Last year, Hewlett Packard Enterprise (HPE) allowed a Russian defense agency to analyze the source code of a cybersecurity software used by the Pentagon, Reuters reports. The software, a product called ArcSight, is an important piece of cyber defense for the Army, Air Force and Navy and works by alerting users to suspicious activity -- such as a high number of failed login attempts -- that might be a sign of an ongoing cyber attack. The review of the software was done by a company called Echelon for Russia's Federal Service for Technical and Export Control as HPE was seeking to sell the software in the country. While such reviews are common for outside companies looking to market these types of products in Russia, this one could have helped Russian officials find weaknesses in the software that could aid in attacks on US military cyber networks.
Echelon says it's required to report software vulnerabilities to the Russian government but only after letting the software makers know. And HPE told Reuters that reviews are done at an HPE facility under the supervision of HPE staff and that no vulnerabilities were found during this particular review.
Even if a vulnerability was discovered and not disclosed, it wouldn't allow attackers to just waltz into US military networks, but it could, in theory, make it easier to hide an ongoing attack, delaying defense responses and upping the chance of a successful breach. The review took place around the same time that the US was accusing Russia of initiating cyber attacks against a number of US agencies and politicians.
A Pentagon Defense Information Systems Agency spokesperson told Reuters that HPE didn't let the Pentagon know about the review but that it also wasn't required to. The ArcSight review may not have unearthed any backdoors or resulted in any additional cyber infiltrations, but at the very least it seems that, when it comes to the US military, using popular off-the-shelf security software might be a vulnerability in itself.