Security code reviews by Russian agencies cause concern

Demands for security code reviews by Russia have been on the rise, and not all experts or U.S. companies want to comply with the requests.

Before allowing cybersecurity products into Russia, U.S. tech companies are reportedly being required to submit source code for review, and many are worried about the privacy and security impacts of this testing.

Rising tensions between the U.S. and Russia over apparent election interference appear to be to blame for both Russia's insistence on security code reviews and U.S. experts' wariness of the practice. Russian authorities apparently want to ensure foreign intelligence agencies haven't embedded backdoors or other code into security products that could be used to attack Russian systems. However, U.S. enterprises and experts are worried that testing agencies will share vulnerability details with the Russian government, bolstering its cyberattack capabilities.

According to a report by Reuters, U.S. tech companies, including Cisco, IBM, HP and Microsoft, are submitting to the security code reviews, although at least one -- Symantec -- has stopped allowing the reviews because it wasn't convinced the testing agencies were fully independent from the Russian government.

Rebecca Herold, CEO of Privacy Professor, agreed with Symantec's decision to stop cooperating.

"Symantec is wise to just say no to code inspections, given how the Russian government has demonstrated they control basically all segments of Russian business industries in one way or another, and also the facts that point to the Russian leaders, including Putin, taking advantage of these accesses and personally profiting from obtaining similar types of IP and other business assets," Herold said.

Ralph Squillace, principal product manager for the Azure Containers team at Microsoft, said on Twitter that this should not be confused with Russia demanding backdoors.

"They are not demanding backdoors," Squillace wrote. "They are demanding source code review because the companies come from a hostile country, which is something the hostile country would definitely try. Nothing strange about this practice, which happens all over [in government and private sectors]."

Independent security code reviews

According to Reuters, while the agencies that perform the security code reviews must all be accredited by the Federal Security Service (FSB), the Russian agency tasked with counter-intelligence and counter-terrorism, they are said to be independent from Russian government control. However, code reviews can also be conducted by the Federal Service for Technical and Export Control (FSTEC), a department of the Russian Ministry of Defense.

John Bambenek, threat intelligence manager at Fidelis Cybersecurity, said it would surprise him if "unfriendly nations could agree on a truly neutral independent auditor."

"Independence is in the eye of the beholder, and security risks involve more than just the code," Bambenek told SearchSecurity. "Time will tell. It is not uncommon for other benign and perfectly appropriate processes to uncover things of intelligence value that end up in the hands of intelligence agencies. At the end of the day, it depends on how it is implemented and what these secure reviews require."

Richard Goldberg, principal and litigator at Goldberg & Clements in Washington, D.C., said, in general, he is in favor of third-party or public security code reviews, with one caveat.

"The problem, of course, occurs when only one actor has access, and that actor has incentives to find vulnerabilities and keep them secret for its own use," Goldberg told SearchSecurity. "If a foreign government identifies vulnerabilities in a security product and wants to exploit them, it is unlikely to share those with the public or even the vendor. Granting code reviews to foreign governments, but not the U.S. government, may put the United States at a disadvantage."

Mike Pittenger, vice president of security strategy at Black Duck Software, said the companies submitting to the security code reviews are not naïve to the risks.

"They have weighed the risks against the benefit of having access to a large and growing IT market," Pittenger told SearchSecurity. "It is natural that governments would want assurances that adversarial agencies haven't planted spyware in products. However, allowing an agency associated with a foreign government certainly increases risk."

Bambenek said these kinds of security code reviews by foreign governments could become more common as U.S. lawmakers push for more data sharing and even encryption backdoors from tech companies.

"It depends on the depth of the specific requests, but China just adopted a policy to require access to information from companies that have sensitive data for their citizens, and I expect other nations to follow suit," Bambenek said. "It is a logical consequence from the revelations of bulk surveillance by Edward Snowden that are still reverberating globally. People expect U.S. companies to be sharing data with the U.S. government, so they now want in on the game."

Economic and privacy concerns

Reuters stated in its report that any company refusing the security code reviews could see the FSB deny or indefinitely delay approval to import those products into Russia.

Herold said it would be "very shortsighted" for a U.S. company to acquiesce to the demands for purely economic reasons.

"They will only be in a lucrative market to U.S. firms until the Russians copy their products and replace the U.S. products with their own new Russian copies of the same," Herold said. "If you've ever looked at the history of Russia, and their long practice of stealing U.S. intellectual property, and the many ways in which they've spied over the decades, it is a justified concern. In today's environment, no one can be accused of being too concerned by Russian activities, especially where security and privacy technology is concerned."

Goldberg said the consideration goes beyond economic concerns, as well.

"In the end, U.S. companies face a difficult choice, and it is not just a question of balancing potentially decreased security with the available economic gains of foreign markets," Goldberg said. "The first U.S. maker of security products that falls victim to hacking by a foreign government to which it has granted code reviews will have a lot of explaining to do. But because these things are often handled in secret, this may already have happened, and we might not know."

Herold added that there are huge privacy concerns with these security code reviews.

"Anyone using the code inspected -- firewalls, antivirus, encryption and other security products that are being inspected by FSTEC -- should expect that now the Russian government is surveilling all their data that they thought these products were protecting," Herold said. "Are these the same tools being sold in the U.S.? I certainly hope not; that would widen the Russian surveillance and spying activities to unprecedented reaches. It would be good for these tech companies to provide verifiable assurance to their non-Russian clients that their products sold elsewhere are not the same as the products the Russians are examining."
