Western technology companies, including Cisco, IBM and SAP, are acceding to demands by Moscow for access to closely guarded product security secrets, at a time when Russia has been accused of a growing number of cyber attacks on the West, a Reuters investigation has found.
Russian authorities are asking Western tech companies to allow them to review source code for security products such as firewalls, anti-virus applications and software containing encryption before permitting the products to be imported and sold in the country.
But those inspections also provide the Russians an opportunity to find vulnerabilities in the products’ source code. While a number of U.S. firms say they are playing ball to preserve their entree to Russia’s huge tech market, at least one U.S. firm, Symantec, has stopped cooperating with the source code reviews over security concerns.
U.S. officials say they have warned firms about the risks of allowing the Russians to review their products’ source code, because of fears it could be used in cyber attacks. But they say they have no legal authority to stop the practice unless the technology has restricted military applications or violates U.S. sanctions.
From their side, companies say they are under pressure to acquiesce to the demands from Russian regulators or risk being shut out of a lucrative market. The companies say they only allow Russia to review their source code in secure facilities that prevent code from being copied or altered.
Moscow’s source code requests have mushroomed in scope since U.S.-Russia relations went into a tailspin following the Russian annexation of Crimea in 2014, according to eight current and former U.S. officials, four company executives, three U.S. trade attorneys and Russian regulatory documents.
In addition to IBM, Cisco and Germany’s SAP, Hewlett Packard Enterprise Co and McAfee have also allowed Russia to conduct source code reviews of their products. If tech firms do decline the FSB’s source code requests, then approval for their products can be indefinitely delayed or denied outright, U.S. trade attorneys and U.S. officials said. The Russian information technology market is expected to be worth $18.4 billion this year, according to market researcher International Data Corporation (IDC).
Source code requests are not unique to Russia. In the United States, tech companies allow the government to audit source code in limited instances as part of defense contracts and other sensitive government work. China sometimes also requires source code reviews as a condition to import commercial software, U.S. trade attorneys say.
FSTEC certification records showed the Information Security Center, an independent testing company based outside Moscow, has reviewed IBM’s source code on behalf of the agency. The company was founded more than 20 years ago under the auspices of an institute within Russia’s Ministry of Defense, according to its website. The company did not respond to requests for comment.
In a statement, McAfee said the Russia code reviews were conducted at “certified testing labs” at company-owned premises in the United States.
SAP allows Russia to review and test source code in a secure SAP facility in Germany, according to a person familiar with the process. In a company statement, SAP said the review process assures Russian customers “their SAP software investments are safe and secure.”
Cisco has recently allowed Russia to review source code, according to a person familiar with the matter.
A Cisco spokeswoman declined to comment on the company’s interactions with Russian authorities but said the firm does sometimes allow regulators to inspect small parts of its code in “trusted” independent labs and that the reviews do not compromise the security of its products. Before allowing the reviews, Cisco scrutinizes the code to ensure they are not exposing vulnerabilities that could be used to hack the products, she said.