Hewlett Packard Enterprise let Russia review software used by Pentagon: report

Hewlett Packard Enterprise let Russia review software used by Pentagon: report
© Getty

U.S.-based Hewlett Packard Enterprise (HPE) complied with a Russian defense agency's request to review a cybersecurity product used by the Pentagon in order to gain access to the Russian market, Reuters reported.

The company is said to have allowed Russia to review source code for Arcsight, a cyber-defense software produced by HPE that is used broadly in the U.S. private sector and the U.S. military to secure its networks.

Reuters, citing a review of Russian regulatory records, reported that the company permitted the review last year in order to be certified to sell the security software to Russian government entities. Reuters previously reported that other U.S. technology companies, including HPE, IBM and others, had complied with the requests in order to gain access to the Russian market.

Reviewing source code could help Russia find vulnerabilities in the software that could be exploited in a cyberattack. 

The revelation comes amid heightened scrutiny of Russia’s use of cyberattacks, as lawmakers and the federal government continue to investigate Russian interference in the 2016 U.S. presidential election.

The Arcsight review was conducted by Echelon, a Moscow-based company that certifies whether security software complies with guidelines for various Russian defense entities, including Russia’s intelligence service, the FSB. The review was conducted on behalf of Russia’s Federal Service for Technical and Export Control, an agency within Russia’s defense ministry.

Echelon reportedly said it is required to disclose vulnerabilities in software it reviews to the Russian government, but does so after alerting the company that produces the software and getting permission. 

“HPE has never and will never take actions that compromise the security of our products or the operations of our customers," the company said in a statement.

"In the past, HPE worked with select third parties to test a narrow set of products for backdoor vulnerabilities before selling into the Russia market. This is a years-old requirement for all companies that has not changed recently. All testing was done in HPE controlled sites and entirely under the supervision of HPE’s Cyber Security specialists, to ensure that our source code and products were in no way compromised," it added.

"No backdoor vulnerabilities were detected within Arcsight, which is now part of Micro Focus."

--This report was updated on Oct. 3 at 5:33 a.m.