Some argue the source code review could make it easier for Russia to find weaknesses in ArcSight, a key US military security monitoring tool
Hewlett-Packard Enterprise (HPE) has acknowledged it allowed a firm working on behalf of the Russian military to review the source code of a computer security tool called ArcSight that is an integral part of the cyber defence systems of the Pentagon and other areas of the US military.
Source code exposure
Such reviews are commonly required by some governments, including those of Russia and China, in order to ensure software doesn’t allow surreptitious access by the US government. The reviews are a precondition for companies such as HPE and Microsoft to sell their products to government-linked organisations in those countries.
But some argue that even if carried out under tightly controlled conditions, they may make it easier for experts working on behalf of hostile governments to spot security vulnerabilities in the software that has been reviewed.
“It’s a huge security vulnerability,” Greg Martin, a former security architect for ArcSight, told Reuters. “You are definitely giving inner access and potential exploits to an adversary.”
HPE acknowledged the review, which it said took place in its own facility outside of Russia, but said its products’ security and the operations of its customers weren’t compromised.
“All testing was done in HPE controlled sites and entirely under the supervision of HPE’s cyber security specialists, to ensure that our source code and products were in no way compromised,” HPE said in a statement provided to Silicon.
It added that “no backdoor vulnerabilities” were found in ArcSight. A backdoor allows a third party to surreptitiously access and control software.
ArcSight is used across the US military, including the Army, Air Force and Navy, and protects the Pentagon’s Secret Internet Protocol Router Network (SIPRNet), used to transfer classified information, according to military procurement records cited by Reuters.
The tool, first launched in 2000, collects data from sources including PCs, firewalls and servers and alerts system administrators when it detects patterns that may indicate an attack is taking place.
It is also widely used in the private sector and, following the Russian source code review, is now used by Russian state firms and companies with links to the country’s government, including VTB Bank and the Rossiya Segodnya media group.
The review was conducted by Echelon, a company closely tied to the Russian military, on behalf of Russia’s cyber-espionage agency the Federal Service for Technical and Export Control (FSTEC).
HPE said it ensures clients are kept informed about “any developments that may affect them” but the firm didn’t disclose the review to the Pentagon, according to a Pentagon spokeswoman cited by Reuters.
Cisco and SAP are known to have consented to Russian source code reviews, while Symantec declined due to security concerns.
US concern over Russia’s influence in the country has recently led to a review of Russian-backed online advertising during last year’s US presidential election and briefings by the FBI reportedly urging private US companies to drop computer security tools made by Moscow-based Kaspersky Lab.
The US government has taken measures this year to ban Kaspersky’s products from being used by the Department of Defence, with a congressional panel saying the firm’s tools could be used to carry out “nefarious activities against the United States”.
Russia has repeatedly denied interfering in the US elections, while Kaspersky Lab has denied any involvement or data-sharing with the Russian government. Nevertheless Best Buy dropped the company’s popular tools in September, saying there were “too many unanswered questions”.