A handful of tech companies have given a Russian defence agency the opportunity to sort the source code of their software, used by US government agencies, to uncover vulnerabilities that the Russians say they fear could be exploited by bad actors.
McAfee, Symantec, Micro Focus and SAP all have submitted to the practice, sparking concern at the Pentagon and among lawmakers, according to a Reuters review of both US defence contracts and Russian regulatory requirements.
To do business with Russia, US tech companies often must obtain certification from the country's Federal Service for Technical and Export Control (FSTEC), the FSB, the Russian intelligence agency, and other agencies.
“I fear that access to our security infrastructure - whether it be overt or covert - by adversaries may have already opened the door to harmful security vulnerabilities,” US Sen. Jeanne Shaheen, D-N.H., said, according to Reuters.
The software is used not only by the Pentagon, the report said, but also at NASA, the State Department, the FBI and within the intelligence community, where it's used to fend off attacks by nation-states such as Russia.
"Even letting people look at source code for a minute is incredibly dangerous," Reuters quoted Steve Quane, executive vice president for network defence at Trend Micro, as saying.