HEWLETT PACKARD ENTERPRISE (HPE) allowed a Russian defence agency to inspect the source code of cybersecurity software used by the Pentagon.
The move, which may have provided Russia with information about vulnerabilities in software widely used by the US armed forces and many large businesses, was first reported by Reuters. According to that report, HPE allowed Russian authorities to inspect the code base of its ArcSight cyber defence software, which is used to spot intrusions and unusual activity on networks.
HPE allowed the code review last year. It was carried out by Echelon, a company with ties to the Russian military, on behalf of Russia's Federal Service for Technical and Export Control (FSTEC), a defence agency, because it intended to sell the software to Russian public sector institutions and private sector companies.
Allowing code inspections by foreign governments is not unknown, and indeed may be a requirement for tech companies wanting to do business in Russia; SAP and Cisco have submitted to similar processes in order to break into the Russian market. But the fact that ArcSight is used extensively in a defensive capacity by the Pentagon makes it a very sensitive issue. Symantec declined to offer up its code for review for this reason.
The issue illustrates the dangers in using commercial software in a vital defensive role.
A spokesperson for the Pentagon said that HPE had not disclosed the fact of the inspection by Echelon to the US authorities, while HPE declined to say whether it had or not.
While the Russian agency was not permitted to remove the source code from where the review took place, security experts believe that simply studying it could allow a trained reviewer to spot certain vulnerabilities. This view is shared by six former US intelligence officials and previous ArcSight employees (the firm was purchased by Hewlett-Packard in 2010) who said the source code review could potentially aid the Russians in any attack on US defences.
"It's a huge security vulnerability," said Greg Martin, a former security architect at ArcSight. "You are definitely giving inner access and potential exploits to an adversary."
An in-depth understanding of ArcSight's cyber intelligence and intrusion detection software would certainly be advantageous to an attacker, but it would not on its own be sufficient to allow an attacker entry into US defensive systems, being just one in a series of defensive shields.
Nevertheless, it could allow an attacker to conceal their activities. At a time when Russia stands accused of increased hostile activity in cyberspace, including manipulating the US presidential elections, the news that HPE allowed the code inspection, apparently without informing the authorities, will not go down well with ArcSight's user base.
HPE has not disclosed the extent of its commercial activities in Russia, but ArcSight is known to be used by a number of businesses in the country including VTB Bank and the Rossiya Segodnya media group, both of which are known to have Kremlin ties. In the US it is used extensively in the Armed Forces.