Bill Says US Tech Companies Must Let The Feds Know When Foreign Companies Poke Around In Their Source Code
from the I-went-to-the-Trade-War-and-all-I-got-was-this-lousy-reporting-requirement dept
American tech companies don’t want to give up their cut of a $20 billion Russian software/hardware market, so they’ve been allowing purchasers to examine devices and vet source code before shelling out for new products. This isn’t exactly ideal for American companies, but Russia is as concerned as anyone else products might be shipping with adversaries’ backdoors pre-installed. American companies don’t necessarily like having entities linked to Russia’s government vetting source code, but the market is too big to be ignored.
Russia has every right to suspect government backdoors may be unlisted features. Checking products and source code before purchase just makes sense, what with leaked documents showing the NSA intercepts foreign-bound hardware to install backdoors and other leaks exposing a fair bit of the agency’s exploit collection. But now that Russia appears to have engaged in cyberwarfare efforts during the 2016 election, legislators are demanding US companies let the US government know who’s been poking around in their products.
The U.S. Congress is sending President Donald Trump legislation that would force technology companies to disclose if they allowed countries like China and Russia to examine the inner workings of software sold to the U.S. military.
To help ease its passage, the law isn’t being allowed to stand up by itself. It’s attached to a Pentagon spending bill, which has helped it avoid any scrutiny or heated arguments. Not that a bill like this wouldn’t be popular at this time. It doesn’t forbid companies sell to Russia and China. It only asks the government be informed if these purchasers do anything than grab boxed product off the shelves. China and Russia likely aren’t going to be happy with this new development. If these customers in these lucrative markets decide they’re no longer interested in buying American because their vetting will be made public, American companies may only have America to sell to.
What makes it an even harder pill to swallow is the reporting requirements, which could result in tech companies’ secrets being publicly outed.
The legislation also creates a database, searchable by other government agencies, of which software was examined by foreign states that the Pentagon considers a cyber security risk.
It makes the database available to public records requests, an unusual step for a system likely to include proprietary company secrets.
The Business Software Alliance notes that the law is pretty much a ban, even if there’s no ban on sales. The reporting requirements won’t affect sales to American purchasers, just certain foreign countries. The path of least resistance would be pulling out of foreign markets targeted by this bill.
And, of course, there’s a chance retaliatory legislation will be enacted in other countries in response. Some equivalent process may already be in place in countries where governments have more of a hand in every business transaction (not just the import/export business). But where nothing similar is in place, it may well be soon. This could result in US companies informing foreign governments about the US government’s demands for source code and device access. The US government already does this — repeatedly — with court orders obtained from federal courts, including the NSA’s home turf, the FISA court.
This may also force the US government to do a bit more due diligence before buying foreign goods. Incredibly, the US military does not currently engage in pre-vetting when purchasing from from foreign companies, meaning it could be importing artisanal backdoors created by, or for, foreign governments.
What this looks like is a bit more wintry air blowing across international relations, bringing us closer to a full-blown cyber Cold War. Markets are going to become increasingly siloed as world powers demand other governments open up their cloaks and present their daggers for inspection. Meanwhile, the world’s exploit/malware dealers will continue to rake in the cash, cutting both governments and tech companies out of the loop.
Filed Under: backdoors, breaches, china, cybersecurity, russia, security, source code, transparency
Comments on “Bill Says US Tech Companies Must Let The Feds Know When Foreign Companies Poke Around In Their Source Code”
Gotta love the (blatantly sleazy) classics
To help ease its passage, the law isn’t being allowed to stand up by itself. It’s attached to a Pentagon spending bill, which has helped it avoid any scrutiny or heated arguments.
Because if you want to know when even a bill’s supporters don’t think a particular bill would stand up under scrutiny you need look no farther than which ones are attached to unrelated ‘must pass’ bills like budget ones.
Re: Gotta love the (blatantly sleazy) classics
Each bill should stand upon its own merits.
Re: Gotta love the (blatantly sleazy) classics
…there may be another reason why someone might think a bill that targets Russian surveillance might not pass right now.
cyber Cold War
Yeah, I can also imagine the government turning the information on the companies and prosecuting them for "aiding the enemy" if they don’t like what they hear.
I know! As its relative common knowledge, why not just assume they are? No extra expenditures or extra loop holes the congress can use to use to prosecute average people in the name of the law.
What will you do to a company that does not properly comply? Have them finance your next re-election?
How many laws have been broken by large companies in the last 30 years? How many of those company leaders have gone to jail? How many have gotten more than a wrist slap?
Then, lets go to the fact that you feel the law can’t stand on its own so you attach it to a bill that “has to be passed” by default?
Re: prosecute average people
Tsk, Tsk — U make it sound like our beloved U.S. Congress is stocked with unhinged, narrow minded fools
But of course it’s of critical importance that our expert representatives in Congress regulate & supervise all businesses & commerce, especially those businesses engaged in foreign trade. Congress must be obeyed and disobedient Americans punished.
Who are we to criticize and second guess official actions of the United States Congress? Do U not understand how government regulation works? …/S
Maybe not the first priority?
This is probably not even about NSA back doors. It’s probably about that idiotic encryption export restriction. Can’t allow other countries to see/steal our super-super-secret encryption that any foreign national can just buy a book about.
Maybe instead we should be worrying about what is in some of the foreign products that we incautiously use here in the United States.
Cyber Security Risk huh? Does that mean if the government gets their way and mandated backdoors are installed in devices, that all those devices will get put on the list?
Seriously, the goal seems reasonable somehow but couldn’t it be better executed? And hitching a hike in a budget bill. Seriously this should be unconstitutional.
but but T-bonds
Feds:
Don’t let foreign companies mess with your source code. They could undermine our national security!
Common sense guy:
Buy you sell Treasury Bonds to foreign countries; even enemy foreign countries like China. They could cash those in and bankrupt us!
Feds:
Shut up! Do as I say, not as I do.
What's missing?
This sounds to me like a list of titles that have been examined. What company ‘secrets’ would be included? That they have been examined? So what, they got examined.
Now, that examination might give the examiners a leg up on creating something they will inject later, but again, so what?
Re: What's missing?
Sounds like Tim got a little excited in his post and started making some assumptions. But he may have some factual backing he forgot to add.
Re: Re: What's missing?
That was a quote in the story Tim wrote, he did not write the quote. It seems like the quote is attributed to The Business Software Alliance but that isn’t entirely clear. It still appears to be a function of FUD.
Re: Re: Re: What's missing?
My bad on missing who said it.
Re: Re: Re: What's missing?
The idea that it’s a "ban" is definitely FUD. Nothing here is remotely a ban.
Or we could just apply Kerckhoffs's principle
One of the most fundamental rules of security is Kerckhoffs’s principle: "[assume that] the enemy knows the system." It states that a system must be secure even if the entire design (source code, in the case of software) is in the hands of the adversary, and for this to happen, the only part of the system that needs to be kept secret is the cryptographic key.
Kerckhoff’s principle tells us that any system that can’t be considered secure if everything but the key is publicly known cannot be considered secure, period. Therefore, if any vendor claims that letting the public look at their source code could compromise their product’s security, your default assumption should be to consider their product compromised already.
Re: Or we could just apply Kerckhoffs's principle
Yes – but then they would have to do real work ‘n stuff.
Re: Why is this not an established thing?
Years of Techdirt articles about the failure after failure of security-though-obscurity have shown us that Linus’ law works better, especially when white hats are paid a proper bounty rather than demonized.
Ultimately, every secure system is penetration tested, whether the hats are white or not.
Re: Re: Why is this not an established thing?
That’s “given enough eyeballs, all bugs are shallow”. Better, but obviously not good enough. We’ve had bad bugs survive a long time; maybe we’ve never had enough eyeballs, or some areas have escaped their glaze.
Re: Re: Re: "Not good enough"
Well that raises the question, what is good enough? We’ll never get perfect, but we can get to were successful hacks by day-zero exploit are sufficiently rare. And in the meantime, it’s hard to disguise intentional back doors as an unintentionally exploitable bug.
To be fair, we haven’t fairly tried a robust bounty system to encourage white-hats to quash exploits without national agencies subverting the system and offering to pay for exploits to go unreported and added to their spycraft library.
I think open source would be pretty durned effective, especially if industries and government are using the code, they might get invested in keeping an eye on it. That’s the sort of thing the NSA was supposed to do before it went completely espionage.
Re: Re: Re:2 "Not good enough"
One exploited security bug can be devastating, so… zero.
"day-zero" or not makes little difference when, say, the data of 145.5 million people gets leaked.
That’s the idea. But then there was Heartbleed, when we learned OpenSSL had 4 funded developers; it still runs on less than a million dollars a year. It protects protects billions, maybe trillions of dollars in financial transactions, and none of the interested parties noticed for 2 years. Or look at NTP: one guy, meager budget, but used by everyone.
Open-source is absolutely necessary, but not sufficient. We don’t even know what would be sufficient. So-called "software engineering" isn’t; could you imagine if bridges had the reliability of software? I look toward formal verification with cautious optimism, but feel we’re several disasters away from an era where we’ll recoil with horror when someone suggests a development strategy with the typical circa-2018 lack of rigor.
Re: Re: Re:3 "Not good enough"
Even mechanical design suffers from bugs, what are else are vehicle recall than fixing bugs discovered during their everyday use. A few aircraft disasters have been due to bugs in the design, like the Lockheed Electra, which once the bugs was has continued in service, as does its derivative the Orion.
Bridges in comparison to aircraft (and software) are simple systems, for which an thorough mechanical analysis is possible. It should be noted however that some of that analysis comes from failure analysis of the few bridges, like the Tacoma bridge, that failed in service.
A few minutes on a super computer will carry out a detailed stress analysis of a bridges, while no computer exists which can do the same for software.
Software reliability is improving, via the use of various design techniques, unit testing and static analysis tools. It does take time to go back over the huge volume of old code that is still in use. Just to add to the fun of software reliability, there are some old programs, where the source decks were destroyed by mice decades ago, but the software is still in use, and effectively unmaintainable.
Re: Re: Re:3 On"exploited security bug can be devastating, so... zero."
You’re going to have a better chance, I think, of curing the Earth of hurricanes. A non-zero degree of risk, even devastating risk will have to be acceptable, unless you want to forbid the state from using software at all.
I observe even imperfect software provides fewer errors than humans doing the same job. Though better than their human counterparts is a rather low bar.
Re: Re: Re:4 On"exploited security bug can be devastating, so... zero."
I would say, then, that the humans aren’t good enough either. I suppose we have to go with the best option we have at any given time, but I hope we don’t at some point declare it "good enough" and stop trying to improve things.
Re: Re: Re:5 good enough to stop trying to improve
I was thinking of good enough to utilize.
Yeah, we want errors in the system to approach zero over time, even if we can’t reasonably expect it ever to get there. There will always be room for improvement.
And also, yes, it’s sad our government isn’t really trying that hard to make things better.
Re: Re: Re:2 were-hacks
I’m pretty sure I was talking about lycanthropic hacking at the time. I should have been referring to all day-zero-exploit attacks, whether by shapeshifting hackers or not.
Sorry about any confusion.
citation needed
Incredibly, the US military does not currently engage in pre-vetting when purchasing from from foreign companies, meaning it could be importing artisanal backdoors created by, or for, foreign governments.
Can you add a source for this? Because that seems like a lie based on the current publicly available regulations for military procurement.
Dont care if local or Foreign..
Love this idea..
Install software and NOT know everything its doing??
Go install ‘Discord’ or Many other chat programs and see what happens..
How many run threw your HD and find every game you own and tell OTHERS what you are playing?? Which channel you are on, and how to directly connect TO YOU..
With current programming, it takes only a few lines hidden in Parts of the program..
How many games, browsers, KNOW your location? Its not hard to send a Note to the creator of YOU and your location.
Having a remote location and getting the info FROM your program isnt hard…BUT them insert/inject a small Bot/virus/tracker?? Anything..
Re: Dont care if local or Foreign..
Well, there’s long been a movement saying that everyone should be free to “poke around” in the source code of the software they use. Foreign militaries have decided it’s important, while the public has, by its actions, thoroughly voted against it (excepting a small minority of “extremists”). If we could get people to care enough to push a law forward, we wouldn’t need that law.
Or....
Maybe they should all just start using open source code.
I do and its nice to know that I can vet everything I’m using if I want to. Can check for backdoors, security holes, etc. Can customize according to my needs. Plus it’s free, does all I want and more, with no need to kowtow to the BSA, Microsoft, Apple et al.
Hey! We don't like it when they do it...
It is not that I think it is a bad idea that this information would be publicly available, but I can’t help but connect it to backdoors in encryption.
By this law it is expressed that we should be watchful when the source is inspected by foreign countries. At the same time, people pretty high up the food chain is expressing a desire to open for the possibility to look at the data generated, which is far more valuable and far more dangerous than mere source code.
The people who want this access have never provided any good reasons or evidence that this access wouldn’t at the same time be granted to every foreign country that now would feel emboldened with precedent to demand it too.
But we sent a man to the moon, right? So who cares.
Kerckhoff's principl
Just require all software sold with critical hardware-weather to a government or a utility – to be open source!
Re: Kerckhoff's principl
Whether*
Your point is good but confusing with the misspelled word.