Updated Hewlett Packard Enterprise handed over the source code for its ArcSight security platform to Russian investigators in exchange for being allowed to sell kit in the former Soviet Union.
That's kinda awkward because the Pentagon is one of ArcSight's most high-profile customers. The US military uses the software, which is designed to trawl through millions of log files looking for suspicious activity, in its Secret Internet Protocol Router Network, aka SIPRNet, that manages secure communications for the US intelligence services.
In other words, if there are any exploitable vulnerabilities in the ArcSight code, and therefore in SIPRNet, then the Russians may well also know about them, which would be very handy in snooping on American spies.
"It's a huge security vulnerability," Greg Martin, a former security architect for ArcSight, told Reuters. "You are definitely giving inner access and potential exploits to an adversary."
Red panic: Best Buy yanks Kaspersky antivirus from shelvesREAD MORE
Over the past three years, Russia has insisted that if Western companies want to sell their wares in the country, they have to hand over their blueprints, ostensibly to protect the nation and its citizens from backdoors that could be exploited by Western snoops. HP, Cisco, IBM, McAfee and SAP have all reportedly done so, although Symantec declined on security grounds.
HPE, which sold ArcSight and some other software companies to Micro Focus in May this year, confirmed that the code was revealed at one of its offices outside Russia, and that none of its source left the building. The Russian researchers found no "backdoor vulnerabilities," according to HPE.
"Our source code and products are in no way compromised," a spokeswoman for the enterprise IT goliath added. She also said HPE "always ensures our clients are kept informed of any developments that may affect them."
A Pentagon spokeswoman said, however, that the IT titan had not mentioned the Russian source code examination to its military customers. She added that US military doesn't check off-the-shelf code it buys from vendors, trusting the manufacturer to get the security of its systems right.
According to an April report by the Pentagon's logistics agency, ArcSight "software and hardware are so embedded," that it would be impossible to remove it "absent an overhaul of the current IT infrastructure."
The examination of ArcSight was carried out by Russian outfit Echelon, which works closely with Russia's FSB spy agency. Echelon boss Alexey Markov said it was required to report any uncovered vulnerabilities to the Russian government, but always told vendors about any discovered bugs first.
"If a vulnerability is found, everyone is happy," Markov said. "The developer is happy that a mistake was detected, since by fixing it the product will become better."
Suffice to say, other nations have inspected source code of products from overseas suppliers – such as China and Microsoft. ®
Updated to add
HPE has sent over a full statement, and here it is:
HPE has never and will never take actions that compromise the security of our products or the operations of our customers.
In the past, HPE worked with select third parties to test a narrow set of products for backdoor vulnerabilities before selling into the Russia market. This is a years-old requirement for all companies that has not changed recently. All testing was done in HPE controlled sites and entirely under the supervision of HPE’s Cyber Security specialists, to ensure that our source code and products were in no way compromised.
No backdoor vulnerabilities were detected within Arcsight, which is now part of Micro Focus.