Hewlett Packard Enterprise Let Russia Review the Source Code of a Cyberdefense System Used by Pentagon
Hewlett Packard Enterprise allowed a defense agency in Russia to review the source code of its ArcSight cyberdefense software that is also used by the Pentagon to secure its computer networks, a Reuters report reveals.
The publication, citing "Russian regulatory records and interviews with people with direct knowledge of the issue" suggests that the source code of ArcSight, the HPE system that the US military uses, was reviewed by the Kremlin in an effort on part of HPE to win the defense certification required for companies to sell their products in the country.
The Russian review of ArcSight hasn't been reported or flagged by the US authorities as yet as Reuters appears to be the first to report the review. While the code review has been confirmed by a HPE spokesperson, in its defense, HPE said the review is done under the close supervision of the software maker that ensures no code ever leaves the premises. Those measures ensure "our source code and products are in no way compromised," the company spokesperson added.
The US intelligence officials, however, warn that the review could help Russia discover weaknesses in the software, helping them to "blind the U.S. military to a cyber attack."
“It’s a huge security vulnerability,“ said Greg Martin, a former security architect for ArcSight. ”You are definitely giving inner access and potential exploits to an adversary.”
HPE's ArcSight monitors a network for potential intrusions or attempts at a cyberattack, notifying analysts of these intrusions or any suspicious activities. Knowing the source code and any vulnerabilities in it enables the governments to theoretically circumvent these checks and successfully breach a network (using network security flaws) without being caught - although it is never this straightforward in the real world to break into the networks of the likes of the Pentagon (not impossible, though).
Russia reviews the source code to spot any backdoors introduced by the US
While US might have its reservations, Russian government demands for source code review for the same reasons - to see if the US intelligence agencies have introduced any backdoors to the software that the companies sell to the Russian government agencies and public companies in the country. The private technology companies don't get a choice to avoid these reviews - both in the Russia and the United States itself - if they wish to do business in the country.
"The review was conducted by Echelon, a company with close ties to the Russian military, on behalf of Russia’s Federal Service for Technical and Export Control (FSTEC), a defense agency tasked with countering cyber espionage," Reuters said.
The latest report comes at the heels of the US government banning the use of Moscow-based Kaspersky products in the government agencies. While HPE says that the source code didn't reveal any vulnerabilities or backdoors to the Russian government, it is quite possible that company's ArcSight will meet a similar fate.