Bill Says US Tech Companies Must Let The Feds Know When Foreign Companies Poke Around In Their Source Code
from the I-went-to-the-Trade-War-and-all-I-got-was-this-lousy-reporting-requirement dept
American tech companies don't want to give up their cut of a $20 billion Russian software/hardware market, so they've been allowing purchasers to examine devices and vet source code before shelling out for new products. This isn't exactly ideal for American companies, but Russia is as concerned as anyone else that products might be shipping with adversaries' backdoors pre-installed. American companies don't necessarily like having entities linked to Russia's government vetting source code, but the market is too big to be ignored.
Russia has every right to suspect government backdoors may be unlisted features. Checking products and source code before purchase just makes sense, what with leaked documents showing the NSA intercepts foreign-bound hardware to install backdoors and other leaks exposing a fair bit of the agency's exploit collection. But now that Russia appears to have engaged in cyberwarfare efforts during the 2016 election, legislators are demanding US companies let the US government know who's been poking around in their products.
The U.S. Congress is sending President Donald Trump legislation that would force technology companies to disclose if they allowed countries like China and Russia to examine the inner workings of software sold to the U.S. military.
To help ease its passage, the law isn't being allowed to stand up by itself. It's attached to a Pentagon spending bill, which has helped it avoid any scrutiny or heated arguments. Not that a bill like this wouldn't be popular at this time. It doesn't forbid companies from selling to Russia and China. It only asks that the government be informed if these purchasers do anything other than grab boxed product off the shelves. China and Russia likely aren't going to be happy with this new development. If these customers in these lucrative markets decide they're no longer interested in buying American because their vetting will be made public, American companies may only have America to sell to.
What makes it an even harder pill to swallow are the reporting requirements, which could result in tech companies' secrets being publicly outed.
The legislation also creates a database, searchable by other government agencies, of which software was examined by foreign states that the Pentagon considers a cyber security risk.
It makes the database available to public records requests, an unusual step for a system likely to include proprietary company secrets.
The Business Software Alliance notes that the law is pretty much a ban, even if there's no ban on sales. The reporting requirements won't affect sales to American purchasers, just certain foreign countries. The path of least resistance would be pulling out of foreign markets targeted by this bill.
And, of course, there's a chance retaliatory legislation will be enacted in other countries in response. Some equivalent process may already be in place in countries where governments have more of a hand in every business transaction (not just the import/export business). But where nothing similar is in place, it may well be soon. This could result in US companies informing foreign governments about the US government's demands for source code and device access. The US government already does this -- repeatedly -- with court orders obtained from federal courts, including the NSA's home turf, the FISA court.
This may also force the US government to do a bit more due diligence before buying foreign goods. Incredibly, the US military does not currently engage in pre-vetting when purchasing from foreign companies, meaning it could be importing artisanal backdoors created by, or for, foreign governments.
What this looks like is a bit more wintry air blowing across international relations, bringing us closer to a full-blown cyber Cold War. Markets are going to become increasingly siloed as world powers demand other governments open up their cloaks and present their daggers for inspection. Meanwhile, the world's exploit/malware dealers will continue to rake in the cash, cutting both governments and tech companies out of the loop.
Filed Under: backdoors, breaches, china, cybersecurity, russia, security, source code, transparency
Reader Comments
Gotta love the (blatantly sleazy) classics
To help ease its passage, the law isn't being allowed to stand up by itself. It's attached to a Pentagon spending bill, which has helped it avoid any scrutiny or heated arguments.
Because if you want to know when even a bill's supporters don't think a particular bill would stand up under scrutiny you need look no farther than which ones are attached to unrelated 'must pass' bills like budget ones.
cyber Cold War
Yeah, I can also imagine the government turning the information on the companies and prosecuting them for "aiding the enemy" if they don't like what they hear.
What will you do to a company that does not properly comply? Have them finance your next re-election?
How many laws have been broken by large companies in the last 30 years? How many of those company leaders have gone to jail? How many have gotten more than a wrist slap?
Then, let's go to the fact that you feel the law can't stand on its own so you attach it to a bill that "has to be passed" by default?
Re: prosecute average people
But of course it's of critical importance that our expert representatives in Congress regulate & supervise all businesses & commerce, especially those businesses engaged in foreign trade. Congress must be obeyed and disobedient Americans punished.
Who are we to criticize and second guess official actions of the United States Congress? Do U not understand how government regulation works? .../S
Maybe not the first priority?
Maybe instead we should be worrying about what is in some of the foreign products that we incautiously use here in the United States.
Cyber Security Risk huh? Does that mean if the government gets their way and mandated backdoors are installed in devices, that all those devices will get put on the list?
but but T-bonds
Don't let foreign companies mess with your source code. They could undermine our national security!
Common sense guy:
But you sell Treasury Bonds to foreign countries; even enemy foreign countries like China. They could cash those in and bankrupt us!
Feds:
Shut up! Do as I say, not as I do.
What's missing?
This sounds to me like a list of titles that have been examined. What company 'secrets' would be included? That they have been examined? So what, they got examined.
Now, that examination might give the examiners a leg up on creating something they will inject later, but again, so what?
Re: Re: Re: What's missing?
The idea that it's a "ban" is definitely FUD. Nothing here is remotely a ban.
Or we could just apply Kerckhoffs's principle
One of the most fundamental rules of security is Kerckhoffs's principle: "[assume that] the enemy knows the system." It states that a system must be secure even if the entire design (source code, in the case of software) is in the hands of the adversary, and for this to happen, the only part of the system that needs to be kept secret is the cryptographic key.
Kerckhoff's principle tells us that any system that can't be considered secure if everything but the key is publicly known cannot be considered secure, period. Therefore, if any vendor claims that letting the public look at their source code could compromise their product's security, your default assumption should be to consider their product compromised already.
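As an added illustration of the principle the comment above states (example code written for this page, not from Techdirt or any commenter; the token scheme, the salt constant, the key values and the user ids are all constructed), the block below puts a check whose only secret is the algorithm next to a check whose only secret is a key, and then asks the question the article raises: what can a party who has been shown the source code do with it?

```python
# Added example, not from the Techdirt post or any commenter. Contrasts a
# check whose only secret is the algorithm (obscurity) with one whose only
# secret is a key (Kerckhoffs). Token format, salt, keys and user ids are
# constructed for illustration.
import hashlib
import hmac

# --- Scheme A: "security through obscurity". The secret is the code. ---
# Hypothetical vendor scheme: a token is the SHA-256 of a salt compiled into
# the product plus the user id. Whoever reads the source learns the salt.
_BAKED_IN_SALT = b"vendor-magic-2018"  # constructed constant


def obscurity_token(user_id: str) -> str:
    """Mint a token the way the shipped product does."""
    return hashlib.sha256(_BAKED_IN_SALT + user_id.encode()).hexdigest()


def obscurity_verify(user_id: str, token: str) -> bool:
    return hmac.compare_digest(obscurity_token(user_id), token)


# --- Scheme B: Kerckhoffs-compliant. Algorithm public, key private. ---
def keyed_token(key: bytes, user_id: str) -> str:
    """HMAC-SHA256 over the user id under a key that never appears in source."""
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()


def keyed_verify(key: bytes, user_id: str, token: str) -> bool:
    return hmac.compare_digest(keyed_token(key, user_id), token)


# --- The scenario in the article: a third party has read the source. ---
def source_reader_passes_obscurity_check(user_id: str) -> bool:
    """With the source in hand, the reader runs the same function the product
    runs, and the product accepts the result: the scheme is already broken."""
    minted_from_source = obscurity_token(user_id)
    return obscurity_verify(user_id, minted_from_source)


def source_reader_passes_keyed_check(user_id: str, deployed_key: bytes) -> bool:
    """The reader knows every line of the algorithm but not the key loaded at
    deployment, so all they can run it under is a key of their own choosing."""
    key_from_source_only = b"reader-has-no-deployed-key"  # constructed stand-in
    attempt = keyed_token(key_from_source_only, user_id)
    return keyed_verify(deployed_key, user_id, attempt)


if __name__ == "__main__":
    # Placeholder key; in a real deployment it would come from a secret store.
    deployed = b"deployed-secret-from-vault-12345"
    print("obscurity scheme survives source review:",
          not source_reader_passes_obscurity_check("alice"))
    print("keyed scheme survives source review:",
          not source_reader_passes_keyed_check("alice", deployed))
```

The design point is in the last two functions: under scheme A, showing a reviewer the source is equivalent to handing over every credential the product will ever accept, while under scheme B the reviewer can read the whole algorithm and still cannot produce a token the deployed key verifies. That is the test the comment proposes for vendor claims that source review would weaken their product.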
Why is this not an established thing?
Years of Techdirt articles about the failure after failure of security-through-obscurity have shown us that Linus' law works better, especially when white hats are paid a proper bounty rather than demonized.
Ultimately, every secure system is penetration tested, whether the hats are white or not.
"Not good enough"
Well that raises the question, what is good enough? We'll never get perfect, but we can get to where successful hacks by day-zero exploit are sufficiently rare. And in the meantime, it's hard to disguise intentional back doors as an unintentionally exploitable bug.
To be fair, we haven't fairly tried a robust bounty system to encourage white-hats to quash exploits without national agencies subverting the system and offering to pay for exploits to go unreported and added to their spycraft library.
I think open source would be pretty durned effective, especially if industries and government are using the code, they might get invested in keeping an eye on it. That's the sort of thing the NSA was supposed to do before it went completely espionage.
Re: "Not good enough"
One exploited security bug can be devastating, so... zero.
"day-zero" or not makes little difference when, say, the data of 145.5 million people gets leaked.
That's the idea. But then there was Heartbleed, when we learned OpenSSL had 4 funded developers; it still runs on less than a million dollars a year. It protects billions, maybe trillions of dollars in financial transactions, and none of the interested parties noticed for 2 years. Or look at NTP: one guy, meager budget, but used by everyone.
Open-source is absolutely necessary, but not sufficient. We don't even know what would be sufficient. So-called "software engineering" isn't; could you imagine if bridges had the reliability of software? I look toward formal verification with cautious optimism, but feel we're several disasters away from an era where we'll recoil with horror when someone suggests a development strategy with the typical circa-2018 lack of rigor.
Re: Re: "Not good enough"
Bridges in comparison to aircraft (and software) are simple systems, for which a thorough mechanical analysis is possible. It should be noted however that some of that analysis comes from failure analysis of the few bridges, like the Tacoma bridge, that failed in service.
A few minutes on a super computer will carry out a detailed stress analysis of a bridge, while no computer exists which can do the same for software.
Software reliability is improving, via the use of various design techniques, unit testing and static analysis tools. It does take time to go back over the huge volume of old code that is still in use. Just to add to the fun of software reliability, there are some old programs, where the source decks were destroyed by mice decades ago, but the software is still in use, and effectively unmaintainable.
On "exploited security bug can be devastating, so... zero."
You're going to have a better chance, I think, of curing the Earth of hurricanes. A non-zero degree of risk, even devastating risk will have to be acceptable, unless you want to forbid the state from using software at all.
I observe even imperfect software provides fewer errors than humans doing the same job. Though better than their human counterparts is a rather low bar.
Re: On "exploited security bug can be devastating, so... zero."
I would say, then, that the humans aren't good enough either. I suppose we have to go with the best option we have at any given time, but I hope we don't at some point declare it "good enough" and stop trying to improve things.
good enough to stop trying to improve
I was thinking of good enough to utilize.
Yeah, we want errors in the system to approach zero over time, even if we can't reasonably expect it ever to get there. There will always be room for improvement.
And also, yes, it's sad our government isn't really trying that hard to make things better.
were-hacks
I'm pretty sure I was talking about lycanthropic hacking at the time. I should have been referring to all day-zero-exploit attacks, whether by shapeshifting hackers or not.
Sorry about any confusion.
citation needed
Incredibly, the US military does not currently engage in pre-vetting when purchasing from foreign companies, meaning it could be importing artisanal backdoors created by, or for, foreign governments.
Can you add a source for this? Because that seems like a lie based on the current publicly available regulations for military procurement.
Don't care if local or Foreign..
Install software and NOT know everything it's doing??
Go install 'Discord' or Many other chat programs and see what happens..
How many run through your HD and find every game you own and tell OTHERS what you are playing?? Which channel you are on, and how to directly connect TO YOU..
With current programming, it takes only a few lines hidden in Parts of the program..
How many games, browsers, KNOW your location? It's not hard to send a Note to the creator of YOU and your location.
Having a remote location and getting the info FROM your program isn't hard...BUT then insert/inject a small Bot/virus/tracker?? Anything..
Or....
I do and it's nice to know that I can vet everything I'm using if I want to. Can check for backdoors, security holes, etc. Can customize according to my needs. Plus it's free, does all I want and more, with no need to kowtow to the BSA, Microsoft, Apple et al.
Hey! We don't like it when they do it...
By this law it is expressed that we should be watchful when the source is inspected by foreign countries. At the same time, people pretty high up the food chain are expressing a desire to open for the possibility to look at the data generated, which is far more valuable and far more dangerous than mere source code.
The people who want this access have never provided any good reasons or evidence that this access wouldn't at the same time be granted to every foreign country that now would feel emboldened with precedent to demand it too.
But we sent a man to the moon, right? So who cares.
Kerckhoff's principl
Re: Kerckhoff's principl
Your point is good but confusing with the misspelled word.