McAfee Ends Government Source Code Reviews

The US security firm has banned future reviews of its products’ source code by governments amidst growing tension over cyber-espionage

Security firm McAfee confirmed it has ended the practice of permitting governments to carry out reviews of its products’ source code, amidst a climate of rising international tensions over cyber-espionage.

women code database programming tech © Semisatch ShutterstockMcAfee said it decided earlier this year it would no longer permit the reviews amidst a broader overhaul of its policies that followed its spin-off from former owner Intel in April. The company declined to give a precise timeline of when it had made the change.

“The new McAfee has defined all its own new processes, reflecting business, competitive and threat landscapes unique to our space,” McAfee said in a statement. “This decision is a result of this transition effort.”

McAfee said the firm had found no evidence of security problems related to the code inspections, which are carried out in secure facilities.

Source code access

Reuters reported in June that McAfee, along with IBM and other US tech firms, had agreed to source code reviews in recent years as a condition for selling their products in countries including Russia.

They are intended to assure governments a software product contains no “back doors” that could be used for espionage purposes, but some argue they could make it easier for a hostile state to carry out an attack.

Earlier this month Reuters reported HPE had allowed a third party to review the source code of ArcSight, a security tool used by the Pentagon, on behalf of a Russian defence agency.

Tech companies have said such reviews were common in the industry, but since the June report several firms said they have tightened their procedures or will no longer allow the practice.

Micro Focus, which acquired ArcSight in a deal that concluded last month, said earlier in October it would ban future code inspections by “high risk” governments and that the chief executive would be required to sign off on other reviews.

‘Deep concerns’

Symantec has had a policy of barring government source code reviews since early 2016.

Democratic Senator Jeanne Shaheen raised the issue in a letter to Defence Secretary James Mattis following the report on ArcSight, expressing “deep concerns” that Russia could use information gleaned from the review to breach Pentagon internet security systems.

“HPE’s ArcSight system constitutes a significant element of the US military’s cyber defenses,” she wrote. “Therefore, the disclosure of ArcSight’s source code presents FSTEC and other Russian military and intelligence entities with the opportunity to exploit a system used on [Department of Defence] platforms.”

HPE has said the review posed no security risk and resulted in the detection of no vulnerabilities.

“HPE has never and will never take actions that compromise the security of our products or the operations of our customers,” the company said.

Ironically, as US security firms are restricting access to their source code, Moscow-based antivirus firm Kaspersky Lab last week moved to open up its own code to third-party scrutiny.

Kaspersky’s move is part of an effort to stem US government-led concerns the firm’s popular tools could be used to spy on firms or carry out attacks.

Kaspersky has denied its products pose a security risk or that it has ties to the country’s government.

Do you know all about security in 2017? Try our quiz!