The universe is an interesting place.
While the Senate and House, among others, are trying to figure out how much damage Russia did during last year’s election cycle, Cisco and others are sharing their source code with the people who supposedly hacked us. Seem strange? It is!
Here is the story.
For some countries, including Russia, the government requires foreign vendors to share source code with supposedly independent testing labs. The objective, they say, is to make sure that there are no back doors in the code that would allow others such as the NSA and CIA to hack into them.
Cisco, IBM, HP and SAP are among those who have agreed to share source code with the Russians and others.
Symantec has told Russia to stick it where ….
As a result, Symantec does almost no business in Russia.
The U.S. government has suggested that this isn’t a great plan, but money usually rules. The government, under most circumstances, has no legal ability to stop U.S. companies from doing that, however.
Who in Russia wants to check out our source code? None other than the FSB, the successor to the KGB, Russia’s former spy agency.
Also, the FSTEC, another Russian agency with strong ties to the spy community, is doing some of the source code reviews.
For their part, the U.S. tech companies are trying to reduce the risk. They say that the code reviews are done in the United States, not Russia, and that they are done in a clean room environment where reviewers cannot take anything in or out. But if the people doing the reviews are skilled Russian hackers, simply the ability to look at the code – to see how the programs work – may be enough to allow them to later hack us.
Companies have to make a decision. The Russian tech market is estimated to be worth around $20 billion. Do they let Russian spies look at the source code of their security software in order to be able to take a bite out of a $20 billion apple, or do they let their possible share of the market go to a competitor? If they do not agree to Russian demands, it is likely that Russia will not allow U.S. tech companies to sell their products in Russia.
My take – giving Russian spies access to the family jewels is a really bad idea. I understand that sometimes money clouds people’s vision and this is one of those times. It is kind of like giving a burglar both the key to our house and a map telling them where our valuables are. And hoping that they don’t take anything.
WHAT COULD GO WRONG?
Information for this post came from Reuters.