Suppose the FBI got involved in private companies’ security screening, demanding access to closely-guarded product security secrets. Lawmakers would be screaming bloody murder from the rooftops! And if the demands were made of foreign companies, you can bet there would be hell to pay from entities, like, say, the EU. Well, this is just what is happening in Russia.
The Russian Federal Security Service (FSB), you know – formerly those friendly folks from the KGB – is demanding that Western tech companies permit it to review source code for security products such as firewalls, anti-virus applications, and software containing encryption, before permitting the products to be imported and sold in the country. If tech firms don’t acquiesce to the FSB’s source code requests, they risk delay or disapproval of their products.
Supposedly, the inspections are to make certain that foreign spy agencies have not hidden any “backdoors” that would allow them to infect Russian systems. However, officials of foreign countries, most notably the US, are not swayed by this argument.
As you may know, the atmosphere in the US is currently roiled in an anti-Russian fervor over allegations of Russian interference in the presidential election. US officials, therefore, are naturally skeptical of the Russians, and fear that any information gleaned from these reviews could be used in future cyberattacks.
Grudgingly, lest they be shut out of the lucrative $18bn Russian market, companies such as Cisco, IBM, and SAP are playing ball with the FSB – much to the chagrin of fearful American authorities. Still, requests like those emanating from the FSB are nothing new, and have caused tension over the years between the companies and the government. However, they have mushroomed since 2014, reaching a crescendo with Russia’s invasion of the Crimea, according to the sources quoted in the Reuters article that reported the practice.
Tech companies have agreed to walk the tightrope and undergo the procedures, as they are not keen to take a hit to their bottom line. They balance this against the dangers of revealing source code to Russian security services. Until lately, except for industry watchers, this was a closely guarded secret – and with good reason. In the highly charged political climate that exists today, politicians in the US are paranoid about anything that has to do with the Kremlin.
A former senior Commerce Department official who had direct knowledge of the interaction between US companies and Russian officials until he left office this year told Reuters that:
“It’s something we have a real concern about. You have to ask yourself what it is they are trying to do, and clearly they are trying to look for information they can use to their advantage to exploit, and that’s obviously a real problem.”
No direct link to date has been made between this code review process and cyber-espionage. Other countries also perform source code reviews for defense-related or other sensitive matters, but these are done in so-called “clean rooms” by independent entities at arm’s length from the government.
This is not always the case with Russia, as the FSB and the government are joined at the hip, and the testing companies have had ties with the Russian military. One such firm is Echelon, whose own website boasts of medals it was awarded in 2013 by Russia’s Ministry of Defense for “protection of state secrets.”
Nonetheless, tech companies, perhaps with a wink and a nod to the inherent dangers, chalk these dodgy relationships up to the cost of doing business in the lucrative Russian market. However, not all companies choose to play ball. One company, Symantec, appears to have scruples, as well as misgivings about the cozy relationship between the military and the source code auditors, and the implicit insecurity of doing business in this way.
Symantec drew the line back in 2016, when the company decided it would no longer use any source code auditing firm that has ties to a foreign state or that gets most of its revenue from government-mandated security testing. It decided to err on the side of caution:
“It poses a risk to the integrity of our products that we are not willing to accept. In the case of Russia, we decided the protection of our customer base through the deployment of uncompromised security products was more important than pursuing an increase in market share in Russia.”
Symantec, by demurring in this regard, has paid a steep price. It is prohibited from doing business in Russia. Nonetheless, it is heartening to see that at least one company has scruples and is willing to sacrifice more than a smidgen of its bottom line to safeguard users of its products… and dare I say, maybe US security into the bargain?