McAfee stops allowing governments to review source code

American cybersecurity firm McAfee will no longer allow U.S. or foreign governments to review its products’ source code, a company spokesperson confirmed. 

The disclosure comes after Reuters reported earlier this year that some American technology companies, including McAfee, IBM and others, had complied with Russian requests to review source code in order to gain access to the Russian market.

{mosads}

Hewlett Packard Enterprise (HPE) has come under particular scrutiny after it was revealed that it allowed Moscow to review the source code of its ArcSight cybersecurity product, which is used by the Pentagon to secure its systems. 

It is unclear precisely when McAfee stopped allowing the reviews, though Reuters reported that they stopped after the company spun off from Intel as an independent company at the beginning of April. 

“The new McAfee has defined all its own new processes, reflecting business, competitive and threat landscapes unique to our space,” a spokesperson said in a statement. “This decision is a result of this transition effort.” 

McAfee is a global company with headquarters in Santa Clara, Calif. 

Russia’s security and defense entities have asked for the reviews in order for cybersecurity products to be approved for sale in their country. The reviews are purportedly conducted to check for backdoor vulnerabilities in foreign products, but security experts say they could also allow Russia to find vulnerabilities that could be exploited in cyberattacks. 

McAfee said that any audits it complied with in the past were conducted within company facilities and in “clean room” conditions under supervision of company personnel. Source code was never placed under control of government officials or auditors, the company said, and it was never possible for auditors to make copies of the code and remove them from the facilities. Additionally, McAfee said that recorders, cameras, thumb drives and other devices were never allowed into the facilities. 

Following the reports about Hewlett Packard Enterprise, Sen. Jeanne Shaheen (D-N.H.) wrote to Defense Secretary James Mattis last week expressing “deep concerns” that Russia could use the information to breach U.S. military systems.

“HPE’s ArcSight system constitutes a significant element of the U.S. military’s cyber defenses. Therefore, the disclosure of ArcSight’s source code presents FSTEC and other Russian military and intelligence entities with the opportunity to exploit a system used on [Department of Defense] platforms,” Shaheen wrote. 

HPE insisted in early October that the ArcSight testing was conducted in sites controlled by the company to ensure the products were not compromised and that no vulnerabilities were detected. 

“HPE has never and will never take actions that compromise the security of our products or the operations of our customers,” the company said.

This post has been updated to reflect more information from McAfee.