Why Partners Should Care About Russian Mandatory Source Code Reviews
“If we built airplanes the way we run cyberspace, there would be 15 airplanes down I-66 right now,” says Chase Cunningham, principal security and risk analyst at Forrester. “Somebody would go to jail for that because people die.”
When a lack of regulation endangers American lives in most industries, there’s often a public outcry that forces lawmakers and industry titans to create standards of safety and put in place legal consequences for organizations that fail to abide by them. But cyberspace is still a wild frontier, where there’s no real rule of law and heroes in white hats don’t always prevail. The threat of cyberattacks is by and large an intangible one, and it isn’t easy for a vast swath of Americans to put a face to victims of cybercrime or fully grasp ramifications that might not come back to haunt them for years to come.
There has yet to be an incident to serve as the impetus for a public mandate that forces the issue of cybersecurity regulations, but that day of reckoning is inevitably coming. And when it does, odds are that it won’t be by the hands of cybercriminals out for financial gain, but from hostile foreign governments that take advantage of the glaring gaps in U.S. cybersecurity standards.
Late last month, Reuters reported that giant enterprise software providers SAP, Symantec and McAfee allowed Russian authorities to examine their source codes for potential vulnerabilities as a prerequisite to entering the Russian market. While the practice isn’t unusual, alarm bells started ringing from Silicon Valley to Washington, D.C., when it was revealed that at least a dozen federal agencies, including the Pentagon, NASA, the State Department, the FBI and the intelligence community, utilized one or more of the software products in question.
The conversation surrounding the practice of allowing source-code reviews ratcheted up several notches last October when it was revealed that Hewlett Packard Enterprise (HPE) allowed a Russian contractor with close ties to that government’s security agencies to review its security information and event-management software, ArcSight, in an effort to receive permission to participate in the Russian public-sector market. In the wake of the ArcSight revelation, members of Congress called on the Defense Department to show that any security risks that may be associated with source-code reviews by foreign governments are adequately mitigated.
The software providers all issued assurances that the reviews were conducted in secure facilities under close supervision, and that reviewers never had a chance to remove code from the premises. The Reuters report said it had not discovered any instances where a source-code review contributed to a cyberattack, but multiple experts told Channel Futures that the prospect of enemy nations having intimate knowledge of software run by government agencies should raise serious questions. Even the Department of Defense acknowledges a risk. A Dec. 7, 2017, response to the Congressional inquiry reads:
The Department of Defense (DoD) is aware of requirements imposed by certain countries, such as China and Russia, for companies to submit to source code reviews for certain types of security products under certain circumstances. Such disclosures may aid countries in discovering vulnerabilities in those products under review.
“When you’ve got some sort of substantive review of the source code, not only do you learn if it’s susceptible to being hacked, you have an understanding of how that source code is built and you have a road map for vulnerabilities you want to exploit,” says Marcus Harris, a former SAP employee and now an intellectual property attorney at Chicago-based Saul Ewing Arnstein & Lehr. “To allow a company to give access to either the Russian government or companies closely associated with the Russian government carte blanche to review the inner workings of that software is very dangerous.”
While much has been made of the source-code reviews allowed by HPE, SAP, McAfee and Symantec, the companies are far from alone in condoning the practice. Microsoft, Cisco and other providers allow source-code reviews. In fact, though this latest Reuters report calls out McAfee and Symantec by name, that foreign governments have been allowed access to the companies’ source codes is no secret; both providers issued statements last year proclaiming they would no longer permit government source-code reviews. When the U.S. government banned the use of Russia-based Kaspersky’s antivirus software in civilian and military networks that touch the government, Kaspersky volunteered to share its software’s source code. (The offer was declined by the U.S.)
Some in the cybersecurity space argue that banning source-code review actually hinders organizations’ abilities to protect their networks from exploitation of source-code vulnerabilities. The Electronic Frontier Foundation, an advocate for “civil liberties in the digital world,” says that prohibitions on mandatory source-code reviews, such as those proposed in the Comprehensive and Progressive Trans-Pacific Partnership (CPTPP), set to be signed into law this year, could impede legitimate efforts to ensure the safety of software, advocating instead for free and open code-review practices.
“Security researchers and experts have made it explicit time and time again that relying solely on security through obscurity simply does not work,” said the EFF in a blog. “Even worse, it gives engineers a false sense of safety, and can encourage further bad security practices.”
“On one hand I can completely understand a government wanting to inspect software that will have access to the government’s inner workings, especially software that originates in a foreign country,” says Culler. “Depending on the environment and use, it should be required; that’s just basic operational security.”
But Harris says this situation is different. Russia isn’t demanding to review software that will potentially be used by its government; instead, it has mandated source-code reviews as a condition of entry into the Russian market. In Harris’ view, the only rational motivation for such a demand is to get an understanding of vulnerabilities in that software that Russian government agents can exploit.
Considering recent headlines, it isn’t an unreasonable conclusion. In the last two years, we’ve seen breach after breach bearing Russia’s fingerprints. As details continue to emerge about the country’s purported cyber-meddling in the U.S. 2016 presidential elections, lawmakers, security professionals and the general public alike are understandably worried about the possibility of Russia having access to the inner workings of the software that runs much of U.S. infrastructure and defense systems.
“The fact those vendors have technology in place with government agencies in the United States, and they share source code with what you would classify as an enemy nation, would make the hair on the back of my neck stand up if I [were] anybody in the government that had that software,” says Cunningham. “And everybody’s got it.”
The concerns extend beyond the governmental realm. There are big implications for businesses, too, and Harris says managed service providers (MSPs) shouldn’t just shrug this off.
“The very software you think you’re getting to protect you potentially has huge vulnerability,” he says. “There’s tremendous liability associated with that.”
The legal ramifications associated with data breaches are far from clear, but Harris stresses that there’s a logic chain that might implicate MSPs in breaches stemming from known source-code reviews. If a service provider knows a hostile nation has knowledge of vulnerabilities in software it installed on a customer’s network and fails to erect adequate safeguards to protect against possible attacks, does that partner bear some responsibility in the case of a breach? The answer is far from clear.
The problem isn’t only limited to these few companies or to Russia. The experts we spoke to say the pool of technology companies engaging in source code review processes could be vast, and that Russia probably is not the only unfriendly nation-state demanding reviews.
“These are the only ones we know about, and it’s because they’ve got marquee names,” says Harris. There are dozens of software providers whose products underpin the SMB market and that handle highly sensitive data, such as Intuit, PeopleSoft or Kofax, for instance.
“That’s going to affect small businesses in particular.”
The concerns for the channel aren’t limited to software. Cunningham points out that there have been plenty of instances in the past where the Chinese, for example, have figured out ways to install secret “backdoors” on hardware manufactured in the country.
“The problem with the global supply chain today is it’s hard to really understand just where all the pieces originated from: chips from here, system boards from there, software from over there, the UI from somewhere else, all assembled in that country sold under the brand of this company,” says Culler. “Unfortunately, too often [in the channel] it’s not about where it was made or who has looked at it, but does it fix my problem and how much does it cost? And from a resell perspective, how much money am I going to make?”
No Change Without Catastrophe?
The experts we spoke with expressed frustration at the federal government’s failure to enact a legal infrastructure that truly addresses the threat to national security and American safety that lax cybersecurity standards present. The problem, they say, is that as of yet, there has been no immediate and tangible consequence to cyberattacks. Even the Russian election-rigging scandal, which directly attacks one of the foundational principles of this nation, seems ephemeral and fuzzy to many Americans.
And while the public understands that breaches like the one at credit reporting agency Equifax last year pose serious threats to their financial well-being, the potential consequences are still abstract. As a result, there has been general grumbling among the public, but no fierce outcry the likes of which would force the government to enact punitive measures and set a legal precedent, our experts say.
Cunningham explains that reactive – rather than proactive – industry safety regulations have always been the norm. Finance, health care, transportation, infrastructure and manufacturing are all examples of industries that came under heavy regulatory scrutiny after the American public demanded consequences for practices that contributed to the harm or death of U.S. citizens. That isn’t the case with cybersecurity — at least, not yet.
“Cyberspace is the last war-fighting domain where anyone anywhere can have an effect at a national level,” says Cunningham. “North Korea [has] the cyber capability to bring down infrastructure. That’s massive. I personally think until we have a major infrastructure outage that’s tied to a cyber attack – water systems or something like that – go wrong, it’s not going to change.”
In the meantime, U.S. businesses will continue to run on software that they know has been examined by a foreign state that condoned and sponsored attacks on American corporate infrastructure. There’s little doubt among experts that the current legal infrastructure is woefully inadequate in its cybersecurity protections, but it’s hard to say where any reform should start.
“The government has tried to do some right things. But if you look at the working groups and the mandates and all the frameworks and everything else, they’ve created a self-licking ice-cream cone of misery,” says Cunningham. “There’s no way to get it right and be compliant and be secure. It’s just impossible.”
If a widespread attack does hit American businesses as a result of source-code reviews, customers will begin demanding answers from their service providers and from the vendors that supply the solutions that run their businesses’ infrastructure. Inevitably, someone’s head is going to roll. Until that time, MSPs are in a tough place. What channel partner doesn’t incorporate products from HPE, SAP, McAfee, Cisco, Microsoft and untold others into their business solution offerings? Avoiding products with code or components that have been examined or touched by hostile foreign governments is nigh impossible. Unfortunately, according to our experts, it’s also inevitable until disaster strikes, people are hurt, and businesses and the government finally get the mandate from the public to enact the substantive reforms they’ve so far been lacking.