Hewlett Packard Enterprise (HPE) has allowed the Russian government to review the source code of its ArcSight cyber defense software. This software is the same system used by the Pentagon to secure its computer networks from cyber attacks. The code review was part of an effort for HPE to gain the certifications required to sell its products to the Russian private sector.
The review, first reported by Reuters, had not been disclosed to any US authorities. That is not illegal: no current legislation prevents a company from letting a foreign government inspect its source code in order to win contracts. The review took place last year, during a period in which the US was attributing many high-profile cyber attacks to Russia. HPE has submitted to similar Russian code reviews before, and it is not alone in doing so; Cisco, IBM, SAP, and many other vendors do the same to keep foreign contracts.
According to a former security architect for ArcSight, what makes this incident worrying is that it is "giving inner access and potential exploits to an adversary." ArcSight works by monitoring a network for intrusions or attempted attacks; when it sees suspicious activity, it raises an alert for security analysts. An adversary who knows exactly how that detection logic works, including the conditions and thresholds that trigger an alert, can shape their activity to stay outside those conditions and operate without being noticed.
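To make the evasion concern concrete, here is an added illustration that is not part of the original article and is not ArcSight's code: a hypothetical correlation rule of the kind a monitoring product might ship (alert when one source produces five or more failed logins inside a sixty-second window), run over constructed log lines. One attacker hammers the login and trips the rule; a second attacker who has read the rule spaces attempts so that no sixty-second window ever contains five failures, and generates no alert at all. The log format, threshold, window and IP addresses are all assumptions made for this example.

```python
from collections import defaultdict, deque

# Hypothetical correlation rule (an assumption for this example, not ArcSight's logic):
# alert when one source IP produces FAILED_THRESHOLD or more failed logins within WINDOW_SECONDS.
FAILED_THRESHOLD = 5
WINDOW_SECONDS = 60


def parse_line(line):
    """Parse one constructed log line: '<epoch_seconds> <src_ip> <LOGIN_OK|LOGIN_FAIL> <user>'."""
    ts, src, event, user = line.split()
    return int(ts), src, event, user


def detect_bruteforce(lines, threshold=FAILED_THRESHOLD, window=WINDOW_SECONDS):
    """Return a list of (timestamp, src_ip) alerts, one per burst of failures per source."""
    recent = defaultdict(deque)  # src_ip -> timestamps of failures still inside the window
    alerts = []
    for line in lines:
        ts, src, event, _user = parse_line(line)
        if event != "LOGIN_FAIL":
            continue
        q = recent[src]
        q.append(ts)
        # Drop failures that have aged out of the sliding window.
        while q and ts - q[0] >= window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ts, src))
            q.clear()  # one alert per burst; start counting afresh
    return alerts


def make_attempts(src, start, count, spacing):
    """Constructed sample input: `count` failed logins from `src`, `spacing` seconds apart."""
    return [f"{start + i * spacing} {src} LOGIN_FAIL admin" for i in range(count)]


# Naive attacker: 20 attempts one second apart. Five failures land in the same
# minute almost immediately, so the rule fires (repeatedly).
NAIVE = make_attempts("203.0.113.7", 1000, 20, 1)

# Attacker who knows the rule: 20 attempts 16 seconds apart. Any 60-second window
# holds at most four failures, so the same rule never fires.
EVASIVE = make_attempts("203.0.113.8", 1000, 20, 16)

if __name__ == "__main__":
    print("naive attacker alerts  :", detect_bruteforce(NAIVE))
    print("evasive attacker alerts:", detect_bruteforce(EVASIVE))
```

The second attacker makes exactly as many attempts as the first; the only difference is the timing, chosen from knowledge of the threshold and window. That is the kind of detail a source code review exposes, and it is why defenders treat detection logic itself as sensitive.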
The review was conducted by a company called Echelon on behalf of Russia's Federal Service for Technical and Export Control. HPE said that the Russian review found no backdoors in the code and that no source code was allowed to leave the secured building in which the review took place.