The National Defense Authorization Act aims to limit the pool of vulnerabilities that adversaries of the United States can use to perpetrate cyber attacks on U.S. interests.
On Thursday, in a development with significant strategic ramifications across U.S. industries, the Senate Armed Services Committee approved a bill that would force U.S. tech companies to disclose whether they have allowed other countries, including China and Russia, to examine the source code of software they sell to the U.S. military.
The bill follows a year-long Reuters investigation which found that software makers had allowed a Russian defense agency to hunt for vulnerabilities in software products, many of which are deeply embedded in some of the most sensitive parts of the U.S. government, including intelligence agencies, the Pentagon and the FBI.
According to security experts, giving Russian authorities access to the source code could hand them a trove of vulnerabilities that would enable them to compromise critical systems protecting the U.S.
According to Senator Jeanne Shaheen, the new source code disclosure rules have been included in the Senate version of the National Defense Authorization Act as well as in the Pentagon’s spending bill.
Details of the bill, which passed the committee 25-2, have not yet been made public.
The proposed legislation will need to pass a full Senate vote and will have to be reconciled with a House version before it can be signed into law.
If it becomes law, it would require companies that do business with the U.S. military to disclose any source code reviews conducted by a third party. If the Pentagon deems a review to be a risk, the software company and military officials would have to agree on how to contain the resulting threats.
Details of foreign source code reviews, along with the steps the software company takes to mitigate the risks from such a review, would be stored in a database accessible to military officials.
For most products, the notification requirement would apply mainly to reviews by countries deemed cybersecurity threats, including China and Russia.
Tech companies that have allowed their source code to be reviewed by Russian agencies include Hewlett Packard Enterprise Co, McAfee and SAP.