Hewlett Packard Enterprise (HPE) shared at least some of the source code for software used in the Pentagon’s cyber defenses with Russian defense agencies, Reuters reports, in a bid to win their business. The product in question, ArcSight, is a security information and event management (SIEM) platform: it collects and logs network and security data in real time, analyzes threats and ranks them by severity, provides end-to-end network and security monitoring, and simplifies auditing.
Russian regulatory records and an ArcSight spokesperson confirmed that the Russians were given access to the company’s source code, the report said, though the report does not say how much of the source code was reviewed, or under what conditions the Russians were allowed to analyze it.
“It’s a huge security vulnerability,” Greg Martin, a former security architect for ArcSight, told Reuters. “You are definitely giving inner access and potential exploits to an adversary.”
The review was conducted by Echelon, a Russian company with close ties to the Russian military. Echelon’s president, Alexey Markov, confirmed that he is required to report any backdoors or security vulnerabilities he finds to the Russian government, though he also stated that he would first notify the software developer and obtain its permission before disclosing the vulnerability in question.
Image by Reuters
This last claim is hard to square with the first. Even if Markov notifies HPE (or any other vendor) of every flaw Echelon finds, the two statements cannot both hold: either Echelon is required to report flaws to the Russian government whether or not the vendor agrees, or it is not required to report them at all. One way or the other, someone holds veto power over how, and to whom, a discovered flaw is disclosed.
HPE has said the Russian review found no backdoors, and that it allows Russian companies this level of access so they can verify there are no intelligence tools embedded in the final product.
The Messy Collision Between Commerce and Security
Balancing the need for security against the practical requirements of commerce creates a major fault line between America’s national security interests, Russia’s security interests, and the companies that would like to sell to both. The US government would never adopt critical cybersecurity software if it believed the software contained a backdoor or other flaw that a potential adversary could exploit.
The Russians feel the same way, of course. Huawei, a major Chinese vendor, has faced scrutiny and suspicion in the United States and around the world. The typical argument has been that Huawei’s equipment might contain backdoors giving the Chinese government access to information. Huawei denies all of these allegations, though a 2012 investigation found critical vulnerabilities in two of its routers.
But while HPE’s decision to share source code is not unusual, it is not without risk. Security audits are difficult and time-consuming (fully auditing a large program can take months or even years), and there is always the chance that something your counterparts find is never reported back to you. We don’t even need to invoke Russia to see examples of this. In the 1970s, the NSA reviewed the Data Encryption Standard and changed its S-boxes; it later emerged that those changes hardened the cipher against differential cryptanalysis, an attack not publicly known until 1990. Decades later, the NSA promoted Dual_EC_DRBG, an elliptic-curve random number generator widely believed to contain a backdoor only the agency could use, and reportedly paid RSA Security $10 million to make it the default random number generator in the RSA BSafe cryptographic library.
In the 1970s, in other words, the NSA worked to create and distribute a safer cryptographic standard. In the mid-2000s, it was actively promoting a standard it is believed to have known it could break. Intelligence agencies have every reason to keep vulnerabilities and weak points to themselves, and few would argue a corporate agreement should trump national security, regardless of which side you’re on.