Source Code Review for Thee... But Not For Me...

By Paul Rosenzweig
Monday, October 2, 2017, 12:14 PM

According to this report from Reuters, Hewlett Packard Enterprises (HPE) has allowed the Russian military to review the source code for ArcSight, a cybersecurity alert system widely used in the Pentagon and in the American private sector. The source code review was a condition required by the Russian government before it would purchase ArcSight for use in Russian systems–at least nominally for the reasonable-sounding purpose of assuring the Russians that the American government had not colluded with HPE to put a back door into ArcSight that might be used against the Russians. This troubling episode raises a number of questions:

  • If the Russian request was facially reasonable (and it seems it was) why is HPE allowed to permit the Russians to do a source code review on systems that are used by the U.S. military? Perhaps as a condition of selling to the U.S. government, one ought not to be permitted to allow foreign nations to unpack the product?
  • What vulnerabilities, if any, were potentially revealed to the Russians by virtue of the source code review and how does that effect the security posture of the U.S. military or the private sector users of ArcSight?
  • The report suggests strongly that HPE did not notify the U.S. government that it was going to allow the source code review or that it had done so. Apparently, such disclosure is not required by HPE's contract with the U.S. If not, why not?
  • According to Reuters, the U.S. government does not do source code review for off-the-shelf technology like ArcSight. At first blush that seems reasonable, but is it?
  • ArcSight is so embedded in U.S. systems that it cannot be replaced absent a complete overhaul of the IT infrastructure of the military. Is such dependence on a single system reasonable?

This deeply troubling report requires further examination and review–but at first blush it certainly seems like someone missed the boat somewhere.