[raesene9]

Usually companies allow source code review beccause they're trying to sell their solutions in the countries in question.

Look at it from the perspective of those countries

Symantec "hey buy all our security software it's super-great"

Foreign Gov. Customer: "sure can we check the source code first to see if there are any heinous security bugs or NSA backdoors"

Symantec "Oh gee no, allowing to you see the source code of products we want you or companies in your country to run might compromise it's security"

Foreign Gov. Customer: "..."

[PeterisP]

They're completely okay with that response. What they're worried about is that customers in U.S. government would consider their product more secure if they can ensure that the potential attackers in e.g. Russian government don't have access to that source code.

You can't please all customers if customer wants you to protect them from another potential customer of yours, you have to pick a side and stick to it.

[raesene9]

Well in this case it's not a big problem, as stated in the article Symantec didn't do much business in Russia.

However lets extrapolate and say what if the same thing were applied to Apple or Microsoft, who sell a very large amount of software to countries like China.

Should they forbid China access to their source code due to concerns from US customers.....

Would their shareholders be happy if they did? China is a large market, loss of access to that would be bad for a companies finacial health.

[criley2]

Symantec: "No, our code is audited professionally by the most reputable international firms along international standards of quality. You can review our audit reports and engage with the international body responsible for regulating audits to raise any concerns"

Foreign Gov. Customer: "But what I really want is for my tech spooks to scan pre-selected high value modules for already known and suspected zero day exploits for our own clandestine use"

Symantec: "...."

[raesene9]

What "interational body for regulating audits" would that be, I'm not aware of any such body...?

Also If Symantec won't trust their customers to that degree, why should a foreign government or their key industries trust symantec software?

If a US audit firm audits US software, why should an international government trust that there isn't a US backdoor in there? Or perhaps that the US audits have uncovered issues but instead of patching them they handed them to the NSA for later use in their TAO teams... (wannacry anyone?)

Obviously symantec are free to withdraw from a given market as they have here, but to suggest that trust is a one-way street seems well a bit unbalanced.

[criley2]

I do not personally believe in todays world that national security and software can be separated.

As an American, I certainly would not trust any non-American AV software.

I would assume that all AV made in another country is compromised by that countries government intelligence. That would be a safe assumption.

I would be safer user American AV as an American because despite what the anti-gov propaganda wants us to believe, it's far harder for the NSA to spy on Americans than non-Americans.

Regardless, this entire thread (and your post) seems to treat nation-state actors as inherently innocent, which is so blindly naive that it's difficult to rationally respond to.

But this is the nature of cyberwar. Damaging, effective, wide-spread--- and invisible and plausibly deniable.

Symantec giving source to Russia should be seen as a violation of American national security at this point, because it gives a hostile foreign government a blueprint to attack US networks.

[raesene9]

You've picked me up entirely incorrectly if you think I'm of the opinion that nation state actors are innocent.

My point is if the US treats foreign gov's as dangerous then those foreign gov's should treat the US as dangerous equally, including US software.

Given US software companies international sales volumes that's a massive existential threat to the US economy.

If China/Europ/Russia etc stop using US software products then what will happen to the profits of Microsoft/Google/Apple et al....

My other point was the apparent one-way nature of trust that I felt you were implying. that foreign gov's should trust US software whilst at the same time accepting those software companies do not trust them...