U.S. senator probes Pentagon on Russian source code reviews
[October 18, 2017]
By Dustin Volz and Joel Schectman
WASHINGTON (Reuters) - A U.S. senator on
Tuesday asked the Defense Department to explain how it manages the risks
when it uses software that has been scrutinized by foreign governments,
saying the practice may represent a national security threat.
Reuters reported earlier this month that Hewlett Packard Enterprise Co
allowed a Russian defense agency to review the source code or inner
workings of cyber defense software known as ArcSight, which is used by
the Pentagon to guard its computer networks.
"HPE's ArcSight system constitutes a significant element of the U.S.
military's cyber defenses," Democratic Senator Jeanne Shaheen wrote in a
letter to Defense Secretary James Mattis seen by Reuters.
Shaheen, a member of the Senate Armed Services Committee, said
disclosure of ArcSight's source code to the Russian agency presented an
"opportunity to exploit a system used on [Defense Department]
platforms."

Shaheen questioned whether the Trump administration was pushing back on
demands for source code from Russia and elsewhere that are imposed on
U.S. companies as a condition for entry into foreign markets.
Such reviews highlight a quandary for U.S. technology companies, as they
weigh U.S. cyber security protections while pursuing business with some
of Washington’s adversaries, including Russia and China, according to
security experts.
"I understand that individual businesses must make decisions weighing
the risk of intellectual property disclosure against the opportunity of
accessing significant overseas markets," Shaheen wrote. "However, when
such products undergird [Defense Department] cyber defenses, our
national security may be at stake in these decisions."
The Pentagon and HPE did not immediately respond to requests for comment
about the letter.
Cyber security experts, former U.S. intelligence officials and former
ArcSight employees said the review of ArcSight’s core instruction, also
known as source code, could help Moscow discover weaknesses in the
software, potentially helping hackers to blind the U.S. military to an
attack.
HPE has said in the past that such reviews, by a Russian
government-accredited testing company, have taken place for years at a
research and development center it operates outside of Russia.

Senator Jeanne Shaheen (D-NH) speaks at the Democratic National
Convention in Philadelphia, Pennsylvania, U.S. July 25, 2016.
REUTERS/Mike Segar

The software maker has also said it closely supervises the process and that no
code is allowed to leave the premises, ensuring it does not compromise the
safety of its products. A company spokeswoman said last week that no current HPE
products have undergone Russian source code reviews.
HPE was spun off from Hewlett-Packard Inc as a separate software company in
2015.
Shaheen's letter asked Mattis whether he foresaw risks associated with the
disclosure of ArcSight's code and whether the Pentagon was monitoring whether
technology vendors share source code or "other sensitive technical data."
She also asked how frequently vendors disclose the source code of products used
by the Pentagon to foreign governments.
Shaheen recently led successful efforts in Congress to ban all government use of
software provided by Moscow-based antivirus firm Kaspersky Lab, amid allegations
the company is allied with Russian intelligence. Kaspersky vehemently denies
such links.
Tech companies have been under increasing pressure to allow the Russian
government to examine source code in exchange for approvals to sell products in
Russia. While many Western firms have complied, some, including California-based
cyber firm Symantec, have refused.

ArcSight was sold to British tech company Micro Focus International Plc in a
deal completed in September.
The company said last week that while source code reviews were a common industry
practice, it would restrict future reviews by “high-risk” governments and
subject them to chief executive approval.
(Reporting by Dustin Volz and Joel Schectman; Editing by Jonathan Weber and Tom
Brown)
© 2017 Thomson Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.