According to a recent report from Reuters, several prominent US-based technology companies have agreed to share product security secrets with the Russian government.
As reporters Joel Schectman, Dustin Volz and Jack Stubbs write: “Russian authorities are asking Western tech companies to allow them to review source code for security products such as firewalls, anti-virus applications and software containing encryption before permitting the products to be imported and sold in the country.”
Russian officials claim these inspections are meant to ensure that outside agencies and organizations have not planted spying mechanisms or backdoors in the products. Critics, however, argue that the reviews give the Russian government an opportunity to find vulnerabilities in the products' source code, which could then be used in future cyber attacks.
Given the current political climate between Russia and the United States, the mandates from Moscow may look both novel and sinister. But they are only the latest chapter in the Russian government's scrutiny of foreign technology.
“Russia’s demands to inspect source code, especially when it comes to sensitive encryption and security functions, are nothing new,” says Kevin Bocek, chief security strategist for Venafi. “In 2016, Russia enacted the counter-terrorism Yarovaya laws, which required Internet businesses to submit their encryption keys to the government. Unfortunately, handing over these keys enabled Russia to spoof the identities of the same business’s machines.”
But the international scope of Russia’s latest demands is especially alarming. “By targeting Western companies, this disturbing trend will have global consequences,” Bocek continues. “This is part of an undeniable movement that’s clearly aimed at controlling free speech, privacy, and the security of machines across the Internet and around the world.”
Of course, Russia is not alone in issuing these kinds of requirements. Earlier this year, China’s Cybersecurity Law went into effect. This law also seeks to ‘improve’ the security of the Internet by requiring critical infrastructure operators, including banking and retail organizations, to submit their systems for government review. The law applies to any business operating in China, including those from the US and Europe, and the cost of complying with the new law is estimated to reach $100 million for some businesses.
In addition, many Western governments are currently seeking ways to enforce similar regulations that would weaken online security and privacy. “Laws in the United Kingdom and France, such as RIPA and the recently enacted Snooper’s Charter in the UK, enable governments to compel organizations to hand over encryption methods,” says Bocek.
Despite the dangers these regulations pose, it is highly probable that many more countries will issue similar demands. Bocek concludes: “It is very likely more governments in the West will follow the trends of Russia and China, enabling controls that may seem shocking today but further the control countries seek over encryption and machine identities.”
How can organizations fight back against overzealous government demands? Should businesses share product security secrets with foreign powers?