The bill — approved by the Senate in an 87-10 vote and expected to be given the go-ahead by President Trump — is designed to prevent US adversaries from discovering vulnerabilities that could be used to attack government systems. In a statement emailed to Reuters, Democratic senator Jeanne Shaheen, who drafted the rules, said that the first-of-its-kind mandate is “necessary to close a critical security gap in our federal acquisition process.”
The Reuters investigation found that companies such as Hewlett Packard, SAP and McAfee have previously allowed Russian agencies to scour software source code prior to purchase, in most cases without informing US agencies that they were doing so. However, they all claim that the source code reviews were conducted in company-controlled facilities, where there was no chance of the reviewer copying or altering the software.
Nonetheless, some experts say the move could force companies to choose between selling to US and foreign markets. Given that the US government is known to make things hard for a number of software companies, some may end up choosing the latter. As The Software Alliance’s senior director for policy, Tommy Ross, told Reuters, “we are seeing a worrying trend globally where companies are looking at cyber threats and deciding the best way to mitigate risk is to hunker down and close down to the outside world.”