January 25, 2018
Major global technology providers SAP, Symantec and McAfee have allowed Russian authorities to hunt for vulnerabilities in software deeply embedded across the U.S. government, a Reuters investigation has found.
The practice potentially jeopardizes the security of computer networks in at least a dozen federal agencies, U.S. lawmakers and security experts said. It involves more companies and a broader swath of the government than previously reported.
In order to sell in the Russian market, the tech companies let a Russian defense agency scour the inner workings, or source code, of some of their products. Russian authorities say the reviews are necessary to detect flaws that could be exploited by hackers.
But those same products protect some of the most sensitive areas of the U.S. government, including the Pentagon, NASA, the State Department, the FBI and the intelligence community, against hacking by sophisticated cyber adversaries like Russia.
Reuters revealed in October that Hewlett Packard Enterprise software known as ArcSight, used to help secure the Pentagon’s computers, had been reviewed by a Russian military contractor with close ties to Russia’s security services.
Now, a Reuters review of hundreds of U.S. federal procurement documents and Russian regulatory records shows that the potential risks to the U.S. government from Russian source code reviews are more widespread.
Beyond the Pentagon, ArcSight is used in at least seven other agencies, including the Office of the Director of National Intelligence and the State Department’s intelligence unit, the review showed. Additionally, products made by SAP, Symantec and McAfee and reviewed by Russian authorities are used in at least eight agencies. Some agencies use more than one of the four products.
McAfee, SAP, Symantec and Micro Focus, the British firm that now owns ArcSight, all said that any source code reviews were conducted under the software maker’s supervision in secure facilities where the code could not be removed or altered. The process does not compromise product security, they said. Amid growing concerns over the process, Symantec and McAfee no longer allow such reviews and Micro Focus moved to sharply restrict them late last year.
The Pentagon said in a previously unreported letter to Democratic Senator Jeanne Shaheen that source code reviews by Russia and China “may aid such countries in discovering vulnerabilities in those products.”
Reuters has not found any instances where a source code review played a role in a cyberattack, and some security experts say hackers are more likely to find other ways to infiltrate network systems.
But the Pentagon is not alone in expressing concern. Private sector cyber experts, former U.S. security officials and some U.S. tech companies told Reuters that allowing Russia to review the source code may expose unknown vulnerabilities that could be used to undermine U.S. network defenses.
“Even letting people look at source code for a minute is incredibly dangerous,” said Steve Quane, executive vice president for network defense at Trend Micro, which sells TippingPoint security software to the U.S. military.
Worried about those risks to the U.S. government, Trend Micro has refused to allow the Russians to conduct a source code review of TippingPoint, Quane said.