HPE let a Russian defense agency review ArcSight source code, aka the inner magic of the cybersecurity product, according to Russian regulatory records and interviews with people with direct knowledge of the issue, Reuters reported.
ArcSight is used as a cybersecurity nerve center for much of the U.S. military, raising alerts when something suspicious is happening on the network. The software falls under Security Information and Event Management (SIEM) and log management solutions.
The Russian review of ArcSight’s source code, the closely guarded internal instructions of the software, was part of HPE’s effort to win the certification required to sell the product to Russia’s public sector, according to the regulatory records seen by Reuters and confirmed by a company spokeswoman.
Now what is the problem with that, you ask?
Six former U.S. intelligence officials, as well as independent experts and a former employee of the company, said that the ArcSight source code review could help Russia discover weaknesses in the software and potentially limit its ability to detect future cyber attacks on the U.S. military.
“It’s a huge security vulnerability,” said Greg Martin, a former security architect for ArcSight. “You are definitely giving inner access and potential exploits to an adversary.”
The ArcSight source code review happened last year, at a time when the U.S. was already accusing Russia of an increasing number of cyber attacks on U.S. government agencies and politicians. Russia has repeatedly denied any involvement in the attacks.
Here is a picture from Reuters that explains how ArcSight works:
According to Reuters, the review was conducted by Echelon, a company with close ties to the Russian military, on behalf of Russia’s Federal Service for Technical and Export Control (FSTEC), a defense agency tasked with countering cyber espionage.
One reason Russia requests the reviews before allowing sales to government agencies and state-run companies is to ensure that U.S. intelligence services have not placed spy tools in the software.
You could argue that it is fair game for government agencies to review a vendor’s code to make sure it is not vulnerable or backdoored, but when the software in question protects the nerve center of the U.S. military, some people are concerned. After all, process is key to security, and no one wants to be the next Deloitte.