Several Security Companies Allowed Russia to Review Software Widely Used by the US Government
Latest reports reveal that major security software makers allow Russia to look for vulnerabilities in their products. Published by Reuters earlier today, the report suggests that global technology providers including SAP, Symantec and McAfee, whose software is "deeply embedded across the US government", let Russia take apart their code. This report is a follow-up to the original report in October last year, which had revealed that Hewlett Packard Enterprise had allowed a Russian military contractor to review its ArcSight software, used in the Pentagon. It appears the practice is far more widespread than previously believed.
The publication has reviewed "hundreds of U.S. federal procurement documents and Russian regulatory records" confirming that the "potential risks to the U.S. government from Russian source code reviews are more widespread".
While a bitter pill for the US government, countries like Russia often push tech companies to give the authorities access to the source code before they are allowed to operate in the country. Russia says it follows this practice to make sure there aren't any backdoors or vulnerabilities that could be used by attackers. However, this practice does put other governments who are also clients of these companies at risk. Reuters has specifically focused on the US government's vulnerability to attacks that could potentially occur due to this code access. The report mentions the likes of the Pentagon, NASA and the FBI where these products are used.
"The practice potentially jeopardizes the security of computer networks in at least a dozen federal agencies, U.S. lawmakers and security experts said," the report suggests.
[...] those same products protect some of the most sensitive areas of the U.S government, including the Pentagon, NASA, the State Department, the FBI and the intelligence community, against hacking by sophisticated cyber adversaries like Russia.
Security software makers continue to argue that they allow governments to review source code under their supervision in secure facilities where the source code cannot be removed or altered. It should be noted that the Russia-based Kaspersky Lab had also offered to let the US government review its source code when the Trump administration had put a ban on its use inside the federal agencies.
However, while companies argue that this practice doesn't compromise security, those in the government have had their doubts, as many believe this could potentially help attackers discover vulnerabilities in software that is known to be used by governments. It appears that the tech companies also agree with these concerns, since both Symantec and McAfee claimed that they no longer allow these reviews, Reuters reported.
No proof that this access has translated into cyberattacks by Russia
The publication hasn't found any evidence that the source code reviews have resulted in any cyberattacks. However, it adds that many of these reviews started happening in 2014, when the US-Russia relationship wasn't exactly at its peak. Since then, several countries and private companies have blamed Russia for countless cyberattacks. The Kremlin has continued to deny any involvement in any of these attacks.
Russia also appears to be an anomaly here, requesting that every company let it review the source code. "In contrast to Russia, the U.S. government seldom requests source code reviews when buying commercially available software products," the report added, citing trade attorneys and security experts.
Even if these reviews are conducted inside secure facilities, software makers cannot guarantee complete security. "Even letting people look at source code for a minute is incredibly dangerous," Steve Quane of Trend Micro said. He added that there are people who can quickly spot exploitable vulnerabilities just by examining source code. "We know there are people who can do that, because we have people like that who work for us."