HP Enterprise let Russia read source code for the Pentagon's cybersecurity systems

By William Gayde · 27 replies
Oct 2, 2017
Post New Reply
  1. Hewlett Packard Enterprise (HPE) has allowed the Russian government to review the source code of its ArcSight cyber defense software. This software is the same system used by the Pentagon to secure its computer networks from cyber attacks. The code review was part of an effort for HPE to gain the certifications required to sell its products to the Russian private sector.

    The incident, first discovered by Reuters, had not been previously reported to any US authorities. This is not illegal though as there is currently no legislation that prevents companies from sharing source code with foreign governments to win contracts. The code review took place last year during a time when the US was blaming many high profile cyber attacks on Russia. HPE has had many similar code reviews with Russia in the past, however, they are not alone in sharing their source code. Cisco, IBM, SAP, and countless others do it regularly to maintain foreign contracts.

    According to a former security architect for ArcSight, what is so worrisome about this incident is that it is "giving inner access and potential exploits to an adversary." ArcSight works by monitoring a network for potential intrusions or attempts at a cyber attack. If it discovers any suspicious activity, it notifies security analysts of the incident. Knowing how the source code works could allow an enemy to circumvent its defenses without being caught.

    The review was conducted by a company called Echelon and on behalf of Russia's Federal Service for Technical and Export Control. HPE said that there were no backdoor vulnerabilities discovered by Russia in the code and that no source code was allowed to leave the secured building.

    Permalink to story.

  2. Theinsanegamer

    Theinsanegamer TS Evangelist Posts: 1,152   +1,174

    How dumb are the pen-pushers at the pentagon that they didnt write into the contract with HP somewhere that "this source code is the property of the US govt and may not be distributed or shared with any foreign entities"?
    Capaill, Reehahs and HyperPete like this.
  3. Uncle Al

    Uncle Al TS Evangelist Posts: 4,105   +2,597

    Who needs Snowden, our own companies are putting the screws to us!
  4. MoeJoe

    MoeJoe Banned Posts: 837   +440

  5. HyperPete

    HyperPete TS Enthusiast Posts: 31   +12

    Is it any wonder that we are getting hacked into oblivion? Between a president who is buddy-buddy with the former head of the KGB and companies that are supposed to be protecting our government sharing source code with the Russians we are bound to be hacked. It's no wonder that the presidential election was compromised!
  6. mbalensiefer

    mbalensiefer TS Enthusiast Posts: 53   +26

    MS gave its source code to China. Most all DoD computers are Windows-based. HP wouldn't do this w.o permission meaning vetting from US gov.
  7. That's what I was thinking, whether right or wrong.
  8. Skidmarksdeluxe

    Skidmarksdeluxe TS Evangelist Posts: 8,647   +3,280

    MS shared/sold its source code to China. Most all DoD computers are Windows-based. HP wouldn't do this w.o permission meaning vetting from US gov.
    Fixed. Since when has M$ given anything away without benefiting from it?
    Last edited: Oct 2, 2017
  9. Skidmarksdeluxe

    Skidmarksdeluxe TS Evangelist Posts: 8,647   +3,280

    Either HPE are very trusting souls or they'll sell their own mothers into slavery to influence their bottom line positively. I'm strongly suspecting the latter.
  10. VitalyT

    VitalyT Russ-Puss Posts: 3,937   +2,301

    Makes a good-night read, I'd wager.
  11. Theinsanegamer

    Theinsanegamer TS Evangelist Posts: 1,152   +1,174

    Why would they ask for permission when there is no law stating that they must do so?

    last time I checked, private companies didnt ask anybody for permission if they dont have to, because that gets in the way of profits.
  12. BadThad

    BadThad TS Booster Posts: 176   +87

    Pull your head out of the conspiracy sand - you win the ignorant comment of the day award!
    havok585 likes this.
  13. Cycloid Torus

    Cycloid Torus Stone age computing. Posts: 3,491   +914

    Godel likes this.
  14. war59312

    war59312 TS Booster Posts: 132   +11

    Who's to say it's the real source code or just the code the CIA/NSA want's you to see. ;)

    I'd share too; if I were them. A good way to see just how good your adversaries really are.

    "no backdoor vulnerabilities discovered by Russia" Exactly! Now they think they are safe! Got ya right where we want you. hehe
    Cycloid Torus likes this.
  15. namesrejected

    namesrejected TS Guru Posts: 398   +301

    I would have assumed the Pentagon would have written its own proprietary software.
  16. wiyosaya

    wiyosaya TS Evangelist Posts: 2,746   +1,310

    Lawmakers in Washington, DC are far too busy doing other important things like attempting to repeal Obamacare for the god knows how manyith time, disenfranchising voters of their voting rights, refusing to vote on supreme court justices, rewriting the tax code so that it will skyrocket the US National debt even though they complained ad-infinitum that Obama was skyrockting the national debt and on and on to vote on unimportant matters like this.
  17. AmadeusITS

    AmadeusITS TS Rookie

    Quite disappointing comments. Apparently, most people are not aware of the fact that secure systems should NOT rely on obscurity, but on proper design. e.g. a cryptographic algorithm should never be based on the assumption that the adversary doesn't know how it works, but only on the strength of the keys combined with a proper algorithm, which can and should be published.

    The same goes for security software in general: if your security depends on no one knowing your code, then your security is non-existent. The code could be stolen or flaws could be discovered independently.

    If the code is well written and does not contain any design flaws or backdoors, then knowledge of the code does not confer any benefit to an attacker.

    The major goal of such a code review is to establish that there are no backdoors and that's perfectly legitimate.
  18. namesrejected

    namesrejected TS Guru Posts: 398   +301

    Yes, but this is like asking someone convicted of several bank robberies to check the security of a new safe at a bank.

    "The fox guarding the henhouse"
  19. mbrowne5061

    mbrowne5061 TS Evangelist Posts: 929   +469

    If they code was developed 100% with HP money - no govt funding anyhere, not so much as a single cent - they can't. The DoD can't even give another American defense contractor access to allow for competition on contracts. If a private company builds it themselves, then it is theirs to do with as they see fit.

    However, if govt money is used in the development of a product, the government owns that product. They can re-distribute that technology - or block its distribution - as they see fit.

    Now, what is surprising is that they didn't work in some kind of disclosure/non-disclosure agreement, so the DoD would be made aware anytime a foreign government or corporation was allowed to review the code.
  20. mbrowne5061

    mbrowne5061 TS Evangelist Posts: 929   +469

    And which list does this source code fall under, exactly? NPT? Any of the Dual-use lists? Bio-chem? The only lists it could potentially run afoul of are sanctions lists. Just because we have EX/IM policies in place doesn't mean HP violated them in this particular case..
  21. Cycloid Torus

    Cycloid Torus Stone age computing. Posts: 3,491   +914

    IANAL, but maybe this helps.. "the regulations contain an important “catch-all” category known as “EAR 99” for all items not specifically listed on the CCL, but covered by the EAR. Because the EAR is expansive, the items covered by the EAR 99 catch-all are also expansive. By definition, the reach of EAR export controls extends to (I) all items exported from the United States, (ii) all U.S.-origin items wherever located, (iii) foreign-made commodities “bundled” with U.S.-origin software, and (iv) qualified foreign made direct software." (https://www.millercanfield.com/resources-alerts-845.html) Doesn't seem that the recipient has to be or be within an embargoed nation state for the export to be restricted.
  22. wiyosaya

    wiyosaya TS Evangelist Posts: 2,746   +1,310

    IMO, knowledge of the code gives you knowledge of where the cryptography takes place potentially giving an attacker knowledge of where to inject malicious code. Is this not what hackers do? If they get access to the keys, obviously all bets are off. Strong cryptography and keys are obviously essential in establishing secure environments, however, keeping the source code secret will only enhance the security of the code as I see it.

    That Russia claims no vulnerabilities were found is specious at best. If they did find any, I highly doubt they would be upfront about it especially given the fact that the source code is used at what is to them almost certainly a high value target.

    So? So we should allow everyone making software for every secure environment to share that software with anyone they please? Absence of a restriction should not be an excuse for an action like this, IMO.
  23. jobeard

    jobeard TS Ambassador Posts: 11,994   +1,314

    This topic clearly demonstrates that not many here have coding or business experience at this level, but are reacting to the obvious emotional conjecture that reading code is the same as stealing it. It's common practice to review software implementations when requesting an RFPQ for critical software. I've intentionally left RFPQ undefined as proof of my assertion here.
    Last edited: Oct 3, 2017
  24. mbrowne5061

    mbrowne5061 TS Evangelist Posts: 929   +469

    Then write to your senator and get the law changed. But you can't retroactively apply the laws, and the law doesn't currently prevent what just happened.

    We also don't know the context of the contract with the DoD. For all we know this software was just used on the computers of the receptionists, systems and networks that would never handle anything more sensitive than basic responses to press inquires. The DoD rarely buys COTS for anything involving national defense, including software. They prefer bespoke just so they know exactly what they are getting, and know that this very situation is covered by existing EX/IM policies.
  25. mbrowne5061

    mbrowne5061 TS Evangelist Posts: 929   +469

    That still assumes the software in question falls under EAR at all. If all they used it for was to protect non-defense systems and networks, it gets pretty difficult to classify this export-restricted IP. Without either of knowing the source code or the what the DoD used the software for exactly, we can't say one way or another whether the software is subject to any export compliance controls, but I put it at long odds that it was.

    Companies this size have entire departments dedicated to ensuring compliance with EAR, ITAR, and other export controls. The likelihood they messed up this bad is extremely slim, and if it was illegal, you would have been hearing about the DoD cracking down on them already.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...