Foreign government code reviews
'problematic': White House cyber official
[October 04, 2017]
By Dustin Volz
WASHINGTON (Reuters) - Allowing foreign
governments to require reviews of software secrets of technology
products built by U.S. companies is "problematic," the top White House
cyber security official said on Tuesday, adding that the increasingly
common arrangements presented both security and intellectual property
risks.
Rob Joyce, the White House cyber security coordinator, said that letting
countries inspect source code, the closely guarded internal instructions
of software, as a condition for entry into foreign markets was a
protectionist effort by certain regimes that threatened a "free and open
internet" and could "hobble" a product's security and privacy features.
Reuters on Monday reported that Hewlett Packard Enterprise (HPE) last
year allowed a Russian defense agency to review the inner workings of
cyber defense software known as ArcSight that is used by the Pentagon to
guard its computer networks.
(Read the original Reuters special report:
http://www.reuters.com/article/us-usa-cyber-russia-hpe-specialreport/special-report-hp-enterprise-let-russia-scrutinize-cyberdefense-system-used-by-pentagon-idUSKCN1C716M
)
Cyber security experts, former U.S. intelligence officials and former
ArcSight employees said the practice could help Moscow discover
weaknesses in the software, potentially helping attackers to blind the
U.S. military to a cyber attack.
"There are security aspects of those disclosures (and) they are
problematic," Joyce, a former hacker at the U.S. National Security
Agency, said at a Washington Post Cybersecurity Summit when asked
specifically about the story.
He added that he was more concerned about the intellectual property
risks associated with the reviews, however.
"If you give your source code to China as a condition of entering into
that market, you've got to wonder if competitors are then going to start
to adopt those features," Joyce said at the event, which was sponsored
by HPE. "And we've seen some examples of that in the past and that
really concerns us."
Asked about Joyce's comments, an HPE spokeswoman said the company "has
never and will never take actions that compromise the security of our
products or the operations of our customers."
The company said the reviews have taken place for years and are
conducted by a Russian testing company at an HPE research and
development center outside of Russia, where the software maker closely
supervises the process, and that no code is allowed to leave the
premises.
Cyber defense operations using ArcSight at the U.S. Army
Communications-Electronics Command, Aberdeen Proving Ground,
Maryland, U.S., June 25, 2014. David Vergun/U.S. Army
Services/Handout via REUTERS
HPE has said the inspection process was necessary to obtain
certification from Russia's Federal Service for Technical and Export
Control (FSTEC), a defense agency tasked with countering cyber
espionage, in order to sell software in Russia. The review of
ArcSight's code was conducted by Echelon, a company with close ties
to the Russian military, on behalf of FSTEC, according to Russian
regulatory records and interviews with people with direct knowledge
of the issue.
British tech company Micro Focus International Plc <MCRO.L>, which
purchased ArcSight from HPE last year in a transaction completed in
September, did not respond when asked about Joyce's remarks. Micro
Focus has not responded to requests for comment on whether it would
allow Russia to do similar source code reviews in the future.
Russia in recent years has stepped up demands for source code
reviews as a requirement for doing business in the country, Reuters
reported in June.
China in May adopted a new cyber security law that western companies
have criticized for imposing overly strict data surveillance and
storage requirements. The law has raised concern that companies will
need to choose between compromising security to protect business and
losing out on the enormous Chinese market.
"The idea that you can't enter China’s market without offering up
your intellectual property in this way, without agreeing maybe to
hobble some of the security and privacy features of it ... Russia is
heading that way, a bunch of totalitarian regimes are heading that
way," Joyce said.
(Reporting by Dustin Volz; Editing by Andrea Ricci)
[© 2017 Thomson Reuters. All rights
reserved.]
Copyright 2017 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.