Symantec Takes Stand Against Russian Source Code Review

IBM, Cisco, SAP, Hewlett Packard Enterprise and McAfee allow Russia to conduct source code reviews of their products, which some U.S. government officials worry could enable foreign intelligence agents to find vulnerabilities.

Aldrin Brown, Editor-in-Chief

June 24, 2017


Cyber security software vendor Symantec today emerged as the only known western technology company to publicly refuse Russian government access to source code for its security products.

IBM, Cisco, Germany's SAP, Hewlett Packard Enterprise and McAfee are among the firms that allowed Russia to conduct source code reviews of products, including firewalls, anti-virus applications and other encrypted software, according to a new investigative report from Reuters.

The reviews – intended to protect Russia against cyber espionage – are conducted by the country’s Federal Service for Technical and Export Control (FSTEC), and the Federal Security Service (FSB), successor to the KGB and the agency blamed for attacking the 2016 U.S. Presidential election.

“But those inspections also provide the Russians an opportunity to find vulnerabilities in the products’ source code,” Reuters reported, citing current and former U.S. officials and security experts.

As IT services providers sell and employ increasingly sophisticated solutions to combat an expanding array of cyber security threats, this report suggests those efforts could be at least somewhat undermined by software vendors’ desire to cash in on substantial revenue opportunities in Russia.

The Russian IT market is projected to be worth $18.4 billion in 2017.

In a stark rebellion, Symantec officials said the company has refused to submit to the reviews and acknowledged they’re prepared to absorb the impact to their top line.

“In the case of Russia, we decided the protection of our customer base through the deployment of uncompromised security products was more important than pursuing an increase in market share in Russia,” spokeswoman Kirsten Batch is quoted as saying.

Code inspections are performed by “independent” software firms, some with ties to Russian military intelligence or defense agencies, the investigation found.

One such company, Echelon, is used by IBM.   

But Symantec officials decided the lab "didn't meet our bar" for independence.

The company refused to allow the review, thus disqualifying it from selling business products in Russia.

“It poses a risk to the integrity of our products that we are not willing to accept,” Batch, the Symantec spokeswoman, told Reuters.

There’s a discrepancy about where the source code reviews are conducted, with the tech companies saying they conduct the reviews in “safe rooms” at their own facilities, where nothing can be copied or exfiltrated.

But in at least one case – that of IBM – the FSTEC posted documents claiming the testing was done at a firm located 20 miles outside of Moscow.

The article noted there is no evidence that the software code reviews have resulted in an actual hack and that other nations – including China and the U.S. – also conduct source code inspections for some products.  

 


About the Author

Aldrin Brown

Editor-in-Chief, Penton

Veteran journalist Aldrin Brown comes to Penton Technology from Empire Digital Strategies, a business-to-business consulting firm that he founded that provides e-commerce, content and social media solutions to businesses, nonprofits and other organizations seeking to create or grow their digital presence.

Previously, Brown served as the Desert Bureau Chief for City News Service in Southern California and Regional Editor for Patch, AOL's network of local news sites. At Patch, he managed a staff of journalists and more than 30 hyper-local and business news and information websites throughout California. In addition to his work in technology and business, Brown was the city editor for The Sun, a daily newspaper based in San Bernardino, CA; the college sports editor at The Tennessean, Nashville, TN; and an investigative reporter at the Orange County Register, Santa Ana, CA.

 
