Slashdot Mirror


Congress Passes Bill Forcing Tech Companies To Disclose Foreign Software Probes (reuters.com)

An anonymous reader quotes a report from Reuters: The U.S. Congress is sending President Donald Trump legislation that would force technology companies to disclose if they allowed countries like China and Russia to examine the inner workings of software sold to the U.S. military. Companies would be required to address any security risks posed by the foreign source code reviews to the satisfaction of the Pentagon, or lose the contract. The legislation also creates a database, searchable by other government agencies, of which software was examined by foreign states that the Pentagon considers a cyber security risk. It makes the database available to public records requests, an unusual step for a system likely to include proprietary company secrets. The final version of the bill was approved by the Senate in a 87-10 vote on Wednesday after passing the House last week. The spending bill is expected to be signed into law by Trump.

21 of 61 comments

  1. Linux Distros by Muckluck · · Score: 2

    So how might this affect the companies like RedHat, Debian and the other Linux distros that are open source based? Even Mozilla and Android are largely publicly available. It is clear that their source is available for all to peruse. Is this going to add a bunch of paperwork overhead to these companies so they can continue developing and providing software to the US government?

    --
    I like turtles...
    1. Re:Linux Distros by Jaime2 · · Score: 3, Insightful

      Seems unlikely. A foreign government would never need to ask to review public source code, so there would never be an approval for which paperwork would be necessary.

    2. Re:Linux Distros by mark-t · · Score: 1

      Seems obvious that the tech company would only have to disclose what portions of their software are open (or for that matter, not under their direct control in general) and so have the potential to be reviewed by foreign agents without the company's involvement. The military could then make an informed decision to evaluate the severity of any threat to their nation if those specific portions of the software were the subject of a foreign agent probe.

    3. Re:Linux Distros by oh_my_080980980 · · Score: 2

      That's the point Potsy, government contracts. Depending on the details that could preclude government agencies from using Linux and other open source tools.

    4. Re:Linux Distros by AHuxley · · Score: 2

      AC it won't just be the distro. It will be the people who are part of any international project in any way.
      Any computer work by a company with mil/gov contracts will have to report what their staff do.
      Work for a big company and any work on an "open source" project gets banned.

      People are the "security risks" not just the distro.

      --
      Domestic spying is now "Benign Information Gathering"
    5. Re:Linux Distros by Anonymous Coward · · Score: 2, Informative

      So how might this affect the companies like RedHat, Debian and the other Linux distros that are open source based?

      In all the DoD work I've been exposed to, open source was prohibited altogether. So no Redhat at all, but a 20 year old unpatched Solaris 7 OS was okay.

    6. Re:Linux Distros by grep+-v+'.*'+* · · Score: 1

      so there would never be an approval for which paperwork would be necessary.

      Remember: this is the government -- logic doesn't apply here.

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
  2. And now? by bickerdyke · · Score: 1

    So what if there is a law that prohibits government source probes from being disclosed?

    --
    bickerdyke
    1. Re:And now? by DarkOx · · Score: 1

      Simple: then the US-based software company can either not do business there or pay whatever fines etc. might be levied if that is a choice. Or said company can leave the US and be prevented from doing business here... (yeah right, like any sane org would give up this market).

      If places like China want to make rules like that they simply risk cutting themselves off from the technology the rest of the world is using - too friggen bad.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    2. Re:And now? by bickerdyke · · Score: 1

      Ok, so basically you think it's ok to make laws that allow you to do things that you don't allow for others.

      --
      bickerdyke
    3. Re:And now? by DarkOx · · Score: 1

      Yes - that's called being a sovereign nation.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    4. Re:And now? by bickerdyke · · Score: 1

      so just don't throw a fit if other sovereign countries do the same.

      --
      bickerdyke
  3. Let's start cracking the whip by MikeRT · · Score: 4, Interesting

    I am a lot less concerned about the PRC being allowed to view the code for Oracle DB or Windows than I am about allowing Chinese citizens to be employed to work on them. The human intelligence network run by PRC intelligence puts anything the US or Russians have ever had to shame because they can rely on Chinese nationalism in the civilian population to get part-time assets in places we never could. It should be taken as a given that the PRC has agents in Microsoft and Oracle because that's how they roll.

    If any of that sounds outlandish, read this. As just one example, in terms of influencing public policy, the PRC is way worse than anything most liberals believe about Russia.

    1. Re:Let's start cracking the whip by Anonymous Coward · · Score: 1

      ... the PRC is way worse than anything most liberals believe about Russia.

      It took Trump only a few months to turn an entire fucking century of "progressive" love for the Soviet Union/Russia into something Ronald "Evil Empire" Reagan would approve of.

      LOL.

    2. Re:Let's start cracking the whip by Anonymous Coward · · Score: 2

      I am a lot less concerned about the PRC being allowed to view the code for Oracle DB or Windows than I am about allowing Chinese citizens to be employed to work on them

      Why stop here?

      Why not throw all Chinese out of the USA?

      That'll sure cure your anxiety.

      He/she only identified the particular risk, did not hint at your proposed solution. Do you not agree that the fact that many Chinese citizens come to work for these companies, then return to China, is a risk? Or are you just jumping to some kind of divisive rant because that is what you do?

    3. Re:Let's start cracking the whip by drinkypoo · · Score: 2

      in terms of influencing public policy, the PRC is way worse than anything most liberals believe about Russia.

      Worse how? More influential? Because they are both up to the same kinds of tactics.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:Let's start cracking the whip by Highdude702 · · Score: 1

      Probably one of the people that doesn't believe the USA should protect their interests. Also probably not American.

  4. Dumb as a Post by oh_my_080980980 · · Score: 2



    https://www.reuters.com/articl...

    "In order to sell in the Russian market, technology companies including Hewlett Packard Enterprise Co, SAP SE and McAfee have allowed a Russian defense agency to scour software source code for vulnerabilities, the Reuters investigation found last year."

    Senator Jeanne Shaheen is dumb as a post. Foreign governments are purchasing American technology. It would be in their best interests to see if there are backdoors put in there by the NSA or CIA. This has happened before. Senator Biden talked about how the US put backdoors into pipeline controls sold to the Soviet Union. So this type of thing happens.

    1. Re:Dumb as a Post by ediron2 · · Score: 1

      Just because there are benign reasons for inspection doesn't invalidate the reasons she states. In fact, counterintelligence has uncovered plenty of evidence of Chinese penetration teams, secrets 'sent home' by foreign nationals, etc.

      It's a central concept for engineering: if a competitor is making a better product, reverse engineer it, look for papers/reports about it, or (best of all) get the design documents and source code.

  5. Re:How is this going to be enforced? by PPH · · Score: 1

    No. The Defense Department just won't buy your stuff.

    --
    Have gnu, will travel.
  6. Re:Will NOT comply by BlueStrat · · Score: 1

    My company will not comply. It's our private network and we won't be reporting on anything about it unless we want to.

    That's fine, your company is perfectly free to not comply. The DoD doesn't care (nor does anyone else, TBH).

    The DoD just won't buy/use your company's shit. Nobody has a right to a DoD contract.

    Strat

    --
    Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.