November 6, 2015
Here’s one more surprise in the newly released TPP. It could have a big impact on cybersecurity. That’s because the deal prohibits nations from asking mass market software companies for access to their source code. See TPP Article 14.17 (http://www.mfat.govt.nz/downloads/trade-agreement/transpacific/TPP-text/14.%20Electronic%20Commerce%20Chapter.pdf). The ban doesn’t apply to code run on critical infrastructure, which will make for endless disputes, since there’s very little mass market software that doesn’t run on computers involved in critical infrastructure.
Right now, this is a measure US software companies want. That’s because we make most of the mass market software in the market. But that’s likely to change, especially given the ease of entry into smart phone app markets. We’re going to want protection against the introduction of malware into such software. The question of source code inspection is a tough one. If other countries can inspect US source code, they’ll find it easier to spot security flaws, so the US government would like to keep other countries from doing that. But I doubt US security agencies are comfortable letting Vietnam write apps that end up on the phones of their employees without the ability to inspect the source. In short, this is a tough policy call that is likely to look quite different in five years than it does today.