Symantec will stop governments reviewing the source code of its software to protect the security of its products, as the technology industry becomes increasingly wary of intelligence agencies using vulnerabilities for surveillance and espionage.
Greg Clark, chief executive of Symantec, said he believed the agreements to allow governments to examine source code posed an unacceptable risk to its customers.
In an interview with Reuters, he said he was willing to sell in any country but “that is a different thing than saying, ‘OK, we’re going to let people crack it open and grind all the way through it to see how it all works’.”
But he added Symantec had seen no “smoking gun” that governments’ reviews of source code had led to any breaches.
Mr Clark’s comments come as tensions over the relationship between national governments and technology companies risk dividing the global internet into so-called ‘splinternets’, with separate data centres, and even companies, operating only within national boundaries.
US technology companies have been under pressure to allow the Russian government to examine source code, while Beijing has enacted a cyber security law that has rattled multinationals, which fear it will leave them more vulnerable to spying.
The US government recently banned software made by Russian cyber security company Kaspersky Lab from federal networks. The US Department of Homeland Security said last month that it was “concerned” about ties between Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow intelligence agencies to request or compel assistance from Kaspersky.
“The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalise on access provided by Kaspersky products to compromise federal information and information systems directly implicates US national security,” it said in a statement.
Some technology companies have allowed national governments to review their source code in order to comfort them about the presence of a powerful foreign company in their networks. But when examining source code, governments can also discover previously unknown vulnerabilities — known as zero days — which they can hoard and use to spy on users, rather than inform the company of the flaw so it can fix it.
Microsoft criticised the US government earlier this year after a massive cyber attack called WannaCry ripped through networks around the world, making use of a vulnerability in the Windows operating system thought to have been discovered — and leaked from — the US National Security Agency.
Brad Smith, president of Microsoft, said an equivalent scenario would be “the US military having some of its Tomahawk missiles stolen”.