Pentagon pressed on source code disclosures to Russia


A Democratic senator is pressing the Pentagon on cybersecurity risks after revelations that Russia reviewed the source code for software used on U.S. military systems. 

Sen. Jeanne Shaheen (D-N.H.), a member of the Armed Services Committee, sent a letter to Defense Secretary James Mattis expressing “deep concerns” about reports earlier this month that Hewlett Packard Enterprise (HPE) complied with a request from a Russian defense agency, the Federal Service for Technical and Export Control (FSTEC), to review the source code of its ArcSight cybersecurity software.


The software is used by private and public sector entities, including the U.S. military. Shaheen warned Tuesday that the review could allow Russian entities to hack into systems used on U.S. military platforms.

“HPE’s ArcSight system constitutes a significant element of the U.S. military’s cyber defenses. Therefore, the disclosure of ArcSight’s source code presents FSTEC and other Russian military and intelligence entities with the opportunity to exploit a system used on DoD platforms,” Shaheen wrote. 

“Such disclosure could also lead to the illicit transfer of valuable intellectual property to domestic Russian competitors.” 

The Democrat is pressing the Pentagon to disclose any “specific risk” it could face from the disclosure and what it is doing to track and mitigate risks to its systems. 

Reuters reported in early October that HPE had complied with the review last year, a requirement to sell the security software to Russian entities. Other U.S. technology companies are said to have complied with similar requests in bids to expand their markets. 

Reviewing source code could allow Russia to discover vulnerabilities in the software more readily than by testing the compiled product alone. Such flaws could theoretically be exploited in a cyberattack, although finding a vulnerability in a code review is not the same as being able to exploit it against a deployed, configured system.

HPE told The Hill earlier this month that the company “has never and will never take actions that compromise the security of our products or the operations of our customers.” 

The ArcSight review was conducted at sites controlled by HPE, the company said, and “no backdoor vulnerabilities were detected” in the software. Echelon, a Moscow-based company that conducts such reviews for Russia’s FSB intelligence service, oversaw the testing. 

On Tuesday, Shaheen asked Mattis to spell out what steps the Defense Department takes to keep track of whether its private sector IT vendors disclose source code or other sensitive technical information to foreign governments, and how frequently this occurs.

“What is the strategy of the Department, and the broader Administration, to oppose and challenge source code disclosure and similar regimes in Russia, China, and other nations?” she asked.