McAfee says it no longer will permit government source code reviews

By Dustin Volz and Joel Schectman

WASHINGTON (Reuters) - U.S.-based cyber firm McAfee said it will no longer permit foreign governments to scrutinize the source code of its products, halting a practice some security experts have warned could be leveraged by nation-states to carry out cyber attacks.

Reuters reported in June that McAfee was among several Western technology companies that had acceded in recent years to greater demands by Moscow for access to source code, the instructions that control basic operations of computer equipment.

The reviews, conducted in secure facilities known as "clean rooms" by Russian companies with expertise in technology testing, are required by Russian defense agencies for the stated purpose of ensuring no hidden "backdoors" exist in foreign-made software.

But security experts and former U.S. officials have said those inspections provide Russia with opportunities to find vulnerabilities that could be exploited in offensive cyber operations.

McAfee ended the reviews earlier this year after spinning off from Intel in April as an independent company, a McAfee spokeswoman said in an email to Reuters last week.

The company declined to give a precise timeline for when it stopped allowing such reviews.

"The new McAfee has defined all its own new processes, reflecting business, competitive and threat landscapes unique to our space," the spokeswoman said. "This decision is a result of this transition effort."

She added that there had been no evidence of a security issue related to the reviews.

McAfee's decision follows a similar move by competitor Symantec, which in early 2016 adopted a global policy of refusing to comply with any government-mandated source code reviews required to win entry to a market.

Symantec Chief Executive Greg Clark told Reuters earlier this month the decision resulted from fears the agreements would compromise the security of its products.

Reuters reported this month that Hewlett Packard Enterprise allowed one such testing company, Echelon, to review on behalf of a Russian defense agency the source code of cyber defense software known as ArcSight, which is used by the Pentagon to guard its computer networks.

That arrangement has prompted questions from lawmakers in Washington amid broader concerns about Russia's use of digital means to sow discord and interference in elections in the United States and other Western countries, allegations the Kremlin has repeatedly denied.

In a letter last week to Defense Secretary James Mattis, Democratic Senator Jeanne Shaheen asked how the Pentagon manages risks when using software that has been scrutinized by foreign governments.

HPE has said in the past that such reviews have taken place for years at a research and development center it operates outside of Russia.

The software maker has also said it closely supervised the process and that no code was allowed to leave the premises, ensuring it did not compromise the safety of its products. A company spokeswoman said earlier this month that no current HPE products have undergone Russian source code reviews.

ArcSight was sold to British tech company Micro Focus International Plc in a deal completed in September.

Micro Focus said this month that while source code reviews were a common industry practice, it would restrict future reviews by "high-risk" governments and subject them to chief executive approval.

McAfee also allowed Echelon to review its software source code, Reuters reported in June. Such tests were conducted in a secure environment at a McAfee facility in the United States where the source code could not be copied, a spokeswoman said.

The company spokeswoman said the new policy would prohibit third-party entities, including Echelon, from doing reviews on behalf of governments.

(Reporting by Dustin Volz and Joel Schectman in Washington; additional reporting by Jack Stubbs in Moscow; Editing by Dan Grebler)