Symantec will no longer allow government source code reviews due to unacceptable risk
WASHINGTON (Reuters) – U.S.-based cyber firm Symantec (SYMC.O) is no longer allowing governments to review the source code of its software because of fears the agreements would compromise the security of its products, Symantec Chief Executive Greg Clark said in an interview with Reuters.
Tech companies have been under increasing pressure to allow the Russian government to examine source code, the closely guarded inner workings of software, in exchange for approvals to sell products in Russia.
Symantec’s decision highlights a growing tension for U.S. technology companies that must weigh their role as protectors of U.S. cybersecurity as they pursue business with some of Washington’s adversaries, including Russia and China, according to security experts.
While Symantec once allowed the reviews, Clark said that he now sees the security threats as too great. At a time of increased nation-state hacking, Symantec concluded the risk of losing customer confidence by allowing reviews was not worth the business the company could win, he said.
The company’s about-face, which came in the beginning of 2016, was reported by Reuters in June. Clark’s interview is the first detailed explanation a Symantec executive has given about the policy change.
In an hour-long interview, Clark said the firm was still willing to sell its products in any country. But, he added, “that is a different thing than saying, ‘Okay, we’re going to let people crack it open and grind all the way through it and see how it all works’.”
While Symantec had seen no “smoking gun” that foreign source code reviews had led to a cyberattack, Clark said he believed the process posed an unacceptable risk to Symantec customers.
“These are secrets, or things necessary to defend (software),” Clark said of source code. “It’s best kept that way.”
Because Symantec’s market share was still relatively small in Russia, the decision was easier than for competitors heavily invested in the country, Clark said.
“We’re in a great place that says, ‘You know what, we don’t see a lot of product over there’,” Clark said. “We don’t have to say yes.”
Symantec’s decision has been praised by some western cyber security experts, who said the company bucked a growing trend in recent years that has seen other companies accede to demands to share source code.