HP Enterprise allowed a Russian defense agency to inspect the source code of cybersecurity software used by the Pentagon.
The move may provide Russia with information about vulnerabilities in software widely used by the US armed forces and many large businesses. It is claimed that HPE allowed Russian authorities to inspect the code base of its ArcSight cyber defense software, which is used to spot intrusions and unusual activity on networks.
HPE allowed the code review last year because it intended to sell the software to Russian public-sector institutions and private-sector companies. The review was carried out by Echelon, a company with ties to the Russian military.
Allowing code inspections by foreign governments is not unknown, and indeed may be a requirement for tech companies wanting to do business in Russia. SAP and Cisco have submitted to similar processes to break into the Russian market. But the fact that ArcSight is used extensively in a defensive capacity by the Pentagon makes it a very sensitive issue.
According to the Pentagon, HPE had not disclosed the fact of the inspection by Echelon to the US authorities. HPE declined to say whether it had or not.
While the Russian agency was not permitted to remove the source code, security experts believe that the inspection allows a trained reviewer to spot certain vulnerabilities.
This view is shared by six former US intelligence officials and former ArcSight employees, who said the source code review could potentially aid the Russians in any attack on US defenses.
“It’s a huge security vulnerability,” said Greg Martin, a former security architect at ArcSight.
It allows an attacker to conceal their activities. At a time when Russia stands accused of increased hostile activity in cyberspace, including manipulating the US presidential elections, the fact that HPE allowed the code inspection, apparently without informing the authorities, will not go down well with ArcSight’s user base.
HPE has not disclosed the extent of its commercial activities in Russia. But ArcSight is known to be used by several businesses in the country.