never provided any good reasons or evidence that this access wouldn’t at the same time be granted to every foreign country that now would feel emboldened with precedent to demand it too.

But we sent a man to the moon, right? So who cares.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...