HP Enterprise (HPE) reportedly gave a Russian defense agency an inside look at the source code of its ArcSight cyber security platform in a bid to win in-country sales.
HPE apparently let Echelon, a Russian government-approved testing company doing the bidding of Russia’s Federal Service for Technical and Export Control (FSTEC), peer into ArcSight's base code last year, Reuters first reported. An HPE spokesperson has confirmed the report, the news agency said.
You may recall that HPE engaged with Micro Focus a year ago in an $8.8 billion spin-merger of its non-core software assets, including ArcSight, while retaining a controlling interest in the new combined company. It’s unclear if Echelon viewed the ArcSight code before or after the Micro Focus deal. The company has been tight-lipped about the episode, referencing a prior non-disclosure agreement with HPE, Reuters said.
Showing Code to Win Business
Opening source code to foreign scrutiny to win sales approvals isn’t unusual (in some cases it’s a requirement), but there’s a disturbing distinction in this instance: The Pentagon uses ArcSight to protect its network from cyber security attacks -- as do many large businesses -- making HPE’s decision all the more delicate, if not questionable.
Indeed, Reuters said that a number of ex-U.S. intelligence officials, former ArcSight staffers and security pros suggested that Russian eyes on the ArcSight source code could enable it to spot potentially exploitable flaws in the software. On the flip side, Russia and China have repeatedly said ahead of product sales approvals they need assurance that U.S. government spies have not baked in surveillance technology. HPE acknowledged that the Russian ArcSight review yielded no backdoor vulnerabilities, the report said.
Even if the evaluation had uncovered flaws in the ArcSight software, cyber intruders would still need to overcome other security barricades to gain entry into U.S. agencies, Alan Paller, founder of the SANS Institute, told Reuters. Technology companies wanting to conduct business in Russia don’t have a choice but to acquiesce to a source code review, he reportedly said.
Government Headaches?
Still, there’s no brushing off the ill timing of HPE’s interaction with Echelon and the FSTEC, coming as it did amid allegations last year that Russia meddled in the 2016 U.S. presidential election. Nonetheless, HPE is not alone among IT companies granting Russia scrutiny of its products: Cisco and SAP have complied, although Symantec has refused, the report said. While HPE didn’t disclose the review to the Pentagon's Defense Information Systems Agency, it had no obligation to do so, an agency spokesperson told Reuters.