On Lawfare Paul Rosenzweig notes how Russia got a look at the source code to a critical computer security product in use in the American military:
According to this report from Reuters, Hewlett Packard Enterprise (HPE) has allowed the Russian military to review the source code for ArcSight, a cybersecurity alert system widely used in the Pentagon and in the American private sector. The source code review was a condition required by the Russian government before it would purchase ArcSight for use in Russian systems – at least nominally for the reasonable-sounding purpose of assuring the Russians that the American government had not colluded with HPE to put a back door into ArcSight that might be used against the Russians. This troubling episode raises a number of questions:
- If the Russian request was facially reasonable (and it seems it was) why is HPE allowed to permit the Russians to do a source code review on systems that are used by the U.S. military? Perhaps as a condition of selling to the U.S. government, one ought not to be permitted to allow foreign nations to unpack the product
And even more startling revelations. So why is HPE permitting this Russian access? My suspicion is that HPE, being an international company, believes it must have a more equitable attitude towards its customers, rather than an American-centric view.
Which leads to the question of whether American agencies should more carefully vet their suppliers with regard to where their allegiance lies – to the dollar or to America? At this juncture, some critical holes in American cyber-infrastructure may be assumed.
And HPE should be considered disqualified from all future American contracts, public and private. Maybe they should only expect Russian contracts from here on out.