Slashdot Mirror


Congress Passes Bill Forcing Tech Companies To Disclose Foreign Software Probes (reuters.com)

An anonymous reader quotes a report from Reuters: The U.S. Congress is sending President Donald Trump legislation that would force technology companies to disclose if they allowed countries like China and Russia to examine the inner workings of software sold to the U.S. military. Companies would be required to address any security risks posed by the foreign source code reviews to the satisfaction of the Pentagon, or lose the contract. The legislation also creates a database, searchable by other government agencies, of which software was examined by foreign states that the Pentagon considers a cyber security risk. It makes the database available to public records requests, an unusual step for a system likely to include proprietary company secrets. The final version of the bill was approved by the Senate in an 87-10 vote on Wednesday after passing the House last week. The spending bill is expected to be signed into law by Trump.

61 comments

  1. Linux Distros by Muckluck · · Score: 2

    So how might this affect the companies like RedHat, Debian and the other Linux distros that are open source based? Even Mozilla and Android are largely publicly available. It is clear that their source is available for all to peruse. Is this going to add a bunch of paperwork overhead to these companies so they can continue developing and providing software to the US government?

    --
    I like turtles...
    1. Re:Linux Distros by Jaime2 · · Score: 3, Insightful

      Seems unlikely. A foreign government would never need to ask to review public source code, so there would never be an approval for which paperwork would be necessary.

    2. Re:Linux Distros by Anonymous Coward · · Score: 0

      Unless they have defense contracts, I don't think they need to be concerned.

    3. Re:Linux Distros by mark-t · · Score: 1

      Seems obvious that the tech company would only have to disclose what portions of their software are open (or for that matter, not under their direct control in general) and so have the potential to be reviewed by foreign agents without the company's involvement. The military could then make an informed decision to evaluate the severity of any threat to their nation if those specific portions of the software were the subject of a foreign agent probe.

    4. Re:Linux Distros by oh_my_080980980 · · Score: 2

      That's the point, Potsy: government contracts. Depending on the details that could preclude government agencies from using Linux and other open source tools.

    5. Re:Linux Distros by AHuxley · · Score: 2

      AC, it won't just be the distro. It will be the people who are part of any international project in any way.
      Any computer work by a company with mil/gov contracts will have to report what their staff do.
      Work for a big company and that work on any "open source" project gets banned.

      People are the "security risks" not just the distro.

      --
      Domestic spying is now "Benign Information Gathering"
    6. Re:Linux Distros by Anonymous Coward · · Score: 0

      The summary talks about software **sold** to the government. If RedHat/Debian/Mozilla sell software to the government it will usually involve a written contract anyway. So they just add one line saying that "due to this software's license foreign powers have probably examined its inner workings".

    7. Re:Linux Distros by Anonymous Coward · · Score: 2, Informative

      So how might this affect the companies like RedHat, Debian and the other Linux distros that are open source based?

      In all the DoD work I've been exposed to, open source was prohibited altogether. So no Redhat at all, but a 20 year old unpatched Solaris 7 OS was okay.

    8. Re:Linux Distros by Anonymous Coward · · Score: 0

      as you said "largely publicly available"

      not everything is.

    9. Re:Linux Distros by Anonymous Coward · · Score: 0

      So very true. Same experience. I was a Unix admin back in the late '90s/early 2000s and worked with Red Hat, Solaris, as well as Check Point firewalls. Zero Check Point firewalls allowed on a government installation because they are an Israeli product. Best firewall for control. Ever. I've used them all, PA, Watchguard, Sonic Wall. Nothing touches Check Point.

    10. Re:Linux Distros by grep+-v+'.*'+* · · Score: 1

      so there would never be an approval for which paperwork would be necessary.

      Remember: this is the government -- logic doesn't apply here.

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
  2. And now? by bickerdyke · · Score: 1

    So what if there is a law that prohibits government source probes from being disclosed?

    --
    bickerdyke
    1. Re:And now? by DarkOx · · Score: 1

      Simple: then the US-based software company can either not do business there or pay whatever fines etc. might be levied, if that is a choice. Or said company can leave the US and be prevented from doing business here... (yeah right, like any sane org would give up this market).

      If places like China want to make rules like that they simply risk cutting themselves off from the technology the rest of the world is using - too friggen bad.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    2. Re:And now? by bickerdyke · · Score: 1

      Ok, so basically you think it's ok to make laws that allow you to do things that you don't allow for others.

      --
      bickerdyke
    3. Re:And now? by Anonymous Coward · · Score: 0

      Won't happen.
      Firstly, US software is rarely owned by the US-listed company, but actually owned in Ireland, the Netherlands or the Cayman Islands etc. Lawyers will tell you they are not US based (else the IRS will nail 'em) and Chinese walls mean the US parent will NOT know what its licencing subsidiary did (hand on heart).

      US companies also help foreign antagonists by hiding CVEs and hiding multiple revisions of the same patch. Sad but true.

      Source code. Is worthless. Simple decompiles reveal failure to code checks, failure to check string lengths, and failure to check compile options - hey, let's include debug+obj+trace+on-error plus variable offsets.

      The best for last: Indians and Chinese are writing chunks of code globally, and checking it in. They actually see the code first as they actually wrote it. It won't matter a tinker's because the firmware and OEM box was made in China. And would a foreign company really trust what the US shows them - haha. Ask Cisco.

    4. Re:And now? by DarkOx · · Score: 1

      Yes - that's called being a sovereign nation.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    5. Re:And now? by bickerdyke · · Score: 1

      so just don't throw a fit if other sovereign countries do the same.

      --
      bickerdyke
    6. Re:And now? by Anonymous Coward · · Score: 0

      Then they would be bound by law to tell the US Gov, "We can't sell this to you."

      Gov: "Why?"

      "We can't tell you."

  3. Let's start cracking the whip by MikeRT · · Score: 4, Interesting

    I am a lot less concerned about the PRC being allowed to view the code for Oracle DB or Windows than I am about allowing Chinese citizens to be employed to work on them. The human intelligence network run by PRC intelligence puts anything the US or Russians have ever had to shame because they can rely on Chinese nationalism in the civilian population to get part-time assets in places we never could. It should be taken as a given that the PRC has agents in Microsoft and Oracle because that's how they roll.

    If any of that sounds outlandish, read this. As just one example, in terms of influencing public policy, the PRC is way worse than anything most liberals believe about Russia.

    1. Re:Let's start cracking the whip by Anonymous Coward · · Score: 1

      ... the PRC is way worse than anything most liberals believe about Russia.

      It took Trump only a few months to turn an entire fucking century of "progressive" love for the Soviet Union/Russia into something Ronald "Evil Empire" Reagan would approve of.

      LOL.

    2. Re:Let's start cracking the whip by Anonymous Coward · · Score: 2

      I am a lot less concerned about the PRC being allowed to view the code for Oracle DB or Windows than I am about allowing Chinese citizens to be employed to work on them

      Why stop here?

      Why not throw all Chinese out of the USA?

      That'll sure cure your anxiety.

      He/she only identified the particular risk, did not hint at your proposed solution. Do you not agree that the fact that many Chinese citizens come to work for these companies, then return to China, is a risk? Or are you just jumping to some kind of divisive rant because that is what you do?

    3. Re:Let's start cracking the whip by Jzanu · · Score: 0

      You are in bad company with those kinds of irrational beliefs. Especially given your obsession with labeling, segregating yourself from others, and casting aspersions about evilness without actually demonstrating any harm done.

    4. Re:Let's start cracking the whip by Anonymous Coward · · Score: 0

      So we should be happy that it's the Russians taking over the government and not the Chinese? It amazes me how easily people will sell out their country so cheaply. With false dichotomy and distraction. Saying the PRC is bad does not make Russia good, and your claim they are far worse seems unlikely given the reality.

      There's a good article on Putin's takeover of Ukraine that's worth reading. You're in it too, well not you personally, but Ukrainian people like you.
      https://www.reuters.com/article/us-wade-manafort-commentary/commentary-manaforts-trial-is-about-putin-not-tax-evasion-idUSKBN1KL2G4

      "Putin's choice to run Ukraine was a burly former coal-miner named Viktor Yanukovych, whom Putin bankrolled against pro-Western rival, Viktor Yushchenko. For the crime of opposing Putin's favored candidate, Yushchenko was not-so-mysteriously poisoned. [dioxin left him nearly dead and badly scarred skin] While Yushchenko bested Yanukovych at the ballot box, Putin sowed division in Ukraine. Putin attacks democracies with a well-honed strategy; methodically, with incredible calculation. Putin orchestrated a Yanukovych comeback as prime minister in 2006 and president in 2010, masterminded by American campaign consultant Manafort. Putin vowed never to lose control of Ukraine again. Manafort airbrushed Yanukovych's record of corruption, mismanagement and alleged ties to Russia's KGB [see Fox and Friends for Trump]. The campaign came from Washington, but the money came from Moscow."

      "For more than a decade before joining Trump’s election effort in 2016, Manafort’s Kremlin ties deepened. There was no daylight between Yanukovych and Putin, and no daylight between Yanukovych and Manafort. Until he was forced to flee to Moscow in 2014 following a popular revolution, Yanukovych kept Ukraine exclusively allied with Russia. He was responsible (purportedly at Manafort’s suggestion) for a 2012 law allowing the adoption of Russian as one of Ukraine’s official languages and for barring Ukraine’s potential entry into NATO. Ultimately, Ukrainians got tired of Moscow’s heavy hand, and the last straw was Yanukovych signing an exclusive trade agreement with Russia and eschewing a broad trade regime with Europe and the United States. For more than a decade of service to a Putin puppet, Manafort reportedly collected $60 million. "

      You understand, don't you, that all the people around Trump are like this. All approved by Moscow: a banker for a Russian half-owned Cyprus bank, an oil man from Russia, lawyers that are Moscow approved, even the latest, a lawyer for Alfa Bank as the FBI head of criminal investigations... despite never being in the FBI, and never having any criminal prosecution experience; his only reason for being there is he's a lawyer employed by a Russian bank under investigation for funding Russian spies. All of Trump's people are Moscow approved.

      Manafort isn't special in this respect, all of them are very very similar.

    5. Re:Let's start cracking the whip by Anonymous Coward · · Score: 0

      they can rely on Chinese nationalism in the civilian population to get part-time assets in places we never could.

      That coin has another, unfortunate side: they'll think that the foreigners are spies by default and that the companies in other countries are controlled by their respective governments. [insert term]ist thinks everybody else is a [insert term]ist as well.

    6. Re:Let's start cracking the whip by Anonymous Coward · · Score: 0

      You are in bad company with those kinds of irrational beliefs. Especially given your obsession with labeling, segregating yourself from others, and casting aspersions about evilness without actually demonstrating any harm done.

      LOLWUT?!?!

      There's even a fucking Wikipedia page on Chinese spy cases in the US.

      And ANOTHER one covering Chinese espionage in the US in general.

      Is your phone ringing? That would be Planet Earth calling.

    7. Re:Let's start cracking the whip by Anonymous Coward · · Score: 0

      ... PRC is way worse than anything most liberals believe about Russia.

      Let me tell you how Russia rolls. They send in an asshole to point finger at someone else which somehow makes whatever they are doing ok.

      Not that I am promoting PRC. Fuck em both.

    8. Re: Let's start cracking the whip by Anonymous Coward · · Score: 0

      You can actually get better security if you have multiple parties that all hate each other looking at the same open source.

    9. Re:Let's start cracking the whip by drinkypoo · · Score: 2

      in terms of influencing public policy, the PRC is way worse than anything most liberals believe about Russia.

      Worse how? More influential? Because they are both up to the same kinds of tactics.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    10. Re:Let's start cracking the whip by Anonymous Coward · · Score: 0

      You're assuming that's not a member of the 10 cent party employed by the Chinese government. We don't know that...

    11. Re:Let's start cracking the whip by Anonymous Coward · · Score: 0

      They can rely on Chinese nationalism? If so, perhaps it's because the US doesn't treat Chinese people, Chinese Americans included, as full citizens. This mistrust shows that.

      The PRC, Russia and the US all try to influence foreign countries' public policy, that's a given. It's just that in the US, the news media almost NEVER focuses on US efforts. So people have a misguided notion that we are some kind of benevolent player out there.

    12. Re:Let's start cracking the whip by Anonymous Coward · · Score: 0

      fuck off ivan

    13. Re:Let's start cracking the whip by JackieBrown · · Score: 0

      You understand that all of what you wrote happened under Obama, not Trump, right?
      https://www.politico.com/story...
      https://wilsonquarterly.com/qu...

    14. Re:Let's start cracking the whip by Anonymous Coward · · Score: 0

      You understand that all of what you wrote happened under Obama, not Trump, right?

      And your point is? If Ukraine wanted to arrest Manafort for collusion with a foreign power (Russia), they had plenty of time. When Manafort did the same in the US, now we have reason to go after him. Seems like you'd want to make sure that the person you're hiring, who has a history of working with Russia to support their own puppet candidate, isn't making you their next puppet. Of course, maybe Trump didn't care.

    15. Re:Let's start cracking the whip by Anonymous Coward · · Score: 0

      Here's what this "liberal" "believes" about Russia.

      Russia has no Second Amendment, Butina was a ruse, Putin doesn't want a 2A. Russia has the most abortions of any country. Russia is run by a former KGB agent as a kleptocracy. The GDP of Russia is less than New York City's. It's got oil and nukes, and beyond that it's a literal shithole.

      None of these things would seem to be in line with what we always thought were "conservative" ideals.

      I know there are alt-right folks in the US that think Russia is like minded, Russia is not, but Russia doesn't mind you thinking so if it helps prove democracy is bad and America sucks.

    16. Re:Let's start cracking the whip by Highdude702 · · Score: 1

      Probably one of the people that doesn't believe the USA should protect their interests. Also probably not American.

    17. Re:Let's start cracking the whip by Anonymous Coward · · Score: 0

      I am a lot less concerned about the PRC being allowed to view the code for Oracle DB or Windows than I am about allowing Chinese citizens to be employed to work on them

      Why stop here?

      Why not throw all Chinese out of the USA?

      That'll sure cure your anxiety.

      He/she only identified the particular risk, did not hint at your proposed solution. Do you not agree that the fact that many Chinese citizens come to work for these companies, then return to China, is a risk? Or are you just jumping to some kind of divisive rant because that is what you do?

      Give an easy path to US citizenship. China doesn't allow dual citizenship. Problem solved.

      Or is this Trump-speak? Mexicans are rapists. Chinese are this and that.

  4. This is so obvious I'm shocked it isn't already by Anonymous Coward · · Score: 0

    ditto dotta title see?

    1. Re:This is so obvious I'm shocked it isn't already by Anonymous Coward · · Score: 0

      No shit. WTF is wrong when a system like one of the biggest military/gov't in the world hasn't been checking for this shit in the last 50 years? They might as well buy/use software from Putin.

  5. Missed chance by Anonymous Coward · · Score: 0

    to title the submission "Congress Passes Bill Forcing Tech Companies to Disclose Foreign Probes".

  6. useless distractions by Anonymous Coward · · Score: 0

    us empire has already failed just like ottoman

    1. Re:useless distractions by Anonymous Coward · · Score: 0

      us empire has already failed just like ottoman

      Says the guy posting in US English to a US website...

    2. Re:useless distractions by Anonymous Coward · · Score: 0

      except it is run by indian editors working for a saudi arabian company

      us claim to internet ownership failed 30 years ago

  7. Russia - Trump by Anonymous Coward · · Score: 0

    Russia -> Trump; only probe which needs disclosing at the moment.

  8. Get good by Anonymous Coward · · Score: 0

    Maybe the US should get good at finding the vulnerabilities that Russia and China might be looking for.
    If we can't assess the quality of the software/hardware that is purchased with taxpayer money, we should learn how to do so or not be in the business of buying it.
    Relying on security through obscurity to make up for our lack of ability to assess quality will only lead to a false sense of security.

  9. Dumb as a Post by oh_my_080980980 · · Score: 2

    https://www.reuters.com/articl...

    "In order to sell in the Russian market, technology companies including Hewlett Packard Enterprise Co, SAP SE and McAfee have allowed a Russian defense agency to scour software source code for vulnerabilities, the Reuters investigation found last year."

    Senator Jeanne Shaheen is dumb as a post. Foreign governments are purchasing American technology. It would be in their best interests to see if there are backdoors put in there by the NSA or CIA. This has happened before. Senator Biden talked about how the US put backdoors into pipeline controls sold to the Soviet Union. So this type of thing happens.

    1. Re:Dumb as a Post by ediron2 · · Score: 1

      Just because there are benign reasons for inspection doesn't invalidate the reasons she states. In fact, counterintelligence has uncovered plenty of evidence of Chinese penetration teams, secrets 'sent home' by foreign nationals, etc.

      It's a central concept for engineering: if a competitor is making a better product, reverse engineer it, look for papers/reports about it, or (best of all) get the design documents and source code.

    2. Re:Dumb as a Post by Anonymous Coward · · Score: 0

      The pipeline control infiltration story could be just that, a story. Instead, the Soviets could have botched up the installation of the pipeline, causing a failure that resulted in an explosion.

    3. Re:Dumb as a Post by Anonymous Coward · · Score: 0

      Yeah but Congress isn't concerned about companies that voluntarily allow the Chinese to plunder their secrets. Reverse engineering or competing with these products isn't even on the table here. This is (allegedly) about foreign teams finding vulnerabilities in the source that they can then exploit, to the detriment of the US government and military.

  10. How is this going to be enforced? by Anonymous Coward · · Score: 0

    Thug boots incoming.

    1. Re:How is this going to be enforced? by PPH · · Score: 1

      No. The Defense Department just won't buy your stuff.

      --
      Have gnu, will travel.
  11. Disclosure from my firm will only happen ... by Anonymous Coward · · Score: 0

    ... when they outlaw FISA courts and gag orders on national security letters and pass laws that outlaw even discussion of bringing anything like them back.

  12. Will NOT comply by Anonymous Coward · · Score: 0

    My company will not comply. It's our private network and we won't be reporting on anything about it unless we want to.

    1. Re:Will NOT comply by BlueStrat · · Score: 1

      My company will not comply. It's our private network and we won't be reporting on anything about it unless we want to.

      That's fine, your company is perfectly free to not comply. The DoD doesn't care (nor does anyone else, TBH).

      The DoD just won't buy/use your company's shit. Nobody has a right to a DoD contract.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
  13. Naive much by Anonymous Coward · · Score: 0

    Nothing irrational about acknowledging on-going spying from a foreign power. Maybe I'm missing some history between you and Mike.

  14. Bullshit link. I will block all ads by Anonymous Coward · · Score: 0

    Don't post links to bullshit websites like that. Ever. I WILL NOT BE A PART OF MALWARE ADS

  15. Foreign. by Anonymous Coward · · Score: 0

    Says it right there doesn't it.

  16. sounds familiar by Anonymous Coward · · Score: 0

    You know, like a certain restriction on exportation of secure encryption. This will definitely get some American companies to think about selling on foreign soil, as they will have to weigh the balance between selling on foreign soil and selling to the US government. In the end I expect most of them to pick the biggest return and for a few of them (Microsoft) to not care. It would be amusing to see the interaction between the government and Microsoft.

    In the end I think things like this have no teeth because companies like Microsoft will always be sourced for government contracts (like the gov will ever switch to Linux) and others just won't care enough about the US government contracts if they are making more money off of foreign contracts.

  17. So Intelligent! So Wise! by Anonymous Coward · · Score: 0

    You are comparing one dictatorship (Russia) to another (China), and in your "opinion" China is worse. Then to compound your head-slapper, you suggest that liberals (I'm guessing you aren't one, and you also aren't likely very qualified to make good assessments of them) like China and don't like Russia.

    Way to go, Einstein. I learned nothing except how stupid and parochial you are.

  18. Pfft by Anonymous Coward · · Score: 0

    Should be: anything revealed to anyone outside the company must be revealed to the public.