HP Enterprise let Russia read source code for the Pentagon's cybersecurity systems

William Gayde


Hewlett Packard Enterprise (HPE) has allowed the Russian government to review the source code of its ArcSight cyber defense software. This software is the same system used by the Pentagon to secure its computer networks from cyber attacks. The code review was part of an effort for HPE to gain the certifications required to sell its products to the Russian private sector.

The incident, first reported by Reuters, had not previously been disclosed to any US authorities. This is not illegal, though, as there is currently no legislation that prevents companies from sharing source code with foreign governments to win contracts. The code review took place last year, during a period when the US was attributing many high-profile cyber attacks to Russia. HPE has submitted to similar code reviews with Russia in the past; however, it is not alone in sharing its source code. Cisco, IBM, SAP, and countless others do so regularly to maintain foreign contracts.

According to a former security architect for ArcSight, what is so worrisome about this incident is that it is "giving inner access and potential exploits to an adversary." ArcSight works by monitoring a network for potential intrusions or attempts at a cyber attack. If it discovers any suspicious activity, it notifies security analysts of the incident. Knowing how the source code works could allow an enemy to circumvent its defenses without being caught.

The review was conducted by a company called Echelon on behalf of Russia's Federal Service for Technical and Export Control. HPE said that Russia discovered no backdoor vulnerabilities in the code and that no source code was allowed to leave the secured building.


 
How dumb are the pen-pushers at the Pentagon that they didn't write into the contract with HP somewhere that "this source code is the property of the US govt and may not be distributed or shared with any foreign entities"?
 
Is it any wonder that we are getting hacked into oblivion? Between a president who is buddy-buddy with the former head of the KGB and companies that are supposed to be protecting our government sharing source code with the Russians we are bound to be hacked. It's no wonder that the presidential election was compromised!
 
MS gave its source code to China. Most all DoD computers are Windows-based. HP wouldn't do this w/o permission, meaning vetting from US gov.
 
MS gave its source code to China. Most all DoD computers are Windows-based. HP wouldn't do this w/o permission, meaning vetting from US gov.
MS shared/sold its source code to China. Most all DoD computers are Windows-based. HP wouldn't do this w/o permission, meaning vetting from US gov.
Fixed. Since when has M$ given anything away without benefiting from it?
 
Either HPE are very trusting souls or they'll sell their own mothers into slavery to influence their bottom line positively. I'm strongly suspecting the latter.
 
MS gave its source code to China. Most all DoD computers are Windows-based. HP wouldn't do this w/o permission, meaning vetting from US gov.
Why would they ask for permission when there is no law stating that they must do so?

Last time I checked, private companies didn't ask anybody for permission if they don't have to, because that gets in the way of profits.
 
Is it any wonder that we are getting hacked into oblivion? Between a president who is buddy-buddy with the former head of the KGB and companies that are supposed to be protecting our government sharing source code with the Russians we are bound to be hacked. It's no wonder that the presidential election was compromised!

Pull your head out of the conspiracy sand - you win the ignorant comment of the day award!
 
Who's to say it's the real source code or just the code the CIA/NSA wants you to see. ;)

I'd share too; if I were them. A good way to see just how good your adversaries really are.

"no backdoor vulnerabilities discovered by Russia" Exactly! Now they think they are safe! Got ya right where we want you. hehe
 
How dumb are the pen-pushers at the Pentagon that they didn't write into the contract with HP somewhere that "this source code is the property of the US govt and may not be distributed or shared with any foreign entities"?

I would have assumed the Pentagon would have written its own proprietary software.
 
Lawmakers in Washington, DC are far too busy doing other important things like attempting to repeal Obamacare for the god knows how manyeth time, disenfranchising voters of their voting rights, refusing to vote on Supreme Court justices, rewriting the tax code so that it will skyrocket the US national debt even though they complained ad infinitum that Obama was skyrocketing the national debt, and on and on, to vote on unimportant matters like this.
 
Quite disappointing comments. Apparently, most people are not aware of the fact that secure systems should NOT rely on obscurity, but on proper design. E.g. a cryptographic algorithm should never be based on the assumption that the adversary doesn't know how it works, but only on the strength of the keys combined with a proper algorithm, which can and should be published.

The same goes for security software in general: if your security depends on no one knowing your code, then your security is non-existent. The code could be stolen or flaws could be discovered independently.

If the code is well written and does not contain any design flaws or backdoors, then knowledge of the code does not confer any benefit to an attacker.

The major goal of such a code review is to establish that there are no backdoors and that's perfectly legitimate.
 
Quite disappointing comments. Apparently, most people are not aware of the fact that secure systems should NOT rely on obscurity, but on proper design. E.g. a cryptographic algorithm should never be based on the assumption that the adversary doesn't know how it works, but only on the strength of the keys combined with a proper algorithm, which can and should be published.

The same goes for security software in general: if your security depends on no one knowing your code, then your security is non-existent. The code could be stolen or flaws could be discovered independently.

If the code is well written and does not contain any design flaws or backdoors, then knowledge of the code does not confer any benefit to an attacker.

The major goal of such a code review is to establish that there are no backdoors and that's perfectly legitimate.

Yes, but this is like asking someone convicted of several bank robberies to check the security of a new safe at a bank.

"The fox guarding the henhouse"
 
How dumb are the pen-pushers at the Pentagon that they didn't write into the contract with HP somewhere that "this source code is the property of the US govt and may not be distributed or shared with any foreign entities"?

If the code was developed 100% with HP money - no govt funding anywhere, not so much as a single cent - they can't. The DoD can't even give another American defense contractor access to allow for competition on contracts. If a private company builds it themselves, then it is theirs to do with as they see fit.

However, if govt money is used in the development of a product, the government owns that product. They can re-distribute that technology - or block its distribution - as they see fit.

Now, what is surprising is that they didn't work in some kind of disclosure/non-disclosure agreement, so the DoD would be made aware anytime a foreign government or corporation was allowed to review the code.
 
And which list does this source code fall under, exactly? NPT? Any of the dual-use lists? Bio-chem? The only lists it could potentially run afoul of are sanctions lists. Just because we have EX/IM policies in place doesn't mean HP violated them in this particular case.

IANAL, but maybe this helps. "the regulations contain an important “catch-all” category known as “EAR 99” for all items not specifically listed on the CCL, but covered by the EAR. Because the EAR is expansive, the items covered by the EAR 99 catch-all are also expansive. By definition, the reach of EAR export controls extends to (i) all items exported from the United States, (ii) all U.S.-origin items wherever located, (iii) foreign-made commodities “bundled” with U.S.-origin software, and (iv) qualified foreign made direct software." (https://www.millercanfield.com/resources-alerts-845.html) Doesn't seem that the recipient has to be, or be within, an embargoed nation state for the export to be restricted.
 
Quite disappointing comments. Apparently, most people are not aware of the fact that secure systems should NOT rely on obscurity, but on proper design. E.g. a cryptographic algorithm should never be based on the assumption that the adversary doesn't know how it works, but only on the strength of the keys combined with a proper algorithm, which can and should be published.

The same goes for security software in general: if your security depends on no one knowing your code, then your security is non-existent. The code could be stolen or flaws could be discovered independently.

If the code is well written and does not contain any design flaws or backdoors, then knowledge of the code does not confer any benefit to an attacker.

The major goal of such a code review is to establish that there are no backdoors and that's perfectly legitimate.
IMO, knowledge of the code gives you knowledge of where the cryptography takes place, potentially giving an attacker knowledge of where to inject malicious code. Is this not what hackers do? If they get access to the keys, obviously all bets are off. Strong cryptography and keys are obviously essential in establishing secure environments; however, keeping the source code secret will only enhance the security of the code as I see it.

That Russia claims no vulnerabilities were found is specious at best. If they did find any, I highly doubt they would be upfront about it, especially given the fact that the source code is used at what is to them almost certainly a high-value target.

I guess HP (or one of its junior in-house lawyers) felt that this ( https://www.state.gov/strategictrade/overview/ ) didn't apply.

And which list does this source code fall under, exactly? NPT? Any of the dual-use lists? Bio-chem? The only lists it could potentially run afoul of are sanctions lists. Just because we have EX/IM policies in place doesn't mean HP violated them in this particular case.
So? So we should allow everyone making software for every secure environment to share that software with anyone they please? Absence of a restriction should not be an excuse for an action like this, IMO.
 
This topic clearly demonstrates that not many here have coding or business experience at this level, but are reacting to the obvious emotional conjecture that reading code is the same as stealing it. It's common practice to review software implementations when requesting an RFPQ for critical software. I've intentionally left RFPQ undefined as proof of my assertion here.
 
IMO, knowledge of the code gives you knowledge of where the cryptography takes place, potentially giving an attacker knowledge of where to inject malicious code. Is this not what hackers do? If they get access to the keys, obviously all bets are off. Strong cryptography and keys are obviously essential in establishing secure environments; however, keeping the source code secret will only enhance the security of the code as I see it.

That Russia claims no vulnerabilities were found is specious at best. If they did find any, I highly doubt they would be upfront about it, especially given the fact that the source code is used at what is to them almost certainly a high-value target.


So? So we should allow everyone making software for every secure environment to share that software with anyone they please? Absence of a restriction should not be an excuse for an action like this, IMO.

Then write to your senator and get the law changed. But you can't retroactively apply the laws, and the law doesn't currently prevent what just happened.

We also don't know the context of the contract with the DoD. For all we know this software was just used on the computers of the receptionists, systems and networks that would never handle anything more sensitive than basic responses to press inquiries. The DoD rarely buys COTS for anything involving national defense, including software. They prefer bespoke just so they know exactly what they are getting, and know that this very situation is covered by existing EX/IM policies.
 
IANAL, but maybe this helps. "the regulations contain an important “catch-all” category known as “EAR 99” for all items not specifically listed on the CCL, but covered by the EAR. Because the EAR is expansive, the items covered by the EAR 99 catch-all are also expansive. By definition, the reach of EAR export controls extends to (i) all items exported from the United States, (ii) all U.S.-origin items wherever located, (iii) foreign-made commodities “bundled” with U.S.-origin software, and (iv) qualified foreign made direct software." (https://www.millercanfield.com/resources-alerts-845.html) Doesn't seem that the recipient has to be, or be within, an embargoed nation state for the export to be restricted.

That still assumes the software in question falls under EAR at all. If all they used it for was to protect non-defense systems and networks, it gets pretty difficult to classify this as export-restricted IP. Without knowing either the source code or what exactly the DoD used the software for, we can't say one way or another whether the software is subject to any export compliance controls, but I put it at long odds that it was.

Companies this size have entire departments dedicated to ensuring compliance with EAR, ITAR, and other export controls. The likelihood they messed up this bad is extremely slim, and if it was illegal, you would have been hearing about the DoD cracking down on them already.
 