RPT-U.S. Congress passes bill forcing tech companies to disclose foreign software probes

 (Repeats with no changes to text, removes Internet links)
    By Joel Schectman
    WASHINGTON, Aug 1 (Reuters) - The U.S. Congress is sending
President Donald Trump legislation that would force technology
companies to disclose if they allowed countries like China and
Russia to examine the inner workings of software sold to the
U.S. military.  
    The legislation, part of the Pentagon’s spending bill, was
drafted after a Reuters investigation last year found software
makers allowed a Russian defense agency to hunt for
vulnerabilities in software used by some agencies of the U.S.
government, including the Pentagon and intelligence services. 
    The final version of the bill was approved by the Senate in
a 87-10 vote on Wednesday after passing the House last week. The
spending bill is expected to be signed into law by Trump. 
    Security experts said allowing Russian authorities to probe
the internal workings of software, known as source code, could
help Moscow discover vulnerabilities they could exploit to more
easily attack U.S. government systems. 
    The new rules were drafted by Democratic Senator Jeanne
Shaheen of New Hampshire.
    “This disclosure mandate is the first of its kind, and is
necessary to close a critical security gap in our federal
acquisition process,” Shaheen said in an emailed statement.
    “The Department of Defense and other federal agencies must
be aware of foreign source code exposure and other risky
business practices that can make our national security systems
vulnerable to adversaries,” she said. 
    The law would force U.S. and foreign technology companies to
reveal to the Pentagon if they allowed cyber adversaries, like
China or Russia, to probe software sold to the U.S. military. 
    Companies would be required to address any security risks
posed by the foreign source code reviews to the satisfaction of
the Pentagon, or lose the contract. 
    The legislation also creates a database, searchable by other
government agencies, of which software was examined by foreign
states that the Pentagon considers a cyber security risk. 
    It makes the database available to public records requests,
an unusual step for a system likely to include proprietary
company secrets.  
    Tommy Ross, a senior director for policy at the industry
group The Software Alliance, said software companies had
concerns that such legislation could force companies to choose
between selling to the U.S. and foreign markets. 
    "We are seeing a worrying trend globally where companies are
looking at cyber threats and deciding the best way to mitigate
risk is to hunker down and close down to the outside world,"
Ross told Reuters last week.
    A Pentagon spokeswoman declined to comment on the
    In order to sell in the Russian market, technology companies
including Hewlett Packard Enterprise Co        , SAP SE
          and McAfee have allowed a Russian defense agency to
scour software source code for vulnerabilities, the Reuters
investigation found last year. 
    In many cases, Reuters found that the software companies had
not informed U.S. agencies that Russian authorities had been
allowed to conduct the source code reviews. In most cases, the
U.S. military does not require comparable source code reviews
before it buys software, procurement experts have told Reuters.
    The companies had previously said the source code reviews
were conducted by the Russians in company-controlled facilities,
where the reviewer could not copy or alter the software. The
companies said those steps ensured the process did not
jeopardize the safety of their products. 
    McAfee announced last year that it no longer allows
government source code reviews. Hewlett Packard Enterprise has
said none of its current software has gone through the process. 
    SAP did not respond to requests for comment on the
legislation. HPE and McAfee spokespeople declined further

 (Reporting by Joel Schectman; Additional reporting by Jack
Stubbs in Moscow)