Western technology companies, including Cisco, IBM and SAP , are acceding to demands by Moscow for access to closely guarded product security secrets, at a time when Russia has been accused of an increasing number of cyber attacks on the West, a Reuters investigation has found.
Russian authorities are asking Western tech companies to allow them to review source code for security products such as firewalls, anti-virus applications and software containing encryption before permitting the products to be imported and sold in the country. The requests, which have increased since 2014, are ostensibly done to ensure foreign spy agencies have not hidden any “backdoors” that would allow them to burrow into Russian systems.
But those inspections also provide the Russians an opportunity to find vulnerabilities in the products’ source code – instructions that control the basic operations of computer equipment – US officials and security experts said. A number of US firms say they are playing ball to preserve their entree to Russia’s huge tech market. US officials say they have warned firms about the risks of allowing the Russians to review their products’ source code, because of fears it could be used in cyber attacks.
From their side, companies say they are under pressure to acquiesce to the demands from Russian regulators or risk being shut out of a lucrative market. The demands are being made by Russia’s Federal Security Service (FSB), which the US government says took part in the cyber attacks on Hillary Clinton’s 2016 presidential campaign and the 2014 hack of 500 million Yahoo email accounts.
The FSB, which has denied involvement in both the election and Yahoo hacks, doubles as a regulator charged with approving the sale of sophisticated technology products in Russia. The reviews are also conducted by the Federal Service for Technical and Export Control (FSTEC), a Russian defence agency tasked with countering cyber espionage and protecting state secrets. Records published by FSTEC show that from 1996 to 2013, it conducted source code reviews as part of approvals for 13 technology products from Western companies. In the past three years alone it carried out 28 reviews.
A Kremlin spokesman referred all questions to the FSB. The FSB did not respond to requests for comment. FSTEC said in a statement that its reviews were in line with international practice.
Moscow’s source code requests have mushroomed in scope since US-Russia relations went into a tailspin following the Russian annexation of Crimea in 2014.
In addition to IBM, Cisco and Germany’s SAP, Hewlett Packard Enterprise Co and McAfee have also allowed Russia to conduct source code reviews of their products, according to people familiar with the companies’ interactions with Moscow and Russian regulatory records. If tech firms do decline the FSB’s source code requests, then approval for their products can be indefinitely delayed or denied outright, US trade attorneys and US officials said. The Russian information technology market is expected to be worth $18.4 billion this year, according to market researcher International Data Corporation.
US officials who have dealt with companies on the issue said they are suspicious about Russia’s motives for the expanded reviews. The reviews often takes place in secure facilities known as “clean rooms.” Several of the Russian companies that conduct the testing for Western tech companies on behalf of Russian regulators have current or previous links to the Russian military.
Echelon, a Moscow-based technology testing company, is one of several FSB-accredited testing centres that Western companies can hire to help obtain FSB approval for their products. Echelon CEO Alexey Markov said Echelon is a private and independent company but does have a business relationship with Russia’s military and law enforcement authorities.