>> US-based software companies allowed Russian authorities to examine their source code. The revelation raising fears Russian spies could be able to breach security systems and programs used by the Pentagon, the State Department, the FBI and the intelligence community. Reuters reported in October that Russian military contractors had seen the source code for ArcSight, which is used to secure the Pentagon's computers.
But reporter Joel Schectman has learned the phenomenon may be far more widespread.
>> The U.S. software industry saw Russia as being an area of growth. But in order to tap that market they had to play by Russian rules. Russia does have, in some ways, very justifiable concerns that the US is going to plant spyware inside of the software that's being sold there.
And so for that reason they've demanded these source code reviews to look to see if there are any vulnerabilities that are implanted in there.
>> Schectman's review found Russia has scrutinized software and networks responsible for guarding intelligence agencies, NASA, military bases, diplomatic communications and health records coming from major companies like SAP, Symantec and McAfee.
In all, at least a dozen federal agencies are potentially jeopardized according to lawmakers and security experts.
>> There was a time when the US government would commission custom-made software for high security systems. But nowadays, by and large, the US government mainly relies upon stuff that's straight off the shelf.
The US Government cannot really control what's done with off-the-shelf software and who it gets sold to or what process it goes through. At the end of the day, both the US Government and the software manufacturers see the government as just being another customer, it's another company-customer relationship, and just like any other customer, they can't really make that kind of demand.
>> While Reuters has not found any instances where a source code review played a role in an actual cyber attack, Capitol Hill has still taken notice.
>> The Pentagon acknowledged in a recent letter to New Hampshire Senator Jeanne Shaheen that allowing source code reviews by Russia or China, quote, may aid such countries in discovering vulnerabilities in those products.
Now Shaheen is drafting legislation requiring government contractors to notify government agencies whether technology they purchase has had its code inspected. Most government agencies declined to comment when asked about the software they use. And for now there's no sign that they have abandoned any of these systems which have become deeply ingrained in their operations.