Tech firms let Russia probe software used by US Government

At least a dozen US federal agencies use software that has been inspected by Russia, an investigation has found.

Key points:

  • Russian authorities say reviews are necessary to detect flaws that could be exploited
  • The products protect sensitive areas of the US Government including the Pentagon, NASA and the FBI
  • Many Russian reviews have occurred since 2014, when US-Russia relations plunged to new lows

Major global technology providers SAP, Symantec and McAfee have allowed Russian authorities to hunt for vulnerabilities in software deeply embedded across the US Government.

The practice potentially jeopardises the security of computer networks in at least a dozen federal agencies, US lawmakers and security experts said.

It involves more companies and a broader swath of the Government than previously reported.

In order to sell in the Russian market, the tech companies let a Russian defence agency scour the inner workings, or source code, of some of their products.

Russian authorities say the reviews are necessary to detect flaws that could be exploited by hackers.

But those same products protect some of the most sensitive areas of the US government — including the Pentagon, NASA, the State Department, the FBI and the intelligence community — against hacking by sophisticated cyber adversaries like Russia.

It was revealed in October that Hewlett Packard Enterprise software, known as ArcSight and used to help secure the Pentagon's computers, had been reviewed by a Russian military contractor with close ties to Russia's security services.

Some tech providers no longer allow such reviews

Now, a review of hundreds of US federal procurement documents and Russian regulatory records shows that the potential risks to the US Government from Russian source code reviews are more widespread.

Beyond the Pentagon, ArcSight is used in at least seven other agencies, including the Office of the Director of National Intelligence and the State Department's intelligence unit, the review showed.

Additionally, products made by SAP, Symantec and McAfee and reviewed by Russian authorities are used in at least eight agencies. Some agencies use more than one of the four products.

McAfee, SAP, Symantec and Micro Focus, the British firm that now owns ArcSight, all said that any source code reviews were conducted under the software maker's supervision in secure facilities where the code could not be removed or altered.

The process does not compromise product security, they said.

Amid growing concerns over the process, Symantec and McAfee no longer allow such reviews and Micro Focus moved to sharply restrict them late last year.

The Pentagon said in a previously unreported letter to Democratic Senator Jeanne Shaheen that source code reviews by Russia and China "may aid such countries in discovering vulnerabilities in those products".

Reuters has not found any instances where a source code review played a role in a cyberattack, and some security experts say hackers are more likely to find other ways to infiltrate network systems.

Source code review may expose vulnerabilities

But the Pentagon is not alone in expressing concern. Private sector cyber experts, former US security officials and some US tech companies said allowing Russia to review the source code may expose unknown vulnerabilities that could be used to undermine US network defences.

"Even letting people look at source code for a minute is incredibly dangerous," said Steve Quane, executive vice president for network defence at Trend Micro, which sells TippingPoint security software to the US military.

Worried about those risks to the US Government, Trend Micro has refused to allow the Russians to conduct a source code review of TippingPoint, Mr Quane said.

Mr Quane said top security researchers can quickly spot exploitable vulnerabilities just by examining source code.

"We know there are people who can do that, because we have people like that who work for us," he said.

Many of the Russian reviews have occurred since 2014, when US-Russia relations plunged to new lows following Moscow's annexation of Crimea.

Western nations have accused Russia of sharply escalating its use of cyber attacks during that time, an allegation Moscow denies.

Some US lawmakers worry source code reviews could be yet another entry point for Moscow to wage cyberattacks.

"I fear that access to our security infrastructure — whether it be overt or covert — by adversaries may have already opened the door to harmful security vulnerabilities," Ms Shaheen said.

In its December 7 letter to Ms Shaheen, the Pentagon said it was "exploring the feasibility" of requiring vendors to disclose when they have allowed foreign governments to access source code.

Ms Shaheen had questioned the Pentagon about the practice following the Reuters report on ArcSight, which also prompted Micro Focus to say it would restrict government source code reviews in the future.

HPE said none of its current products have undergone Russian source code review.

Source code reviews conducted securely

Tech companies wanting to access Russia's large market are often required to seek certification for their products from Russian agencies, including the FSB security service and Russia's Federal Service for Technical and Export Control (FSTEC), a defence agency tasked with countering cyber espionage.

FSTEC declined to comment and the FSB did not respond to requests for comment.

FSTEC often requires companies to permit a Russian government contractor to test the software's source code.

SAP HANA, a database system, underwent a source code review in order to obtain certification in 2016, according to Russian regulatory records.

The software stores and analyses information for the State Department, Internal Revenue Service, NASA and the Army.

An SAP spokeswoman said any source code reviews were conducted in a secure, company-supervised facility where recording devices or even pencils "are strictly forbidden".

"All governments and governmental organisations are treated the same with no exceptions," the spokeswoman said.

While some companies have since stopped allowing Russia to review source code in their products, the same products often remain embedded in the US Government, which can take decades to upgrade technology.