Tech firms let Russia probe progs
WASHINGTON: Major global technology providers SAP, Symantec and McAfee have allowed Russian authorities to hunt for vulnerabilities in software deeply embedded across the US government, an investigation has found.
The practice potentially jeopardises the security of computer networks in at least a dozen federal agencies, US lawmakers and security experts said. It involves more companies and a broader swath of the government than previously reported. In order to sell in the Russian market, the tech companies let a Russian defence agency scour the inner workings, or source code, of some of their products. Russian authorities say the reviews are necessary to detect flaws that could be exploited by hackers.
But those same products protect some of the most sensitive areas of the US government, including the Pentagon, Nasa, the State Department and the FBI, against hacking by sophisticated cyber adversaries such as Russia.
Beyond the Pentagon, ArcSight, the Micro Focus product whose source code was also reviewed, is used in at least seven other agencies, including the Office of the Director of National Intelligence and the State Department’s intelligence unit, the review showed. Additionally, products made by SAP, Symantec and McAfee and reviewed by Russian authorities are used in at least eight agencies. Some agencies use more than one of the four products.
McAfee, SAP, Symantec and Micro Focus, which owns ArcSight, all said any source code reviews were conducted under the software maker’s supervision in secure facilities where the code could not be removed or altered. The process does not compromise product security, they said.
Investigators have not found any instances where a source code review played a role in a cyberattack, and some security experts say hackers are more likely to find other ways to infiltrate network systems. But private sector cyber experts say allowing Russia to review the source code may expose unknown vulnerabilities that could be used to undermine US network defences.
“Even letting people look at source code for a minute is incredibly dangerous,” said Steve Quane, executive vice-president for network defence at Trend Micro.