McAfee Says "No" to Foreign Govt Code Reviews
Security giant McAfee has decided to discontinue a policy of allowing foreign governments to analyze its source code for hidden backdoors.
The policy is seen as an essential step for US and other Western tech firms looking to sell into the Russian and other regions, ostensibly intended to allay any security concerns foreign governments may have.
However, it’s increasingly seen as a risk which could actually expose the provider’s software, despite the possibility for such tests to be conducted so that no code is allowed to leave the premises.
McAfee is said to have made the decision after it was spun-off from Intel.
“The new McAfee has defined all its own new processes, reflecting business, competitive and threat landscapes unique to our space,” a spokeswoman told Reuters. “This decision is a result of this transition effort.”
McAfee now joins Symantec, which adopted the policy in 2016 amid security fears.
It’s not just the Russian government involved here; a recent Cybersecurity Law passed in China could lead to Beijing demanding code reviews from any “critical information infrastructure” provider wanting to operate in the country.
Again, the government claims such measures are necessary to protect national security, but critics have suggested it could also give agents an opportunity to research their own backdoors.
The value of AV tools as a means for intelligence operatives to monitor targets has been brought to light by the recent showdown between the US government and Russian security firm Kaspersky Lab.
It is claimed Russian intelligence may have used backdoors in its products to spy on and steal info from an NSA contractor.
Kaspersky Lab therefore seems to be going in a different direction to McAfee and Symantec, forced to open up its source code to the US government in a bid to regain trust after Washington banned its products for federal use.
Cesare Garlati, chief security strategist at the non-profit prpl Foundation, argued that all software should be open source, available for scrutiny by all.
“There is consensus in the security community that the so called ‘security through obscurity’ never worked: just look at Windows Microsoft or Adobe Flash if you need proof,” he added.
“Close source software does not make any software more secure. In fact, is the exact opposite. All recent high-profile incidents involve reverse engineering of closed source software, identification of vulnerabilities and their systematic exploit."
Source: Information Security Magazine