Tue, Jun 27, 2017 - Page 9 News List

Western techs bow to Russian demands to share cybersecrets

By Joel Schectman, Dustin Volz and Jack Stubbs  /  Reuters, WASHINGTON and MOSCOW

Western technology companies, including Cisco Systems Inc, IBM and SAP SE, are acceding to demands by Moscow for access to closely guarded product security secrets, at a time when Russia has been accused of a growing number of cyberattacks on the West, a Reuters investigation has found.

Russian authorities are asking Western tech companies to allow them to review source code for security products such as firewalls, anti-virus applications and software containing encryption before permitting the products to be imported and sold in the country. The requests, which have increased since 2014, are ostensibly done to ensure foreign spy agencies have not hidden any “backdoors” that would allow them to burrow into Russian systems.

However, those inspections also provide the Russians an opportunity to find vulnerabilities in the products’ source code — instructions that control the basic operations of computer equipment — current and former US officials and security experts said.

While a number of US firms have said they are playing ball to preserve their entry to Russia’s huge tech market, at least one US firm, Symantec Corp, said it has stopped cooperating with the source code reviews over security concerns. That halt has not been previously reported.

Symantec said one of the labs inspecting its products was not independent enough from the Russian government.

US officials said they have warned firms about the risks of allowing the Russians to review their products’ source code, because of fears it could be used in cyberattacks.

However, they say they have no legal authority to stop the practice unless the technology has restricted military applications or violates US sanctions.

From their side, companies say they are under pressure to acquiesce to the demands from Russian regulators or risk being shut out of a lucrative market.

The companies say they only allow Russia to review their source code in secure facilities that prevent code from being copied or altered.

The demands are being made by the Federal Security Service of the Russian Federation (FSB), which the US government says took part in the cyberattacks on former US secretary of state Hillary Rodham Clinton’s 2016 US presidential campaign and the 2014 hack of 500 million Yahoo e-mail accounts.

The FSB, which has denied involvement in both the US election and Yahoo hacks, doubles as a regulator charged with approving the sale of sophisticated technology products in Russia.

The reviews are also conducted by the Federal Service for Technical and Export Control (FSTEC), a Russian defense agency tasked with countering cyberespionage and protecting state secrets.

Records published by FSTEC and reviewed by Reuters show that from 1996 to 2013, it conducted source code reviews as part of approvals for 13 technology products from Western companies. In the past three years alone it carried out 28 reviews.

A Kremlin spokesman referred all questions to the FSB.

The FSB did not respond to requests for comment.

FSTEC said in a statement that its reviews were in line with international practice.

The US Department of State declined to comment.

Moscow’s source code requests have mushroomed in scope since US-Russia relations went into a tailspin following the Russian annexation of Crimea in 2014, eight current and former US officials, four company executives, three US trade attorneys and Russian regulatory documents said.

This story has been viewed 2136 times.

Comments will be moderated. Keep comments relevant to the article. Remarks containing abusive and obscene language, personal attacks of any kind or promotion will be removed and the user banned. Final decision will be at the discretion of the Taipei Times.

TOP top