According to a Reuters investigation, Russian authorities are asking Western tech companies to allow them to review source code for security products such as firewalls, anti-virus applications and software containing encryption before permitting the products to be imported and sold in the country.
The requests, which have increased since 2014, are ostensibly done to ensure foreign spy agencies have not hidden any "backdoors" that would allow them to burrow into Russian systems but it will also allow Putin's experts to find vulnerabilities in the products' source code.
While a number of US firms say they are rolling over to stay in the Russian market at least one US firm, Symantec has said "sod this for a game of soldiers" and stopped cooperating with the source code reviews.
US officials say they have warned firms about the risks of allowing the Russians to review their products' source code, because of fears it could be used in cyber attacks. But they say they have no legal authority to stop the practice unless the technology has restricted military applications or violates US sanctions.
Companies say they are under pressure to acquiesce to the demands from Russian regulators or risk being shut out of a lucrative market. The companies say they only allow Russia to review their source code in secure facilities that prevent code from being copied or altered.
The demands are being made by Russia’s Federal Security Service (FSB), which the US government says took part in the cyber attacks on Hillary Clinton’s 2016 presidential campaign and the 2014 hack of 500 million Yahoo email accounts. The FSB, which has denied involvement in both the election and Yahoo hacks, doubles as a regulator charged with approving the sale of sophisticated technology products in Russia.
The reviews are also conducted by the Federal Service for Technical and Export Control (FSTEC), a Russian defence agency tasked with countering cyber espionage and protecting state secrets. Records published by FSTEC and reviewed by Reuters show that from 1996 to 2013, it conducted source code reviews as part of approvals for 13 technology products from Western companies. In the past three years alone it carried out 28 reviews.
IBM, Cisco and Germany's SAP, Hewlett Packard Enterprise and McAfee have also allowed Russia to conduct source code reviews of their products, according to people familiar with the companies' interactions with Moscow and Russian regulatory records.