Pentagon pressed on source code disclosures to Russia

A Democratic senator is pressing the Pentagon on cybersecurity risks after revelations that Russia reviewed the source code for software used on U.S. military systems. 

Sen. Jeanne Shaheen (D-N.H.), a member of the Armed Services Committee, sent a letter to Defense Secretary James Mattis expressing “deep concerns” about reports earlier this month that Hewlett Packard Enterprise (HPE) complied with a Russian defense agency’s request to review source code of its ArcSight cybersecurity software.

The software is used by private and public sector entities, including the U.S. military. Shaheen warned Tuesday that the review could allow Russian entities to hack into systems used on U.S. military platforms.

“HPE’s ArcSight system constitutes a significant element of the U.S. military’s cyber defenses. Therefore, the disclosure of ArcSight’s source code presents FSTEC and other Russian military and intelligence entities with the opportunity to exploit a system used on DoD platforms,” Shaheen wrote. 

“Such disclosure could also lead to the illicit transfer of valuable intellectual property to domestic Russian competitors.” 

The Democrat is pressing the Pentagon to disclose any “specific risk” it could face from the disclosure and what it is doing to track and mitigate risks to its systems. 

Reuters reported in early October that HPE had complied with the review last year, a requirement to sell the security software to Russian entities. Other U.S. technology companies are said to have complied with similar requests in bids to expand their markets. 

Reviewing source code could allow Russia to discover vulnerabilities in the software, which could theoretically be exploited in a cyberattack.

HPE told The Hill earlier this month that the company “has never and will never take actions that compromise the security of our products or the operations of our customers.” 

The ArcSight review was conducted at sites controlled by HPE, the company said, and “no backdoor vulnerabilities were detected” in the software. Echelon, a Moscow-based company that conducts such reviews for Russia’s FSB intelligence service, oversaw the testing. 

On Tuesday, Shaheen asked Mattis to spell out what steps the Defense Department takes to keep track of whether its private sector IT vendors disclose source code or other sensitive technical information to foreign governments, and how frequently this occurs.

“What is the strategy of the Department, and the broader Administration, to oppose and challenge source code disclosure and similar regime in Russia, China, and other nations?” she asked.