Symantec refused to provide source code for auditing in Russia

Under Russian law, Western companies are obliged to comply with requests from the FSB and provide the source code of their proprietary programs for review before they are allowed into the Russian market: the authorities want to make sure that the programs do not have built-in backdoors. All companies comply with this requirement. Microsoft shows the source code of Windows, and Cisco, IBM, SAP and other companies share with the Russian Federation the source code of their firewalls, antiviruses and programs with cryptographic modules. But recently this practice has begun to worry the companies, because in the process the Russian special services are able to find vulnerabilities in the proprietary programs of Western companies, Reuters reports. These vulnerabilities can later be used in cyber attacks and espionage.

Out of concern for the safety of its products, one company, Symantec, ceased cooperation with Russian auditors.

US officials say they warned commercial companies about the risks associated with handing source code over to the Russian authorities. But the US government does not have the authority to prohibit the practice when the software is not some kind of military development but purely civilian.

In turn, the companies themselves say that they have no other choice. If they do not provide the source code, they will not be allowed into the market. The audit takes place in a secure environment, in specially equipped premises, in order to prevent the source code from leaking.

In addition to Cisco, IBM and SAP, it is known that Hewlett Packard Enterprise Co and McAfee products underwent source code audits. In recent years, the number of requests to audit the source code of Microsoft products has increased dramatically.

In general, Russia was the first in the world to receive the source code of Windows. This happened back in 2002. Microsoft agreed to show the source code only on the condition that it would be considered a state secret of the Russian Federation. Cooperation continued in the following years. For example, in the summer of 2010, Microsoft provided the FSB with the source code of Windows 7, Windows Server 2008 R2, Office 2010, SQL Server 2008 R2, and Exchange Server 2010 "to increase the government's trust in Microsoft products."

The source code is directly examined by the Federal Service for Technical and Export Control (FSTEC of Russia). The FSTEC records state that from 1996 to 2013 it conducted an examination of the source code of 13 technology products of Western companies, and from 2014 to 2016 the number of examinations increased dramatically and amounted to 28. In a comment for Reuters, the FSTEC representatives said that such an audit of the source code corresponds to practice; the FSB declined to comment.

The source code is also audited by several other companies accredited by the FSB. Tellingly, they all have connections with military structures. For example, the Echelon company has awards “for keeping state secrets” from the Ministry of Defense.

Office building of the company "Echelon" in Moscow

Despite all the fears, experts polled by Reuters could not name any specific cases of hacking, cyber attacks or cyber espionage operations that were carried out because the source code of a proprietary product became available to the Russian special services. So far these concerns are speculative.

In fact, auditing the source code of proprietary products is not a practice unique to Russia. Even the US government in some cases requires the source code of a closed program to be provided, especially when a defense order or other important contract is involved. China, too, sometimes requires source code to be provided as a condition for the import of commercial software.

In 2014, Microsoft opened the Center for Transparency in Redmond, and later a similar one in Brussels. Representatives of government agencies can visit these centers, look at the source code of the Windows operating system and other programs, and make sure that there are no backdoors or spyware in them.

The director of Echelon, Alexey Markov, said that the code is audited in a kind of “clean room”: special laboratories from which the source code cannot be transferred. Interestingly, not all audit procedures take place in Moscow. For example, the audit of the source code of SAP products was carried out by Russian specialists in a protected SAP laboratory in Germany.

But for Symantec these conditions were not enough, since it does not trust the review.

“This represents a risk to the integrity of our products, which we don’t want to accept,” said company spokeswoman Kristen Batch. After refusing to show its source code, Symantec will no longer be able to sell some corporate products in Russia.

