Western technology companies, including Cisco Systems Inc, IBM and SAP SE, are acceding to demands by Moscow for access to closely guarded product security secrets, at a time when Russia has been accused of a growing number of cyberattacks on the West, a Reuters investigation has found.
Russian authorities are asking Western tech companies to allow them to review source code for security products such as firewalls, anti-virus applications and software containing encryption before permitting the products to be imported and sold in the country. The requests, which have increased since 2014, are ostensibly done to ensure foreign spy agencies have not hidden any “backdoors” that would allow them to burrow into Russian systems.
However, those inspections also provide the Russians an opportunity to find vulnerabilities in the products’ source code — instructions that control the basic operations of computer equipment — current and former US officials and security experts said.
While a number of US firms have said they are playing ball to preserve their entry to Russia’s huge tech market, at least one US firm, Symantec Corp, said it has stopped cooperating with the source code reviews over security concerns. That halt has not been previously reported.
Symantec said one of the labs inspecting its products was not independent enough from the Russian government.
US officials said they have warned firms about the risks of allowing the Russians to review their products’ source code, because of fears it could be used in cyberattacks.
However, they say they have no legal authority to stop the practice unless the technology has restricted military applications or violates US sanctions.
From their side, companies say they are under pressure to acquiesce to the demands from Russian regulators or risk being shut out of a lucrative market.
The companies say they only allow Russia to review their source code in secure facilities that prevent code from being copied or altered.
The demands are being made by the Federal Security Service of the Russian Federation (FSB), which the US government says took part in the cyberattacks on former US secretary of state Hillary Rodham Clinton’s 2016 US presidential campaign and the 2014 hack of 500 million Yahoo e-mail accounts.
The FSB, which has denied involvement in both the US election and Yahoo hacks, doubles as a regulator charged with approving the sale of sophisticated technology products in Russia.
The reviews are also conducted by the Federal Service for Technical and Export Control (FSTEC), a Russian defense agency tasked with countering cyberespionage and protecting state secrets.
Records published by FSTEC and reviewed by Reuters show that from 1996 to 2013, it conducted source code reviews as part of approvals for 13 technology products from Western companies. In the past three years alone it carried out 28 reviews.
A Kremlin spokesman referred all questions to the FSB.
The FSB did not respond to requests for comment.
FSTEC said in a statement that its reviews were in line with international practice.
The US Department of State declined to comment.
Moscow’s source code requests have mushroomed in scope since US-Russia relations went into a tailspin following the Russian annexation of Crimea in 2014, eight current and former US officials, four company executives, three US trade attorneys and Russian regulatory documents said.
In addition to IBM, Cisco and SAP, Hewlett Packard Enterprise Co (HP) and McAfee Inc have also allowed Russia to conduct source code reviews of their products, said people familiar with the companies’ interactions with Moscow and Russian regulatory records.
Until now, little has been known about that regulatory review process outside of the industry. The FSTEC documents and interviews with those involved in the reviews provide a rare window into the tense push-and-pull between technology companies and governments in an era of mounting alarm about hacking.
Roszel Thomsen, an attorney who helps US tech companies navigate Russia import laws, said the firms must balance the dangers of revealing source code to Russian security services against possible lost sales.
“Some companies do refuse,” he said. “Others look at the potential market and take the risk.”
If tech firms do decline the FSB’s source code requests, then approval for their products can be indefinitely delayed or denied outright, US trade attorneys and US officials said.
The Russian information technology market is expected to be worth US$18.4 billion this year, market researcher International Data Corporation said.
Six current and former US officials who have dealt with companies on the issue said they are suspicious about Russia’s motives for the expanded reviews.
“It’s something we have a real concern about,” a former senior US Department of Commerce official said, who had direct knowledge of the interaction between US companies and Russian officials until he left office this year. “You have to ask yourself what it is they are trying to do and clearly they are trying to look for information they can use to their advantage to exploit, and that’s obviously a real problem.”
However, none of the officials who spoke to reporters could point to specific examples of hacks or cyberespionage that were made possible by the review process.
Source code requests are not unique to Russia. In the US, tech companies allow the government to audit source code in limited instances as part of defense contracts and other sensitive government work. China sometimes also requires source code reviews as a condition to import commercial software, US trade attorneys said.
The reviews often take place in secure facilities known as “clean rooms.” Several of the Russian companies that conduct the testing for Western tech companies on behalf of Russian regulators have current or previous links to the Russian military, according to their Web sites.
Echelon Corp, a Moscow-based technology testing company, is one of several independent FSB-accredited testing centers that Western companies can hire to help obtain FSB approval for their products.
Echelon chief executive Alexey Markov said his engineers review source code in special laboratories, controlled by the companies, where no software data can be altered or transferred.
Markov said Echelon is a private and independent company, but it does have a business relationship with Russia’s military and law enforcement authorities.
Echelon’s Web site touts medals it was awarded in 2013 by the Russian Ministry of Defense for “protection of state secrets.”
The company’s Web site also sometimes refers to Markov as the “Head of Attestation Center of the [Russian] Ministry of Defense.”
In an e-mail, Markov said that the title is only intended to convey Echelon’s role as a certified outside tester of military technology testing.
The medals were generic and insignificant, he said.
However, for Symantec, the lab “didn’t meet our bar” for independence, spokeswoman Kristen Batch said.
“In the case of Russia, we decided the protection of our customer base through the deployment of uncompromised security products was more important than pursuing an increase in market share in Russia,” Batch said, adding that the company did not believe Russia had tried to hack into its products.
Last year, the company decided it would no longer use third parties, including Echelon, that have ties to a foreign state or get most of their revenue from government-mandated security testing.
“It poses a risk to the integrity of our products that we are not willing to accept,” she said.
Without the source code approval, Symantec can no longer get approval to sell some of its business-oriented security products in Russia.
“As a result, we do minimal business there,” she said.
Markov declined to comment on Symantec’s decision, citing a non-disclosure agreement with the company.
In the past year, HP has used Echelon to allow FSTEC to review source code, agency records showed.
A company spokesman declined to comment.
An IBM spokesman confirmed the company allows Russia to review its source code in secure, company-controlled facilities “where strict procedures are followed.”
FSTEC certification records showed the Information Security Center, an independent testing company based outside Moscow, has reviewed IBM’s source code on behalf of the agency. The company was founded more than 20 years ago under the auspices of an institute within the Russian defense ministry, its Web site said.
The company did not respond to requests for comment.
The Russia code reviews were conducted at “certified testing labs” at company-owned premises in the US, McAfee said in a statement.
SAP allows Russia to review and test source code in a secure SAP facility in Germany, a person familiar with the process said.
In a company statement, SAP said the review process assures Russian customers “their SAP software investments are safe and secure.”
Cisco has recently allowed Russia to review source code, a person familiar with the matter said.
A Cisco spokeswoman declined to comment on the company’s interactions with Russian authorities, but said the firm does sometimes allow regulators to inspect small parts of its code in “trusted” independent labs and that the reviews do not compromise the security of its products.
Before allowing the reviews, Cisco scrutinizes the code to ensure they are not exposing vulnerabilities that could be used to hack the products, she said.
A White House official said the administration is generally opposed to broad source code requirements because they impede free trade, but whether to comply is “a private business decision.”
Additional reporting by Steve Holland
With its passing of Hong Kong’s new National Security Law, the People’s Republic of China (PRC) continues to tighten its noose on Hong Kong. Gone is the broken 1997 promise that Hong Kong would have free, democratic elections by 2017. Gone also is any semblance that the Chinese Communist Party (CCP) plays the long game. All the CCP had to do was hold the fort until 2047, when the “one country, two systems” framework would end and Hong Kong would rejoin the “motherland.” It would be a “demonstration-free” event. Instead, with the seemingly benevolent velvet glove off, the CCP has revealed its true iron
At the end of last month, Paraguayan Ambassador to Taiwan Marcial Bobadilla Guillen told a group of Chinese Nationalist Party (KMT) legislators that his president had decided to maintain diplomatic ties with Taiwan, despite pressure from the Chinese government and local businesses who would like to see a switch to Beijing. This followed the Paraguayan Senate earlier this year voting against a proposal to establish ties with China in exchange for medical supplies. This constituted a double rebuke of the Chinese Communist Party’s (CCP) diplomatic agenda in a six-month span from Taiwan’s only diplomatic ally in South America. Last year, Tuvalu rejected an
US President Donald Trump on Thursday issued executive orders barring Americans from conducting business with WeChat owner Tencent Holdings and ByteDance, the Beijing-based owner of popular video-sharing app TikTok. The orders are to take effect 45 days after they were signed, which is Sept. 20. The orders accuse WeChat of helping the Chinese Communist Party (CCP) review and remove content that it considers to be politically sensitive, and of using fabricated news to benefit itself. The White House has accused TikTok of collecting users’ information, location data and browsing histories, which could be used by the Chinese government, and pose
US President Donald Trump’s administration on Friday last week announced it would impose sanctions on the Xinjiang Production and Construction Corps, a vast paramilitary organization that is directly controlled by the Chinese Communist Party (CCP) and has been linked to human rights violations against Uighurs and other ethnic minorities in Xinjiang. The sanctions follow US travel bans against other Xinjiang officials and the passage of the US Hong Kong Autonomy Act, which authorizes targeted sanctions against mainland Chinese and Hong Kong officials, in response to Beijing’s imposition of national security legislation on the territory. The sanctions against the corps would be implemented