To Avoid Being Cut Out Of The Market, US Tech Companies Are Allowing Russian Vetting Of Source Code
from the backdoors-for-all dept
Nobody trusts anybody, and it’s probably going to end up affecting end users the most. The Snowden leaks showed the NSA’s Tailored Access Operations routinely intercepted network hardware to insert backdoors. The exploits leaked by the Shadow Brokers indicated the NSA was very active on the software exploit front as well.
In response to the Snowden leaks, it appears Russian hardware and software purchasers are stepping up their due diligence efforts. This comes at a time when the Russian government is suspected of hacking away at the American democratic process, as Reuters reports.
Russian authorities are asking Western tech companies to allow them to review source code for security products such as firewalls, anti-virus applications and software containing encryption before permitting the products to be imported and sold in the country. The requests, which have increased since 2014, are ostensibly done to ensure foreign spy agencies have not hidden any “backdoors” that would allow them to burrow into Russian systems.
According to the article, multiple US officials and company executives are tracing the uptick in review demands to a downturn in US-Russian relations following Russia’s 2014 annexation of Crimea. But the NSA’s hardware operations were exposed in mid-2014, so it’s hard to believe the Snowden effect isn’t in play.
[Some] reviews are… conducted by the Federal Service for Technical and Export Control (FSTEC), a Russian defense agency tasked with countering cyber espionage and protecting state secrets. Records published by FSTEC and reviewed by Reuters show that from 1996 to 2013, it conducted source code reviews as part of approvals for 13 technology products from Western companies. In the past three years alone it carried out 28 reviews.
Since these companies aren’t willing to give up their share of an $18.4 billion market, compromises are being made. Examinations of code are being done in “clean rooms,” with conditions somewhat controlled by the companies being vetted. But this isn’t always the case. Nor are these precautions necessarily enough to prevent those doing the vetting — some linked to the Russian government — from finding undiscovered security holes and flaws. The vetting may help keep Russian government agencies and private companies from being spied on by the US, but it’s not going to do much to keep the Russian government from spying on Russian companies and Russian computer users.
So far, only one company has publicly announced its refusal to submit its software for vetting. Symantec has rejected testing by Echelon, a Moscow-based lab with some tenuous ties to the Russian military.
But for Symantec, the lab “didn’t meet our bar” for independence, said spokeswoman Kristen Batch.
“In the case of Russia, we decided the protection of our customer base through the deployment of uncompromised security products was more important than pursuing an increase in market share in Russia,” said Batch, who added that the company did not believe Russia had tried to hack into its products.
Echelon also provides testing for the Russian Ministry of Defense and multiple law enforcement agencies. Echelon claims it’s wholly independent from the Russian government, but those assertions haven’t been enough to overcome Symantec’s objections. Other companies (the article lists HP and IBM) have allowed their products to be tested by Echelon, but neither was willing to comment on this story.
The Russians are checking for US backdoors while potentially seeking to install their own. US companies are given the choice of possibly aiding in Russian domestic surveillance or being locked out of the market. Any lost sales here can at least be partially chalked up to the Snowden leaks. If so, the fallout from the leaks is still causing harm to US companies, years down the road.