Enterprise Security

HPE Gave Russia Deep Dive Into Security Software Used by Pentagon

Hewlett Packard Enterprise has allowed experts working with Russia to review the source code of cybersecurity software that is used by the U.S. Defense Department.

The Pentagon uses HPE’s ArcSight software to protect sensitive computer networks. Hewlett-Packard acquired ArcSight in 2010 in a deal valued at US$1.5 billion.

The review was conducted by Russian firm Echelon on behalf of the Russia Federal Service for Technical and Export Control, a defense agency that deals with cybersecurity issues, according to Reuters, which originally broke the story earlier this week.

“HPE has never and will never take actions that compromise the security of our products or the operations of our customers,” the company said in a statement provided to the E-Commerce Times by spokesperson Kate Holderness.

HPE has “worked with select third parties to test a narrow set of products for backdoor vulnerabilities before selling into the Russian market,” the company said, noting that this is a “year’s old requirement” that has not changed recently.

“All testing was done in HPE controlled sites and entirely under the supervision of HPE’s cybersecurity specialists, to ensure that our source code and products were in no way compromised,” HPE said, adding that “no backdoor vulnerabilities were detected within ArcSight.”

Pentagon Protocol

The Defense Department has policies in place to guard against such vulnerabilities, but the level of exposure in this case is not clear.

“Commercial products and services procured and deployed by DoD are evaluated for security risks,” said Heather Babb, a spokesperson for the Pentagon. “The Department has policies in place to address software assurance and supply chain risk management, as well as established security standards to ensure all procured commercial products and service are rigorously inspected for security vulnerabilities.”

ArcSight was “reviewed under the appropriate cybersecurity processes prior to being employed by DoD, and it is continuously evaluated for performance and risk, consistent with department policies,” Babb told the E-Commerce Times. “ArcSight is a single tool and only one component of DoD’s larger defense posture.”

Tense Relations

The report comes at a time of heightened tension between the U.S. and Russia, as U.S. intelligence agencies have concluded that Russia took steps to interfere in the 2016 presidential election.

Hacking organizations backed by the Russian government have been accused of accessing troves of email data belonging to the Democratic Party and officials from Hillary Clinton’s presidential campaign, and then leaking it to Wikileaks, which published it online.

Wikileaks has a history of publishing classified documents from U.S. intelligence agencies and other governments around the world.

More recently, Russian accounts have been linked to major purchases of targeted advertising and the proliferation of fake news on Facebook during the 2016 campaign. Facebook has been cooperating with federal investigators who are looking into whether U.S. operatives or campaign officials played a role in coordinating any of those transactions or activities.

Symantec, developer of Norton Utilities security software, reportedly has refused to meet Russian demands to review source code information.

“Symantec’s global security policies are intended to ensure our products remain uncompromised by third parties,” said Matt Nagel, senior manager of corporate communications at Symantec.

“We do not permit source code inspections by customers, customer appointed agents, foreign governments, foreign bureaus or foreign test centers,” he told the E-Commerce Times.

However, a number of U.S. technology firms, including IBM, Cisco and SAP, have agreed to Russian demands to review their source code, Reuters reported earlier this year, in order to retain access to the lucrative Russian market.

David Jones is a freelance writer based in Essex County, New Jersey. He has written for Reuters, Bloomberg, Crain's New York Business and The New York Times.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories
More by David Jones
More in Enterprise Security

E-Commerce Times Channels