Hewlett Packard Enterprise (HPE) allowed a Russian defence agency to review the inner workings of cyber defence software used by the Pentagon to guard its computer networks, according to Russian regulatory records and interviews with people with direct knowledge of the issue.
The HPE system, called ArcSight, serves as a cybersecurity nerve centre for much of the United States military, alerting analysts when it detects that computer systems may have come under attack. ArcSight is also widely used in the private sector.
The Russian review of ArcSight’s source code, the closely guarded internal instructions of the software, was part of HPE's effort to win the certification required to sell the product to Russia’s public sector, according to the regulatory records seen by Reuters and confirmed by a company spokeswoman.
Six former US intelligence officials, as well as former ArcSight employees and independent security experts, said the source code review could help Moscow discover weaknesses in the software, potentially helping attackers to blind the US military to a cyber attack.
“It’s a huge security vulnerability,” said Greg Martin, a former security architect for ArcSight. “You are definitely giving inner access and potential exploits to an adversary.”
Despite the potential risks to the Pentagon, no one Reuters spoke with was aware of any hacks or cyber espionage that were made possible by the review process.
The ArcSight review took place last year, at a time when Washington was accusing Moscow of an increasing number of cyber attacks against American companies, US politicians and government agencies, including the Pentagon. Russia has repeatedly denied the allegations.
The case highlights a growing tension for US technology companies that must weigh their role as protectors of US cybersecurity while continuing to pursue business with Washington’s adversaries such as Russia and China, say security experts.
The review was conducted by Echelon, a company with close ties to the Russian military, on behalf of Russia's Federal Service for Technical and Export Control (FSTEC), a defence agency tasked with countering cyber espionage.
Echelon president and majority owner Alexey Markov said in an email to Reuters that he is required to report any vulnerabilities his team discovers to the Russian government.
But he said he does so only after alerting the software developer of the problem and getting its permission to disclose the vulnerability. Echelon did not provide details about HPE's source code review, citing a non-disclosure agreement with the company.
FSTEC confirmed Markov's account, saying in a statement that Russian testing laboratories immediately inform foreign developers if they discover vulnerabilities, before submitting a report to a government “database of information security threats.”
One reason Russia requests the reviews before allowing sales to government agencies and state-run companies is to ensure that US intelligence services have not placed spy tools in the software.
HPE said no "backdoor vulnerabilities" were discovered in the Russian review. It declined to provide further details.
HPE said it allows Russian government-accredited testing companies to review source code in order to win the Russian defence certifications it needs to sell products to Russia's public sector.
An HPE spokeswoman said source code reviews are conducted by the Russian testing company at an HPE research and development centre outside of Russia, where the software maker closely supervises the process.
No code is allowed to leave the premises, and HPE has allowed such reviews in Russia for years, she said.
Those measures ensure “our source code and products are in no way compromised,” she said.
Some security experts say that studying the source code of a product would make it far easier for a reviewer to spot vulnerabilities in the code, even if they did not leave the site with a copy of the code.
In a 2014 research paper, Echelon directors said the company discovered vulnerabilities in 50 per cent of the foreign and Russian software it reviewed.
Still, security analysts said the source code review alone, even if it yielded information about vulnerabilities, would not give hackers easy entry into the military systems. To infiltrate military networks, hackers would need to first overcome a number of other security measures, such as firewalls, said Alan Paller, founder of the SANS Institute, which trains cybersecurity analysts.
Paller also said HPE's decision to allow the review was not surprising. If tech companies like HPE want to do business in Russia, “they don’t really have any choice,” he said.
HPE declined to disclose the size of its business in Russia, but Russian government tender records show ArcSight is now used by a number of state firms and companies close to the Kremlin, including VTB Bank and the Rossiya Segodnya media group.