Technology giants Including Cisco, IBM and SAP, are agreeing to demands by Moscow. For access to closely guarded product security cyber secrets. Where Russia accused of a growing number of cyberattacks on the West. A Reuters investigation found.
Russian authorities are asking Western tech companies to allow them to review source code. For security products such as firewalls, anti-virus applications and software containing encryption. Before permitting the products, imported and sold in the country. But those inspections also provide the Russians an opportunity to find vulnerabilities in the products. And source code instructions that control the basic operations of computer equipment current and former U.S. officials and security experts said.
U.S. firm, Symantec has stopped cooperating with the source code reviews over security concerns. Symantec labs inspecting its products was not independent enough from the Russian government.
U.S. officials say they have warned firms about the risks of allowing the Russians to review their products source code. Because of fears used in cyberattacks. But they say they have no legal authority to stop the practice. Unless the technology has restricted military applications or violates U.S. sanctions. Companies say they are under pressure. To agree demands from Russian regulators or risk being shut out of great profit market. The companies allow Russia to review source code in secure facilities that prevent code from copying or altering.
In addition to IBM, Cisco and Germany’s SAP, Hewlett Packard Enterprise Co and McAfee have also allowed Russia to conduct source code reviews of their products. According to people familiar with the companies’ interactions with Moscow and Russian regulatory records. If tech firms do decline the FSB’s source code requests. Further, the approval for products indefinitely delayed or denied outright, U.S. trade attorneys and U.S. officials said. The Russian information technology market expected worth of $18.4 billion this year. According to market researcher International Data Corporation (IDC).
U.S. officials take part with companies on the issue
Furthermore, reviews conducted by the Federal Service for Technical and Export Control (FSTEC) Russian defense agency tasked with countering cyber espionage and protecting state secrets. In the past three years alone it carried out 28 reviews.
Moreover, six current and former U.S. officials who have dealt with companies on the issue. And suspicious about Russia’s motives for the expanded reviews.
Source code requests are not unique to Russia. In the United States, tech companies allow the government to audit source code in limited instances as part of defense contracts and other sensitive government work. China sometimes also requires source code reviews as a condition to import commercial software, U.S. trade attorneys say.
An IBM spokesman confirms the company allows Russia to review its source code in secure, company-controlled facilities and strict procedures are followed.
In a statement, McAfee the Russia code reviews were conducted at certified testing labs at company-owned premises in the United States.
However, SAP allows Russia to review and test source code in a secure SAP facility in Germany, according to a person familiar with the process. In a company statement, SAP said the review process assures Russian customers their SAP software investments are safe and secure.
Cisco has recently allowed Russia to review source code, according to a person familiar with the matter. Before allowing the reviews, Cisco scrutinizes the code to ensure not exposing vulnerabilities used to hack the products.