Reuters has an exclusive today that was of interest to anyone with software “sold to the US military”. The story slants its examples to Russian review of some tools used by the US military, but the whole issue of China’s review of source code is far more important. This is a complicated issue and not as easy to interpret as one might hope. That usually spells disaster for most pieces of legislation that are put forward.
The real issue is that some countries, China and Russia among them, review source code for “national security reasons”, an entirely bogus claim. Countries review software all the time, but usually without the source code. Russia and China want the source code and have demanded it from just about everyone doing business in their countries. Some businesses have maintained that they can control how that software is reviewed and deny access to the actual code itself during a review. I doubt that. Some give versions of software that are exclusive to the country involved, like Microsoft giving China its own version of Windows 10. Of course, we have no way of knowing whether China uses that version in any of its exported products. Source code gives them the ability to insert code that performs exploitation, monitoring, or censorship against anyone who buys that computer. And who makes most of the computers in the world? China.
So, the first issue to settle is what “sold to the US military” means. The US military buys Microsoft Office on a grand scale, and Microsoft once offered it its own version, similar to the version it allowed China to have of Windows 10. The military turned down that offer because it would have had to maintain that version itself. All kinds of software are sold to the US military for every purpose imaginable. What we really need to know is whether proprietary source code of any kind is supplied to any foreign government for review. That is an export of US technology that should be prohibited.
Second, the prohibition on use is not all-encompassing; it allows use on unclassified systems. That is a really bad idea, because it is like saying all unclassified information can be given to the foreign government. The end result is that they get it if we allow the software to be used on any network in the US.
There are a lot of things on unclassified networks that are still sensitive, and a whole class of information, called Unclassified Sensitive, that is used only for official purposes and has to be reviewed before public release.
Third, self-reporting seldom works where the report leads to limits on sales to agencies of the Federal government. Reporting damages the bottom line of any company that reports. That is not a recipe for success.
Fourth, open source software is a bigger risk than vendor-supplied software. Anyone can get the source code of an open source project, modify it, and then redistribute it to the sites that host the source code. That software is not sold to anyone, so a rule keyed to what is “sold” never touches it.
The use of software by the military is a mess that is largely uncontrolled by the Defense Department. It is sparsely regulated, and there is next to no enforcement of the rules that are supposed to be followed. This legislation is not going to improve that situation.