IBM, Cisco and McAfee pressured by Russia to share source code secrets

MOSCOW, Russia - With Russia’s Federal Security Service (FSB) intensifying pressure on multiple Western tech giants to share their source code secrets - the tech firms are now largely looking like giving into the demands.

According to reports, Russian officials have demanded access to secret source code for various security products by tech giants Cisco, IBM, Germany's SAP and McAfee.

The requests from Russian authorities were first made in 2014, and since then authorities in the country have sought to review Western tech firms' source code for security products before they are imported and sold in the lucrative Russian market have increased and expanded in scope.

The FSB has asked to review products such as firewalls, anti-virus applications and other software containing encryption to make sure there aren't any "backdoors" that would allow them to be used for spying.

According to U.S. trade attorneys and officials, companies that do decline the FSB's source code requests could have their products' approval delayed or denied.

Security experts have however pointed out that these reviews could allow Russia to discover vulnerabilities in these products' source code as well.

A former senior Commerce Department official with direct knowledge of interactions between U.S. firms and Russian authorities was quoted in a report as saying, “It's something we have a real concern about. You have to ask yourself what it is they are trying to do, and clearly they are trying to look for information they can use to their advantage to exploit, and that's obviously a real problem.”

Previously, the U.S. has accused the FSB of the massive Yahoo email hack in 2014 that affected 500 million users.

It was also blamed FSB for the cyberattacks on Democratic Presidential candidate Hillary Clinton's presidential campaign in 2016.

Meanwhile, reports pointed out that FSB’s reviews, which take place in secure facilities called "clean rooms", are conducted by multiple Russian tech companies on behalf of the Russian authorities. 

Many of these firms are currently or were previously linked to Russian law enforcement authorities or Russia's military.

In a bid to gain access to Russia's estimated $18.4 billion IT industry, many companies have agreed to have their products' source code reviewed - however, Symantec said they are no longer cooperating with the FSB due to security concerns.

According to Symantec, the Moscow-based tech firm Echelon, one of the labs reviewing their source code, "didn't meet our bar" for independence.

Symantec spokeswoman Kristen Batch said in a statement, "In the case of Russia, we decided the protection of our customer base through the deployment of uncompromised security products was more important than pursuing an increase in market share in Russia. It poses a risk to the integrity of our products that we are not willing to accept."

However, sources confirmed that IBM, Cisco, Hewlett Packard, McAfee and Germany's SAP have allowed Russia to review their products' source codes in secure facilities.

They pointed out that these companies had demanded that the source codes of their products be reviewed in secure facilities  "where strict procedures are followed" to avoid their code being copied or tampered with.

The Federal Service for Technical and Export Control, which also conducts these reviews, said in a report that it has conducted 28 reviews in the past three years. 

Between 1996 and 2013 - the body conducted multiple reviews for approvals of 13 technology products from Western firms.