Why Avast won't show source code to the government, but others do

Antivirus and security firms that serve enterprise and government customers on occasion disclose their source code to acquire lucrative contracts.
Written by Zack Whittaker, Contributor

NEW YORK -- Ask a chief executive of any security company what the crown jewel of their business is, and they'll tell you it's the source code.

In a day and age of government spying, hackers, and backdoors, there's a great deal of mistrust and paranoia in the tech industry.

Governments particularly are on edge that other states are using tech firms to get access to their most critical systems and data, including the US government, which has been shown to conduct industrial espionage (despite its claims that it doesn't).

It's no surprise that this air of deception has led some countries, like Russia as far back as 2003, and more recently China, to seek access to source code in order to approve or certify products in their countries.

"No, we refuse to hand over source code," said Vince Steckler, chief executive of Avast, in an hour-long conversation in our New York newsroom late last month.

"We kinda feel left out," said Steckler, jokingly. "We got the number one footprint in the world, and we've got the biggest install base in the world, and nobody has ever come to us asking us for our source code," he said.

"We haven't had the chance to say no," he said, smiling.

Avast, a Prague, Czech Republic-based security firm and software antivirus maker, has about 230 million users, which according to Steckler's figures and estimates makes the company's consumer antivirus footprint the largest in the world, taking about 30 percent of the PC market outside China.

So it comes as little surprise that Avast was targeted by the US National Security Agency, a revelation which came from one of the documents leaked by whistleblower Edward Snowden. In an effort known as "Project Camberdada," the US intelligence agency, with help from its British counterpart GCHQ, aimed to subvert and reverse engineer antivirus and security software to find vulnerabilities that would allow the agencies "the highest privileges with just one shot," according to The Intercept, which first reported the story.

A total of 22 other foreign companies were on the NSA's target list, but notably absent was British antivirus provider Sophos and US security firms Symantec and McAfee.

Steckler, who held a number of executive positions at security giant Symantec, said that security firms that have enterprise and government clients open themselves up to more scrutiny. He said some US companies, including his former employer, would share their data with government agencies to secure long-term contracts.

Avast, with a focus on the consumer market, may be a target for the NSA, but not for its code.

Symantec confirmed in an email that it "has permitted source code review in controlled environments to meet government requirements for certain product certifications, such as Common Criteria certification."

This does not include malware signatures and definitions, but the company will share threat data to help prevent cybercrime.

The Sunnyvale, Calif.-based security company is known to serve the US government and military and other nation states. In 2012, hackers stole what the company said was a "segment" of its source code, thought to be stored on an insecure Indian government network, though Symantec said at the time that "nothing indicates that we ever shared any kind of code with the Indian government, ever."

How the Indian government got the source code remains a mystery.

Giving assurances to one country, and receiving government certification, can harm a security company in another. China, a known cyber-adversary of the US, accused Symantec last year of including backdoors that could allow outside access -- though it did not specifically say how -- and banned the product from the country.

Intel, which acquired McAfee in 2011 for $7.7 billion said in a statement that it was company policy "to not share anything with governments or partners that could be used to weaken the effectiveness of our security products."

A spokesperson for Intel said the company would "decline to cooperate" if asked.

Touted as one of the largest providers of security technology to the US government, the company did not respond to numerous requests for further comment when asked if McAfee had at any point prior to the Intel acquisition turned over any of its source code.

Sophos, which provides antivirus and security products to the UK government, said in a statement that it does not give source code to government agencies, and it is "not aware" of any government agency possessing it.

However, a spokesperson added that the company "would provide source code if we are required to do some custom development work and the customer requires that associated code as part of the agreed offer."

Steckler said it's sometimes the price you pay for operating in the security industry, a fragmented market where some companies aren't allowed to operate because of concerns about nation state spying, or because of a geopolitical conflict.

He said US businesses should "think twice" about using Russian security software, just as the Russian government would be "crazy" to use an Israeli hardware, for example.

"Spy agencies exist to spy," said Steckler. "There's nothing is inherently wrong with it, you just need to be aware of it."

Editorial standards