scion

10/11/17 6:01 AM

#22633 RE: scion #22632

Exclusive: Symantec CEO says source code reviews pose unacceptable risk

Dustin Volz, Joel Schectman OCTOBER 10, 2017 / 8:58 PM / UPDATED 13 HOURS AGO
https://uk.reuters.com/article/us-usa-cyber-russia-symantec/exclusive-symantec-ceo-says-source-code-reviews-pose-unacceptable-risk-idUKKBN1CF2SB

WASHINGTON (Reuters) - U.S.-based cyber firm Symantec (SYMC.O) is no longer allowing governments to review the source code of its software because of fears the agreements would compromise the security of its products, Symantec Chief Executive Greg Clark said in an interview with Reuters.

Tech companies have been under increasing pressure to allow the Russian government to examine source code, the closely guarded inner workings of software, in exchange for approvals to sell products in Russia.

Symantec’s decision highlights a growing tension for U.S. technology companies that must weigh their role as protectors of U.S. cybersecurity as they pursue business with some of Washington’s adversaries, including Russia and China, according to security experts.

While Symantec once allowed the reviews, Clark said that he now sees the security threats as too great. At a time of increased nation-state hacking, Symantec concluded the risk of losing customer confidence by allowing reviews was not worth the business the company could win, he said.

The company’s about-face, which came in the beginning of 2016, was reported by Reuters in June. Clark’s interview is the first detailed explanation a Symantec executive has given about the policy change.

In an hour-long interview, Clark said the firm was still willing to sell its products in any country. But, he added, “that is a different thing than saying, ‘Okay, we’re going to let people crack it open and grind all the way through it and see how it all works’.”

While Symantec had seen no “smoking gun” that foreign source code reviews had led to a cyberattack, Clark said he believed the process posed an unacceptable risk to Symantec customers.

“These are secrets, or things necessary to defend (software),” Clark said of source code. “It’s best kept that way.”

Because Symantec’s market share was still relatively small in Russia, the decision was easier than for competitors heavily invested in the country, Clark said.

“We’re in a great place that says, ‘You know what, we don’t see a lot of product over there’,” Clark said. “We don’t have to say yes.”

Symantec’s decision has been praised by some western cyber security experts, who said the company bucked a growing trend in recent years that has seen other companies accede to demands to share source code.

“They took a stand and they put security over sales,” said Frank Cilluffo, director of the Center for Cyber and Homeland Security at George Washington University and a former senior homeland security official to former President George W. Bush.

“Obviously source code could be used in ways that are inimical to our national interest,” Cilluffo said. “They took a principled stand, and that’s the right decision and a courageous one.”

Reuters last week reported that Hewlett Packard Enterprise (HPE) (HPE.N) allowed a Russian defense agency to review the inner workings of cyber defense software known as ArcSight that is used by the Pentagon to guard its computer networks.

HPE said such reviews have taken place for years and are conducted by a Russian government-accredited testing company at an HPE research and development center outside of Russia. The software maker said it closely supervises the process and that no code is allowed to leave the premises, ensuring it does not compromise the safety of its products. A spokeswoman said no current HPE products have undergone Russian source code reviews.

ArcSight was sold to British tech company Micro Focus International Plc (MCRO.L) in a sale completed in September.

On Monday, Micro Focus said the reviews were a common industry practice. But the company said it would restrict future reviews of source code in its products by “high-risk” governments, and that any review would require chief executive approval.

“SLIPPERY SLOPE”

Earlier this year, Beijing enacted a cyber security law that foreign business groups have warned could adversely impact trade because of its data surveillance and storage requirements. The law has further fueled concern that companies increasingly need to choose between compromising security to protect business or risk losing out on potentially lucrative markets.

Clark said Symantec had not received any requests to review source code from the Chinese government, but indicated he would not comply if Beijing made such a demand.

“We just have taken a policy decision to say, ‘Any foreign government that wants to read our source code, the answer is no’,” Clark said.

The U.S. government does not generally require source code reviews before purchasing commercially available software, according to security experts.

“As a vendor here in the United States,” Clark said, “we are headquartered in a country where it is OK to say no.”

Some security experts fear heightened requests may further splinter the tech world, leading to an environment where consumers and governments only feel safe buying products made in their own countries.

“We are heading down a slippery slope where you are going to end up balkanizing (information technology), where U.S. companies will only be able to sell software to parts of Europe,” said Curtis Dukes, a former head of cyber defense at the National Security Agency now with the non-profit Center for Internet Security, “and Russia won’t be able to sell products in the U.S.”

Additional reporting by Jack Stubbs in Moscow; Editing by Paul Thomasch


scion

10/25/17 9:44 AM

#22701 RE: scion #22632

Kaspersky says it obtained suspected NSA hacking code from U.S. computer

Joseph Menn OCTOBER 25, 2017 / 9:03 AM / UPDATED 4 HOURS AGO
https://www.reuters.com/article/us-usa-security-kaspersky-russia/kaspersky-says-it-obtained-suspected-nsa-hacking-code-from-u-s-computer-idUSKBN1CU0TN

SAN FRANCISCO (Reuters) - Moscow-based Kaspersky Lab on Wednesday acknowledged that its security software had taken source code for a secret American hacking tool from a personal computer in the United States.

The admission came in a statement from the embattled company that described preliminary results from an internal inquiry it launched into media reports that the Russian government used Kaspersky anti-virus software to collect National Security Agency technology.

While the explanation is considered plausible by some security experts, U.S. officials who have been campaigning against using Kaspersky software on sensitive computers are likely to seize on the admission that the company took secret code that was not endangering its customer to justify a ban.

Fears about Kaspersky’s ties to Russian intelligence, and the capacity of its anti-virus software to sniff out and remove files, prompted an escalating series of warnings and actions from U.S. authorities over the past year. They culminated in the Department of Homeland Security last month barring government agencies from using Kaspersky products.

In a statement, the company said it stumbled on the code a year earlier than the recent newspaper reports had it, in 2014. It said logs showed that the consumer version of Kaspersky’s popular product had been analyzing questionable software from a U.S. computer and found a zip file that was flagged as malicious.

While reviewing the file’s contents, an analyst discovered it contained the source code for a hacking tool later attributed to what Kaspersky calls the Equation Group. The analyst reported the matter to Chief Executive Eugene Kaspersky, who ordered that the company’s copy of the code be destroyed, the company said.

“Following a request from the CEO, the archive was deleted from all our systems,” the company said. It said no third parties saw the code, though the media reports had said the spy tool had ended up in Russian government hands.

The Wall Street Journal said on Oct. 5 that hackers working for the Russian government appeared to have targeted the NSA worker by using Kaspersky software to identify classified files. The New York Times reported on Oct. 10 that Israeli officials reported the operation to the United States after they hacked into Kaspersky’s network.

Kaspersky did not say whether the computer belonged to an NSA worker who improperly took home secret files, which is what U.S. officials say happened. Kaspersky denied the Journal’s report that its programs searched for keywords including “top secret.”

The company said it found no evidence that it had been hacked by Russian spies or anyone except the Israelis, though it suggested others could have obtained the tools by hacking into the American’s computer through a back door it later spotted there.

The new 2014 date of the incident is intriguing, because Kaspersky only announced its discovery of an espionage campaign by the Equation Group in February 2015. At that time, Reuters cited former NSA employees who said that Equation Group was an NSA project.

Kaspersky’s Equation Group report was one of its most celebrated findings, since it indicated that the group could infect firmware on most computers. That gave the NSA almost undetectable presence.

Kaspersky later responded via email to a question by Reuters to confirm that the company had first discovered the so-called Equation Group programs in the spring of 2014.

It also did not say how often it takes uninfected, non-executable files, which normally would pose no threat, from users’ computers.

Former employees told Reuters in July that the company used that technique to help identify suspected hackers. A Kaspersky spokeswoman at the time did not explicitly deny the claim but complained generally about “false allegations.”

After that, the stories emerged suggesting that Kaspersky was a witting or unwitting partner in espionage against the United States.

Kaspersky’s consumer anti-virus software has won high marks from reviewers.

It said Monday that it would submit the source code of its software and future updates for inspection by independent parties.

Reporting by Joseph Menn in San Francisco; Editing by Jim Finkle and Eric Auchard
