Bill Says US Tech Companies Must Let The Feds Know When Foreign Companies Poke Around In Their Source Code

from the I-went-to-the-Trade-War-and-all-I-got-was-this-lousy-reporting-requirement dept

American tech companies don't want to give up their cut of a $20 billion Russian software/hardware market, so they've been allowing purchasers to examine devices and vet source code before shelling out for new products. This isn't exactly ideal for American companies, but Russia is as concerned as anyone else that products might be shipping with adversaries' backdoors pre-installed. American companies don't necessarily like having entities linked to Russia's government vetting source code, but the market is too big to be ignored.

Russia has every right to suspect government backdoors may be unlisted features. Checking products and source code before purchase just makes sense, what with leaked documents showing the NSA intercepts foreign-bound hardware to install backdoors and other leaks exposing a fair bit of the agency's exploit collection. But now that Russia appears to have engaged in cyberwarfare efforts during the 2016 election, legislators are demanding US companies let the US government know who's been poking around in their products.

The U.S. Congress is sending President Donald Trump legislation that would force technology companies to disclose if they allowed countries like China and Russia to examine the inner workings of software sold to the U.S. military.

To help ease its passage, the law isn't being allowed to stand up by itself. It's attached to a Pentagon spending bill, which has helped it avoid any scrutiny or heated arguments. Not that a bill like this wouldn't be popular at this time. It doesn't forbid companies from selling to Russia and China. It only asks that the government be informed if these purchasers do anything other than grab boxed product off the shelves. China and Russia likely aren't going to be happy with this new development. If these customers in these lucrative markets decide they're no longer interested in buying American because their vetting will be made public, American companies may only have America to sell to.

What makes it an even harder pill to swallow is the reporting requirements, which could result in tech companies' secrets being publicly outed.

The legislation also creates a database, searchable by other government agencies, of which software was examined by foreign states that the Pentagon considers a cyber security risk.

It makes the database available to public records requests, an unusual step for a system likely to include proprietary company secrets.

The Business Software Alliance notes that the law is pretty much a ban, even if there's no ban on sales. The reporting requirements won't affect sales to American purchasers, just certain foreign countries. The path of least resistance would be pulling out of foreign markets targeted by this bill.

And, of course, there's a chance retaliatory legislation will be enacted in other countries in response. Some equivalent process may already be in place in countries where governments have more of a hand in every business transaction (not just the import/export business). But where nothing similar is in place, it may well be soon. This could result in US companies informing foreign governments about the US government's demands for source code and device access. The US government already does this -- repeatedly -- with court orders obtained from federal courts, including the NSA's home turf, the FISA court.

This may also force the US government to do a bit more due diligence before buying foreign goods. Incredibly, the US military does not currently engage in pre-vetting when purchasing from foreign companies, meaning it could be importing artisanal backdoors created by, or for, foreign governments.

What this looks like is a bit more wintry air blowing across international relations, bringing us closer to a full-blown cyber Cold War. Markets are going to become increasingly siloed as world powers demand other governments open up their cloaks and present their daggers for inspection. Meanwhile, the world's exploit/malware dealers will continue to rake in the cash, cutting both governments and tech companies out of the loop.


Filed Under: backdoors, breaches, china, cybersecurity, russia, security, source code, transparency


Reader Comments



  1. That One Guy (profile), 7 Aug 2018 @ 1:15am

    Gotta love the (blatantly sleazy) classics

    To help ease its passage, the law isn't being allowed to stand up by itself. It's attached to a Pentagon spending bill, which has helped it avoid any scrutiny or heated arguments.

    Because if you want to know when even a bill's supporters don't think a particular bill would stand up under scrutiny you need look no farther than which ones are attached to unrelated 'must pass' bills like budget ones.

  2. Anonymous Coward, 7 Aug 2018 @ 4:22am

    cyber Cold War

    Yeah, I can also imagine the government turning the information on the companies and prosecuting them for "aiding the enemy" if they don't like what they hear.

  3. Berenerd (profile), 7 Aug 2018 @ 4:23am

    I know! As it's relatively common knowledge, why not just assume they are? No extra expenditures or extra loopholes the Congress can use to prosecute average people in the name of the law.
    What will you do to a company that does not properly comply? Have them finance your next re-election?
    How many laws have been broken by large companies in the last 30 years? How many of those company leaders have gone to jail? How many have gotten more than a wrist slap?
    Then, let's go to the fact that you feel the law can't stand on its own so you attach it to a bill that "has to be passed" by default?

  4. Coyne Tibbets (profile), 7 Aug 2018 @ 4:43am

    Maybe not the first priority?

    This is probably not even about NSA back doors. It's probably about that idiotic encryption export restriction. Can't allow other countries to see/steal our super-super-secret encryption that any foreign national can just buy a book about.

    Maybe instead we should be worrying about what is in some of the foreign products that we incautiously use here in the United States.

  5. Anonymous Coward, 7 Aug 2018 @ 5:51am

    Re: prosecute average people

    Tsk, Tsk -- U make it sound like our beloved U.S. Congress is stocked with unhinged, narrow minded fools

    But of course it's of critical importance that our expert representatives in Congress regulate & supervise all businesses & commerce, especially those businesses engaged in foreign trade. Congress must be obeyed and disobedient Americans punished.

    Who are we to criticize and second guess official actions of the United States Congress? Do U not understand how government regulation works? .../S

  6. Nathan F (profile), 7 Aug 2018 @ 6:04am

    The legislation also creates a database, searchable by other government agencies, of which software was examined by foreign states that the Pentagon considers a cyber security risk.

    Cyber Security Risk huh? Does that mean if the government gets their way and mandated backdoors are installed in devices, that all those devices will get put on the list?

  7. Ninja (profile), 7 Aug 2018 @ 7:16am

    Seriously, the goal seems reasonable somehow but couldn't it be better executed? And hitching a hike in a budget bill. Seriously this should be unconstitutional.

  8. Anonymous Coward, 7 Aug 2018 @ 7:41am

    but but T-bonds

    Feds:
    Don't let foreign companies mess with your source code. They could undermine our national security!

    Common sense guy:
    But you sell Treasury Bonds to foreign countries; even enemy foreign countries like China. They could cash those in and bankrupt us!

    Feds:
    Shut up! Do as I say, not as I do.

  9. Anonymous Coward, 7 Aug 2018 @ 7:54am

    Re: Gotta love the (blatantly sleazy) classics

    Each bill should stand upon its own merits.

  10. Anonymous Anonymous Coward (profile), 7 Aug 2018 @ 7:54am

    What's missing?

    The legislation also creates a database, searchable by other government agencies, of which software was examined by foreign states that the Pentagon considers a cyber security risk.

    It makes the database available to public records requests, an unusual step for a system likely to include proprietary company secrets.

    This sounds to me like a list of titles that have been examined. What company 'secrets' would be included? That they have been examined? So what, they got examined.

    Now, that examination might give the examiners a leg up on creating something they will inject later, but again, so what?

  11. Mason Wheeler (profile), 7 Aug 2018 @ 10:07am

    Or we could just apply Kerckhoffs's principle

    One of the most fundamental rules of security is Kerckhoffs's principle: "[assume that] the enemy knows the system." It states that a system must be secure even if the entire design (source code, in the case of software) is in the hands of the adversary, and for this to happen, the only part of the system that needs to be kept secret is the cryptographic key.

    Kerckhoffs's principle tells us that any system that can't be considered secure if everything but the key is publicly known cannot be considered secure, period. Therefore, if any vendor claims that letting the public look at their source code could compromise their product's security, your default assumption should be to consider their product compromised already.

  12. Thad (profile), 7 Aug 2018 @ 10:33am

    Re: Gotta love the (blatantly sleazy) classics

    ...there may be another reason why someone might think a bill that targets Russian surveillance might not pass right now.

  13. Anonymous Coward, 7 Aug 2018 @ 10:44am

    Re: Or we could just apply Kerckhoffs's principle

    Yes - but then they would have to do real work 'n stuff.

  14. bob, 7 Aug 2018 @ 10:53am

    citation needed

    Incredibly, the US military does not currently engage in pre-vetting when purchasing from from foreign companies, meaning it could be importing artisanal backdoors created by, or for, foreign governments.

    Can you add a source for this? Because that seems like a lie based on the current publicly available regulations for military procurement.

  15. bob, 7 Aug 2018 @ 10:56am

    Re: What's missing?

    Sounds like Tim got a little excited in his post and started making some assumptions. But he may have some factual backing he forgot to add.

  16. Uriel-238 (profile), 7 Aug 2018 @ 10:58am

    Why is this not an established thing?

    Years of Techdirt articles about the failure after failure of security-through-obscurity have shown us that Linus' law works better, especially when white hats are paid a proper bounty rather than demonized.

    Ultimately, every secure system is penetration tested, whether the hats are white or not.

  17. Anonymous Anonymous Coward (profile), 7 Aug 2018 @ 11:10am

    Re: Re: What's missing?

    That was a quote in the story Tim wrote, he did not write the quote. It seems like the quote is attributed to The Business Software Alliance but that isn't entirely clear. It still appears to be a function of FUD.

  18. bob, 7 Aug 2018 @ 12:31pm

    Re: Re: Re: What's missing?

    My bad on missing who said it.

  19. ECA (profile), 7 Aug 2018 @ 12:51pm

    Don't care if local or Foreign..

    Love this idea..
    Install software and NOT know everything it's doing??
    Go install 'Discord' or Many other chat programs and see what happens..
    How many run through your HD and find every game you own and tell OTHERS what you are playing?? Which channel you are on, and how to directly connect TO YOU..

    With current programming, it takes only a few lines hidden in Parts of the program..

    How many games, browsers, KNOW your location? It's not hard to send a Note to the creator of YOU and your location.

    Having a remote location and getting the info FROM your program isn't hard...BUT then insert/inject a small Bot/virus/tracker?? Anything..

  20. Anonymous Coward, 7 Aug 2018 @ 1:22pm

    Re: Re: Re: What's missing?

    It still appears to be a function of FUD.

    The idea that it's a "ban" is definitely FUD. Nothing here is remotely a ban.

  21. Anonymous Coward, 7 Aug 2018 @ 1:25pm

    Re: Why is this not an established thing?

    That's "given enough eyeballs, all bugs are shallow". Better, but obviously not good enough. We've had bad bugs survive a long time; maybe we've never had enough eyeballs, or some areas have escaped their glaze.

  22. Anonymous Coward, 7 Aug 2018 @ 1:30pm

    Re: Don't care if local or Foreign..

    Well, there's long been a movement saying that everyone should be free to "poke around" in the source code of the software they use. Foreign militaries have decided it's important, while the public has, by its actions, thoroughly voted against it (excepting a small minority of "extremists"). If we could get people to care enough to push a law forward, we wouldn't need that law.

  23. Uriel-238 (profile), 7 Aug 2018 @ 2:31pm

    "Not good enough"

    Well that raises the question, what is good enough? We'll never get perfect, but we can get to were successful hacks by day-zero exploit are sufficiently rare. And in the meantime, it's hard to disguise intentional back doors as an unintentionally exploitable bug.

    To be fair, we haven't fairly tried a robust bounty system to encourage white-hats to quash exploits without national agencies subverting the system and offering to pay for exploits to go unreported and added to their spycraft library.

    I think open source would be pretty durned effective, especially if industries and government are using the code, they might get invested in keeping an eye on it. That's the sort of thing the NSA was supposed to do before it went completely espionage.

  24. Kevin Hayden, 7 Aug 2018 @ 2:44pm

    Or....

    Maybe they should all just start using open source code.
    I do and it's nice to know that I can vet everything I'm using if I want to. Can check for backdoors, security holes, etc. Can customize according to my needs. Plus it's free, does all I want and more, with no need to kowtow to the BSA, Microsoft, Apple et al.

  25. Anonymous Coward, 7 Aug 2018 @ 3:10pm

    Hey! We don't like it when they do it...

    It is not that I think it is a bad idea that this information would be publicly available, but I can't help but connect it to backdoors in encryption.
    By this law it is expressed that we should be watchful when the source is inspected by foreign countries. At the same time, people pretty high up the food chain are expressing a desire to open up the possibility to look at the data generated, which is far more valuable and far more dangerous than mere source code.
    The people who want this access have never provided any good reasons or evidence that this access wouldn't at the same time be granted to every foreign country that now would feel emboldened with precedent to demand it too.

    But we sent a man to the moon, right? So who cares.

  26. Anonymous Coward, 7 Aug 2018 @ 6:02pm

    Re: "Not good enough"

    Well that raises the question, what is good enough?

    One exploited security bug can be devastating, so... zero.

    we can get to were successful hacks by day-zero exploit are sufficiently rare.

    "day-zero" or not makes little difference when, say, the data of 145.5 million people gets leaked.

    if industries and government are using the code, they might get invested in keeping an eye on it.

    That's the idea. But then there was Heartbleed, when we learned OpenSSL had 4 funded developers; it still runs on less than a million dollars a year. It protects billions, maybe trillions of dollars in financial transactions, and none of the interested parties noticed for 2 years. Or look at NTP: one guy, meager budget, but used by everyone.

    Open-source is absolutely necessary, but not sufficient. We don't even know what would be sufficient. So-called "software engineering" isn't; could you imagine if bridges had the reliability of software? I look toward formal verification with cautious optimism, but feel we're several disasters away from an era where we'll recoil with horror when someone suggests a development strategy with the typical circa-2018 lack of rigor.

  27. Anonymous Coward, 8 Aug 2018 @ 3:10am

    Re: Re: "Not good enough"

    Even mechanical design suffers from bugs; what else are vehicle recalls than fixing bugs discovered during their everyday use? A few aircraft disasters have been due to bugs in the design, like the Lockheed Electra, which once the bugs were fixed has continued in service, as does its derivative the Orion.

    Bridges in comparison to aircraft (and software) are simple systems, for which a thorough mechanical analysis is possible. It should be noted however that some of that analysis comes from failure analysis of the few bridges, like the Tacoma bridge, that failed in service.

    A few minutes on a super computer will carry out a detailed stress analysis of a bridge, while no computer exists which can do the same for software.

    Software reliability is improving, via the use of various design techniques, unit testing and static analysis tools. It does take time to go back over the huge volume of old code that is still in use. Just to add to the fun of software reliability, there are some old programs, where the source decks were destroyed by mice decades ago, but the software is still in use, and effectively unmaintainable.

  28. Uriel-238 (profile), 8 Aug 2018 @ 5:36am

    On "exploited security bug can be devastating, so... zero."

    You're going to have a better chance, I think, of curing the Earth of hurricanes. A non-zero degree of risk, even devastating risk will have to be acceptable, unless you want to forbid the state from using software at all.

    I observe even imperfect software provides fewer errors than humans doing the same job. Though better than their human counterparts is a rather low bar.

  29. GERALD L ROBINSON, 8 Aug 2018 @ 6:50am

    Kerckhoffs's principle

    Just require all software sold with critical hardware-weather to a government or a utility - to be open source!

  30. bob, 8 Aug 2018 @ 12:52pm

    Re: Kerckhoffs's principle

    Whether*

    Your point is good but confusing with the misspelled word.

  31. Uriel-238 (profile), 8 Aug 2018 @ 1:32pm

    were-hacks

    I'm pretty sure I was talking about lycanthropic hacking at the time. I should have been referring to all day-zero-exploit attacks, whether by shapeshifting hackers or not.

    Sorry about any confusion.

  32. Anonymous Coward, 8 Aug 2018 @ 3:28pm

    Re: On "exploited security bug can be devastating, so... zero."

    I observe even imperfect software provides fewer errors than humans doing the same job.

    I would say, then, that the humans aren't good enough either. I suppose we have to go with the best option we have at any given time, but I hope we don't at some point declare it "good enough" and stop trying to improve things.

  33. Uriel-238 (profile), 8 Aug 2018 @ 8:19pm

    good enough to stop trying to improve

    I was thinking of good enough to utilize.

    Yeah, we want errors in the system to approach zero over time, even if we can't reasonably expect it ever to get there. There will always be room for improvement.

    And also, yes, it's sad our government isn't really trying that hard to make things better.
