Under a new defense spending bill, U.S. tech companies could be required to disclose whether they allowed countries such as Russia and China to review the source code of software that is sold to the American military, Reuters reported May 24.
The disclosure requirements are included in the U.S. Senate version of the National Defense Authorization Act that was approved by the chamber's armed services committee. The bill still needs to pass the entire Senate and be reconciled with a House of Representatives version of the bill before President Donald Trump can sign it into law.
The proposed legislation, if enacted, would force tech companies to reveal any source code reviews conducted by countries found to be cybersecurity threats to U.S. government systems. Details of such reviews would be stored in a database that can be accessed by military officials.
If the defense department determines a source code review to be a risk, military officials and the tech company would need to agree on measures to control the threat. This may include limiting the use of the software to non-classified areas of government, according to Reuters.
The new source code disclosure rules came after an earlier Reuters report that software makers such as Hewlett Packard Enterprise Co., McAfee LLC and SAP SE had not informed U.S. agencies that they allowed a Russian defense agency to search for vulnerabilities in the source code of their software.
Sen. Jeanne Shaheen, D-N.H., said the disclosures are meant to harden the defense department's stance against cyberattacks, Reuters reported.
In September 2017, Shaheen introduced an amendment to the annual defense policy spending bill that enables a government-wide ban on Kaspersky Lab ZAO products. The U.S. Senate voted in favor of the ban following concerns that the cybersecurity company may be used by the Russian government, thus posing a national security threat.
