Every single day something happens that makes me think that we are living in an alternate universe. And maybe there is no one to “blame” in this instance. I usually like to put the blame on Donald Trump, but I’m not sure this one has a direct correlation. I am not talking about what happened in Las Vegas on Sunday night. That was certainly tragic. I’m talking about the fact that Hewlett Packard Enterprise (HPE) allowed a Russian defence agency to analyze the source code of cybersecurity software. Maybe there’s some way that this would be OK, but the software is used by the Pentagon. Which, in my opinion, makes this really bad.
The product is called ArcSight, and it is an important piece of cyber defence for the Army, the Air Force and the Navy. Essentially, it provides the military with the ability to identify suspicious activity. For example, a high number of failed login attempts might be a sign of an ongoing cyber attack. Given the sensitive nature of the software, it makes you wonder why a Russian defence agency was allowed to review the code.
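To make concrete the kind of rule the post is describing (a burst of failed logins from one source), here is an added example of a minimal detector in Python. It is not ArcSight’s code and not from the original post; the sshd-style log lines, the IP addresses, and the threshold and window values are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (sshd-style); not taken from any real system.
SAMPLE_LOG = """\
2017-10-02T09:00:01 sshd[1201]: Failed password for admin from 203.0.113.5 port 51000
2017-10-02T09:00:03 sshd[1201]: Failed password for admin from 203.0.113.5 port 51001
2017-10-02T09:00:04 sshd[1202]: Accepted password for alice from 198.51.100.7 port 40010
2017-10-02T09:00:06 sshd[1201]: Failed password for root from 203.0.113.5 port 51002
2017-10-02T09:00:08 sshd[1201]: Failed password for root from 203.0.113.5 port 51003
2017-10-02T09:00:09 sshd[1201]: Failed password for admin from 203.0.113.5 port 51004
2017-10-02T09:00:30 sshd[1203]: Failed password for bob from 198.51.100.7 port 40011
2017-10-02T09:05:00 sshd[1201]: Failed password for admin from 203.0.113.5 port 51005
"""

# Assumed line format for this example; a real SIEM normalises many formats.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "outcome": m.group("outcome"),
        "user": m.group("user"),
        "src": m.group("src"),
    }


def detect_failed_login_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per source IP whose failed logins inside a sliding
    time window reach `threshold`. Successful logins are ignored, and a
    source is alerted on at most once per run to avoid alert storms."""
    recent = defaultdict(deque)  # src -> timestamps of failures still in window
    alerts = []
    alerted = set()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["outcome"] != "Failed":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        # Drop failures that fell out of the sliding window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({
                "src": ev["src"],
                "count": len(q),
                "first": q[0],
                "last": ev["ts"],
            })
    return alerts


if __name__ == "__main__":
    for a in detect_failed_login_bursts(SAMPLE_LOG):
        print(f"ALERT {a['src']}: {a['count']} failed logins between "
              f"{a['first'].time()} and {a['last'].time()}")
```

The sliding window matters: the eighth line is another failure from the same source, but it arrives five minutes later, so on its own it would not trip the rule. A practitioner tuning such a rule would also key on the target account, since an attacker spreading attempts across many source addresses against one user would otherwise stay under a per-source threshold.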
The review was done by a company called Echelon for Russia’s Federal Service for Technical and Export Control. HPE was looking to sell the software in Russia. And while this kind of review is commonly required before outside companies can market these types of products there, it could have helped Russian officials. More specifically, it could have helped them find weaknesses in the software. Which could have led to attacks on US military cyber networks. Do you see why this is bad? Echelon says that it’s required to report software vulnerabilities to the Russian government, but only after letting the software makers know.
According to HPE, reviews are done in an HPE facility under the supervision of HPE staff. They also say that no vulnerabilities were found during this particular review. What’s interesting about this entire thing is that HPE is saying that this wouldn’t have let attackers into military networks, even if they discovered a vulnerability. This is all in theory though. Meanwhile, six former U.S. intelligence officials, former ArcSight employees, and independent security experts all say that the source code review could help Russia discover weaknesses in the software. Which would have led to a cyber attack on the U.S. military.
So who do you believe? Officials at the Pentagon aren’t aware of any hacks or cyber espionage as a result of this process. But the review took place last year, during which time Washington was accusing Moscow of a number of cyberattacks against American companies, U.S. politicians and government agencies, including the Pentagon. So I ask the question again: who do you believe?
Another interesting factor to consider is the process by which Echelon has to report vulnerabilities. They are required to report to both the software company as well as to the Russian government. On one hand, this makes sense. If any government wants to use software, they should also know about its vulnerabilities. But this is such a risky situation because of the issues that the American people have with Russia. And rightfully so. Russia also asks about the vulnerabilities because they too are paranoid. They want to make sure that the U.S. hasn’t placed any espionage tools in the software.
Again, all of this makes sense, in theory. It seems untrustworthy though. Perhaps the issue is not in the review process, but in the fact that HPE can create software for the U.S. military, and then take that code and sell it to the Russians for the same thing. Regardless of who the customer is, vulnerabilities could render the software incapable of detecting an attack on a military’s network. Which would make a response to said attack impossible. Procurement records for the U.S. government indicate that ArcSight is used for cyber defence for the U.S. military, including the Army, the Air Force and the Navy.