McAfee cracks down on government source code reviews

The move follows national security fears

Cyber security software vendor McAfee has said it will no longer permit foreign governments to scrutinise the source code of its products, halting a practice some security experts have warned could be leveraged by nation-states to carry out cyber attacks.

It was reported in June that McAfee was among several Western technology companies that had acceded in recent years to greater demands by Moscow for access to source code, the instructions that control basic operations of computer equipment.

The reviews, conducted in secure facilities known as "clean rooms" by Russian companies with expertise in technology testing, are required by Russian defense agencies for the stated purpose of ensuring no hidden "backdoors" exist in foreign-made software.

But security experts and former US officials have said those inspections provide Russia with opportunities to find vulnerabilities that could be exploited in offensive cyber operations.

McAfee ended the reviews earlier this year after spinning off from Intel in April as an independent company, a McAfee spokeswoman said in an email to Reuters last week.

The company declined to give a precise timeline for when it stopped allowing such reviews.

"The new McAfee has defined all its own new processes, reflecting business, competitive and threat landscapes unique to our space," the spokeswoman said. "This decision is a result of this transition effort."

She added that there had been no evidence of a security issue related to the reviews.

McAfee's decision follows a similar move by competitor Symantec which, in early 2016, adopted a global policy of refusing to comply with any government-mandated source code reviews required to win entry to a market.

Symantec CEO Greg Clark said earlier this month the decision resulted from fears the agreements would compromise the security of its products.

It was reported this month that Hewlett Packard Enterprise (HPE) allowed one such testing company, Echelon, to review on behalf of a Russian defense agency the source code of cyber defense software known as ArcSight, which is used by the Pentagon to guard its computer networks.

That arrangement has prompted questions from lawmakers in Washington amid broader concerns about Russia's use of digital means to sow discord and interfere in elections in the United States and other Western countries, allegations the Kremlin has repeatedly denied.

In a letter last week to Defense Secretary James Mattis, Democratic Senator Jeanne Shaheen asked how the Pentagon manages risks when using software that has been scrutinized by foreign governments.

HPE has said in the past that such reviews have taken place for years at a research and development center it operates outside of Russia.

The software maker has also said it closely supervised the process and that no code was allowed to leave the premises, ensuring it did not compromise the safety of its products. A company spokeswoman said earlier this month that no current HPE products have undergone Russian source code reviews.

ArcSight was sold to British tech company Micro Focus International in a deal completed in September.

Micro Focus said this month that while source code reviews were a common industry practice, it would restrict future reviews by "high-risk" governments and subject them to chief executive approval.

McAfee also allowed Echelon to review its software source code, it was reported in June. Such tests were conducted in a secure environment at a McAfee facility in the United States where the source code could not be copied, a spokeswoman said.

The company spokeswoman said the new policy would prohibit third-party entities, including Echelon, from doing reviews on behalf of governments.

(Reporting by Dustin Volz and Joel Schectman in Washington; additional reporting by Jack Stubbs in Moscow; Editing by Dan Grebler)
