According to an exclusive report from Reuters, Hewlett Packard's enterprise arm (HPE) allowed the Russian government to review the source code for the Pentagon's most widely used cybersecurity software so that HPE could sell it to the Russians.
The software, called ArcSight, is used by every branch of the U.S. military, and, according to a Pentagon spokesperson who spoke to Reuters, the Pentagon did not know the Russians had been allowed to review the system's source code.
The Russian review of ArcSight’s source code, the closely guarded internal instructions of the software, was part of HPE’s effort to win the certification required to sell the product to Russia’s public sector, according to the regulatory records seen by Reuters and confirmed by a company spokeswoman.
Six former U.S. intelligence officials, as well as former ArcSight employees and independent security experts, said the source code review could help Moscow discover weaknesses in the software, potentially helping attackers to blind the U.S. military to a cyber attack.
While some former officials who spoke to Reuters warned that this could help the Russians penetrate American networks without being noticed, other sources and company officials say there's nothing to worry about.
An HP spokeswoman told Reuters their products "are in no way compromised," but I personally don't find that to be very reassuring. The defection of Edward Snowden already made our defense networks vulnerable, and HP apparently allowed the Kremlin to peer at the source code of the software behind those networks.
I believe we're still grossly underestimating our vulnerabilities across the entire public and private sector. I'm sure executives at Equifax would have said their products are in no way compromised just six months ago. I understand that's quite a bit different, but we usually only learn about these things after it's too late.
In this case, the investigative journalists at Reuters seem to have alerted the Pentagon to a potential area of vulnerability they didn't know about. Hopefully it won't be too late this time.