Source Code Reviews Pose Great Risks - Symantec CEO

Christian Cutler, October 11, 2017

Symantec, a US-based cyber security firm, said that it would no longer allow governments to review the source code of its products, as the lucrative tech industry grows increasingly wary of agencies that exploit vulnerabilities for espionage and other purposes.

In an interview, the cyber company’s chief executive officer Greg Clark said the agreement that enables governments to examine source codes causes unacceptable risks.

Clark has stated that he was willing to sell his company’s products in any country. However, he added, “that is a different thing than saying, ‘Okay, we’re going to let people crack it open and grind all the way through it and see how it works’.”

Meanwhile, he also indicated that he had not yet seen a “smoking gun” showing that a government review of source code had resulted in any breach.

The cyber firm’s decision underscores the tension facing US tech companies, which are walking a balance beam as they fill their roles as protectors of the country’s cybersecurity while also pursuing business with some of America’s adversaries, such as Russia and China, security experts said.

The Russian government has been pressuring companies to let it inspect their products’ source code, the closely guarded inner workings of the software, before granting them permission to sell products in Russia.

Although Symantec previously allowed the reviews, its chief executive said that he now views them as a security threat. Clark said that the risk of losing customer confidence by permitting reviews was not worth the business the company could gain, especially during a period of heightened nation-state hacking.

Symantec’s business in Russia is relatively small, which made Clark’s decision easier. It would not be as easy for competitors that have invested heavily in Russia.

“We’re in a great place that says, ‘You know what, we don’t see a lot of product over there,’” said Clark. “We don’t have to say yes.”

Western cyber security experts have praised the firm’s decision, saying that the company refused to follow the trend of other companies yielding to demands to share source code.

“They took a stand and they put security over sales,” said Frank Cilluffo, who is the director of the Center for Cyber and Homeland Security at George Washington University.

“Obviously, source code could be used in ways that are inimical to our national interest. They took a principled stand, and that’s the right decision and a courageous one,” added Cilluffo. He also served as a senior homeland security official under former president George W. Bush.

Reviews: A Common Industry Practice?

According to Hewlett Packard Enterprise (HPE), such reviews have been conducted on its products for several years. They take place at an HPE research and development center outside Russia and are carried out by a Russian government-accredited testing company.

Last week, news agencies reported that HPE had allowed a Russian defense agency to review the inner workings of ArcSight, cyber defense software used by the Pentagon to guard its computer networks.

HPE said that it closely monitors the review process and that no code is permitted to leave the premises, protecting the security of its products. No recent HPE product has undergone a Russian source code review, an HPE spokeswoman said.

Meanwhile, Micro Focus, a multinational software and IT business, said that such reviews were common in the industry. However, it also said that it would restrict future source code reviews by “high-risk” governments and that any such review would require chief executive approval.

The US government has also recently banned Kaspersky Lab, a Russian cyber security firm, from federal networks. The Department of Homeland Security said that it was worried about ties between Kaspersky and Kremlin-linked intelligence.

“The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates US national security,” it said in a statement.

However, the US government has also taken hits from tech companies. Microsoft criticized the US government this year following the enormous ‘WannaCry’ cyber attack, which ripped through networks around the world via vulnerabilities in the Windows operating system. The vulnerabilities were believed to have leaked from the US National Security Agency.

“A Slippery Slope”

At the beginning of this year, the Chinese government implemented a cyber security law that foreign businesses believed would harm trade because of its data surveillance and storage requirements. The law has underscored the choice that companies face: whether to pick security over potentially lucrative markets.

As for Symantec, Clark said that the Chinese government had not yet asked to check the company’s products’ source code. However, he indicated that even if Beijing made such a request, he would not comply.

“We have just taken a policy decision to say, ‘Any foreign government that wants to read our source code, the answer is no’,” said Clark. “As a vendor here in the United States, we are headquartered in a country where it is OK to say no.”

Experts have raised concerns that the growing number of such requests could further fragment the tech industry, leading consumers and governments to buy only products made in their own countries.

“We are heading down a slippery slope where you are going to end up balkanizing, where US companies will only be able to sell software to parts of Europe, and Russia won’t be able to sell products in the US,” said Curtis Dukes, who is a former head of cyber defense at the National Security Agency.
