Major IT company Hewlett Packard Enterprise allowed a Russian defense agency to conduct a source code review of ArcSight, cyber defense software used by the Pentagon, according to Reuters. ArcSight is deployed across much of the U.S. military to alert analysts in real time when computer systems are under attack.
Hewlett reportedly allowed the Russian review of ArcSight in order to obtain the certification required to sell the software to the Russian public sector. Experts explain how such a review could allow Russia to identify weaknesses in the Pentagon's software and thus blind the U.S. military to future cyberattacks.
The review took place in 2016 and was undertaken by the Russian company Echelon under the supervision of the Russian defense agency, the Federal Service for Technical and Export Control (FSTEC). FSTEC stated that it informs foreign developers of discovered vulnerabilities before reporting information security threats to the government. The Russian government also conducts reviews of foreign developers' software to ensure that no U.S. intelligence spy tools are present.
Hewlett stated that Russia has conducted source code reviews of its products for years, that the process is closely supervised by the company, and that no code leaves the review premises.
Furthermore, security analysts stated that a source code review alone is not enough for hackers to access military systems, as numerous other security measures would still have to be bypassed. Nonetheless, former ArcSight employee Allen Pomeroy said that if vulnerabilities in ArcSight's source code were exploited, the software would be unable to detect cyberattacks on U.S. military networks.
ArcSight is so heavily embedded in the Pentagon's IT infrastructure that the DoD could not consider switching to a competitor in the foreseeable future.
The Pentagon's network management arm, the Defense Information Systems Agency (DISA), indicated that Hewlett did not disclose the ArcSight review to the department. However, DISA added that military contract vendors are not required to disclose source code reviews by foreign governments. The agency instead evaluates software against security standards set by the vendors themselves.
Reuters reports that ArcSight is currently used by numerous Russian companies and state firms, notably the Rossiya Segodnya media group and VTB Bank. Russia has increasingly demanded source code reviews from foreign tech companies hoping to do business in the country, while U.S. intelligence agencies accuse the country of cyberattacks on the U.S. mainland.