
Spy vs Spy: Russia Seizing Source Code Secrets Is the Latest in an Alarming Trend

June 29, 2017 | Emil Hanscom

According to a recent report from Reuters, several prominent US-based technology companies have agreed to share product security secrets with the Russian government.

As reporters Joel Schectman, Dustin Volz and Jack Stubbs write: “Russian authorities are asking Western tech companies to allow them to review source code for security products such as firewalls, anti-virus applications and software containing encryption before permitting the products to be imported and sold in the country.” 

Russian officials claim these inspections are done to ensure that outside agencies and organizations have not placed any spying mechanisms or backdoors into their equipment. However, critics believe these demands give the Russian government an opportunity to find vulnerabilities in the products' source code, which then could be used in future cyber attacks.

Given the current political climate between Russia and the United States, the mandates from Moscow seem unique and devious. However, this is just the latest chapter in the Russian government's scrutiny of technology.

“Russia’s demands to inspect source code, especially when it comes to sensitive encryption and security functions, are nothing new,” says Kevin Bocek, chief security strategist for Venafi. “In 2016, Russia enacted the counter-terrorism Yarovaya laws, which required Internet businesses to submit their encryption keys to the government. Unfortunately, handing over these keys enabled Russia to spoof the identities of the same business’s machines.”

But the international scope of Russia’s latest demands is especially alarming. “By targeting Western companies, this disturbing trend will have global consequences,” Bocek continues. “This is part of an undeniable movement that’s clearly aimed to control free speech, privacy, and the security of machines across the Internet and around the world.”

Of course, Russia is not alone in issuing these kinds of requirements. At the start of the year, the Chinese Cybersecurity Law went into effect. This law also seeks to ‘improve’ the security of the Internet by requiring critical infrastructure, including banking and retail organizations, to submit their systems for government review. The law applies to any business operating in China, including those from the US and Europe. Consequently, costs to comply with the new law are estimated to reach $100 million for some businesses.

In addition, many Western governments are currently seeking ways to enforce similar regulations to weaken online security and privacy. “Laws in the United Kingdom and France, such as RIPA and the recently enacted Snooper’s Charter in the UK, enable governments to compel organizations to hand over encryption methods,” says Bocek.

Despite the dangers these regulations pose, it's highly probable that many more countries will issue similar demands. Bocek concludes: “It is very likely more governments in the West will follow the trends of Russia and China, enabling controls that may seem shocking today but further the control countries seek over encryption and machine identities.”

How can organizations fight back against overzealous government demands? Should businesses share product security secrets with foreign powers?

About the author

Emil Hanscom

Emil is the Public Relations Manager at Venafi. Passionate about educating the global marketplace about infosec and machine-identity issues, they have consistently grown Venafi's global news coverage year over year.
