U.S. technology companies routinely share sensitive product security secrets with Russian agencies in order to gain access to the country’s lucrative tech market, a compromise that could enable Moscow’s aggressive hacking efforts against Western governments and companies.
Russian officials demand that tech companies hand over source code for security products such as firewalls, anti-virus applications, and encrypted software before they are authorized to be sold in the country, according to an investigation by Reuters. Several American and Western firms, including Cisco, IBM and SAP, have agreed to give the Russian Federal Security Service (FSB) the sensitive information.
Moscow says it conducts prior reviews of the software products to make sure that foreign spy agencies haven’t built in “backdoors” that would allow access to Russian government systems. Security experts and U.S. officials have warned that those inspections also give the Russians a free pass to discover weaknesses in the products’ source code, potentially making Western targets more vulnerable to cyber attacks.
“It’s something we have a real concern about,” a former senior Commerce Department official told Reuters. “You have to ask yourself what it is they are trying to do, and clearly they are trying to look for information they can use to their advantage to exploit, and that’s obviously a real problem.”
The security reviews are conducted by the FSB and a Russian defense agency called the Federal Service for Technical and Export Control (FSTEC), which is tasked with defending against cyber espionage and protecting state secrets. FSTEC has increased the frequency of its reviews since the Russian intervention in Ukraine began in 2014. After conducting source code reviews for 13 technology products between 1996 and 2013, it has carried out 28 such reviews in the past three years alone, reports Reuters.
The U.S. tech companies, which also include Hewlett Packard Enterprise Co. and McAfee, say they have to accede to Moscow’s demands or else risk being denied access to an important international market. Security risks are mitigated, they say, because the source code reviews are conducted in secure facilities that prevent the code from being copied or modified by outside actors.
Supposedly independent companies, certified by the FSB, operate the “clean rooms” on behalf of Russian regulators. However, many of the firms have current or former links to the Russian defense ministry.
For one American tech firm, Symantec, the review process is too closely tied to Moscow and not worth the price of admission to the Russian market.
“In the case of Russia, we decided the protection of our customer base through the deployment of uncompromised security products was more important than pursuing an increase in market share in Russia,” Kristen Batch, a Symantec spokesperson, told Reuters.