Source Code Review for Thee... But Not For Me...

Paul Rosenzweig
Monday, October 2, 2017, 12:14 PM


Published by The Lawfare Institute in Cooperation With Brookings

According to this report from Reuters, Hewlett Packard Enterprises (HPE) has allowed the Russian military to review the source code for ArcSight, a cybersecurity alert system widely used in the Pentagon and in the American private sector. The source code review was a condition required by the Russian government before it would purchase ArcSight for use in Russian systems–at least nominally for the reasonable-sounding purpose of assuring the Russians that the American government had not colluded with HPE to put a back door into ArcSight that might be used against the Russians. This troubling episode raises a number of questions:

  • If the Russian request was facially reasonable (and it seems it was), why is HPE allowed to permit the Russians to do a source code review on systems that are used by the U.S. military? Perhaps, as a condition of selling to the U.S. government, one ought not to be permitted to allow foreign nations to unpack the product?
  • What vulnerabilities, if any, were potentially revealed to the Russians by virtue of the source code review, and how does that affect the security posture of the U.S. military or the private sector users of ArcSight?
  • The report suggests strongly that HPE did not notify the U.S. government that it was going to allow the source code review or that it had done so. Apparently, such disclosure is not required by HPE's contract with the U.S. If not, why not?
  • According to Reuters, the U.S. government does not do source code review for off-the-shelf technology like ArcSight. At first blush that seems reasonable, but is it?
  • ArcSight is so embedded in U.S. systems that it cannot be replaced absent a complete overhaul of the IT infrastructure of the military. Is such dependence on a single system reasonable?

This deeply troubling report requires further examination and review–but at first blush it certainly seems like someone missed the boat somewhere.


Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company and a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University, a Senior Fellow in the Tech, Law & Security program at American University, and a Board Member of the Journal of National Security Law and Policy.
