Several technological giants whose software is widely used by the U.S. government have allowed a Russian defense agency access to their programs’ source code, potentially jeopardizing the security of computer networks in at least a dozen federal agencies, a Reuters investigation has found.
Major global technology providers SAP (SAPG.DE), Symantec (SYMC.O) and McAfee have allowed Russian authorities to hunt for vulnerabilities in software deeply embedded across the U.S. government. The practice involves more companies and a broader swath of the government than previously reported.
In order to sell in the Russian market, the tech companies let a Russian defense agency scour the inner workings, or source code, of some of their products. Russian authorities say the reviews are necessary to detect flaws that could be exploited by hackers.
But those same products protect some of the most sensitive areas of the U.S. government, including the Pentagon, NASA, the State Department, the FBI and the intelligence community, against hacking by sophisticated cyber adversaries like Russia.
Reuters revealed in October that Hewlett Packard Enterprise (HPE.N) software known as ArcSight, used to help secure the Pentagon’s computers, had been reviewed by a Russian military contractor with close ties to Russia’s security services.
Now, a new review of hundreds of U.S. federal procurement documents and Russian regulatory records shows that the potential risks to the U.S. government from Russian source code reviews are more widespread.
Many of the Russian reviews have occurred since 2014, when U.S.-Russia relations plunged to new lows following Moscow’s annexation of Crimea. Western nations have accused Russia of sharply escalating its use of cyber attacks during that time, an allegation Moscow denies.
Some U.S. lawmakers worry source code reviews could be yet another entry point for Moscow to wage cyber attacks.