McAfee stops allowing governments to review source code

McAfee stops allowing governments to review source code
© Getty Images

American cybersecurity firm McAfee will no longer allow U.S. or foreign governments to review its products’ source codea company spokesperson confirmed. 

The disclosure comes after Reuters reported earlier this year that some American technology companies, including McAfee, IBM and others, had complied with Russian requests to review source code in order to gain access to the Russian market.


Hewlett Packard Enterprise (HPE) has come under particular scrutiny after it was revealed that it allowed Moscow to review the source code of its ArcSight cybersecurity product, which is used by the Pentagon to secure its systems. 

It is unclear precisely when McAfee stopped allowing the reviews, though Reuters reported that they stopped after the company spun off from Intel as an independent company at the beginning of April. 

“The new McAfee has defined all its own new processes, reflecting business, competitive and threat landscapes unique to our space,” a spokesperson said in a statement. “This decision is a result of this transition effort.” 

McAfee is a global company with headquarters in Santa Clara, Calif. 

Russia’s security and defense entities have asked for the reviews in order for cybersecurity products to be approved for sale in their country. The reviews are purportedly conducted to check for backdoor vulnerabilities in foreign products, but security experts say they could also allow Russia to find vulnerabilities that could be exploited in cyberattacks. 

McAfee said that any audits it complied with in the past were conducted within company facilities and in "clean room" conditions under supervision of company personnel. Source code was never placed under control of government officials or auditors, the company said, and it was never possible for auditors to make copies of the code and remove them from the facilities. Additionally, McAfee said that recorders, cameras, thumb drives and other devices were never allowed into the facilities. 

Following the reports about Hewlett Packard Enterprise, Sen. Jeanne ShaheenCynthia (Jeanne) Jeanne ShaheenThe Hill's 12:30 Report — Sponsored by Delta Air Lines — White House to 'temporarily reinstate' Acosta's press pass after judge issues order | Graham to take over Judiciary panel | Hand recount for Florida Senate race Overnight Defense — Presented by Raytheon — Border deployment 'peaked' at 5,800 troops | Trump sanctions 17 Saudis over Khashoggi killing | Senators offer bill to press Trump on Saudis | Paul effort to block Bahrain arms sale fails Senators introduce bill to respond to Khashoggi killing MORE (D-N.H.) wrote to Defense Secretary James MattisJames Norman MattisOvernight Defense — Presented by Raytheon — Lawmakers struggle with how to punish Saudi Arabia | Trump regrets not visiting Arlington for Veterans Day | North Korea deports detained American Ousted Bolton aide says it was 'an honor' to serve Trump administration Macron’s 'Euro-army' is an idea whose time has come MORE last week expressing “deep concerns” that Russia could use the information to breach U.S. military systems.

“HPE’s ArcSight system constitutes a significant element of the U.S. military’s cyber defenses. Therefore, the disclosure of ArcSight’s source code presents FSTEC and other Russian military and intelligence entities with the opportunity to exploit a system used on [Department of Defense] platforms,” Shaheen wrote. 

HPE insisted in early October that the ArcSight testing was conducted in sites controlled by the company to ensure the products were not compromised and that no vulnerabilities were detected. 

“HPE has never and will never take actions that compromise the security of our products or the operations of our customers,” the company said.

This post has been updated to reflect more information from McAfee.