Hewlett Packard Allowed Russian Firm to Review Pentagon Cyberdefense Software

Discussion in 'Business & Economics' started by Tiassa, Oct 3, 2017.

  1. Tiassa Let us not launch the boat ... Valued Senior Member

    Messages:
    37,888
    Why do the words "Gaius Baltar" keep echoing in my head?

    Hewlett Packard Enterprise allowed a Russian defense agency to review the inner workings of cyber defense software used by the Pentagon to guard its computer networks, according to Russian regulatory records and interviews with people with direct knowledge of the issue.

    The HPE system, called ArcSight, serves as a cybersecurity nerve center for much of the U.S. military, alerting analysts when it detects that computer systems may have come under attack. ArcSight is also widely used in the private sector.

    The Russian review of ArcSight's source code, the closely guarded internal instructions of the software, was part of HPE's effort to win the certification required to sell the product to Russia's public sector, according to the regulatory records seen by Reuters and confirmed by a company spokeswoman.


    (Schectman, Volz, and Stubbs↱)

    I mean, really.

    The ArcSight review took place last year, at a time when Washington was accusing Moscow of an increasing number of cyber attacks against American companies, U.S. politicians and government agencies, including the Pentagon. Russia has repeatedly denied the allegations.

    The case highlights a growing tension for U.S. technology companies that must weigh their role as protectors of U.S. cybersecurity while continuing to pursue business with Washington's adversaries such as Russia and China, say security experts.

    Seriously.

    If I made this up, would you believe me?
    ____________________

    Notes:

    Schectman, Joel, Dustin Volz, and Jack Stubbs. "Special Report: HP Enterprise let Russia scrutinize cyberdefense system used by Pentagon". Reuters. 2 October 2017. Reuters.com. 2 October 2017. http://reut.rs/2xMP6Xo
     
  3. Kittamaru Ashes to ashes, dust to dust. Adieu, Sciforums. Valued Senior Member

    Messages:
    13,938
    ... *blink* ...

    I have no words for this... seriously, this is beyond negligence.
     
  5. spidergoat pubic diorama Valued Senior Member

    Messages:
    54,036
    If it was approved for sale to foreign countries, it can't be much of a secret.
     
    sculptor likes this.
  7. gmilam Valued Senior Member

    Messages:
    3,530
    Privatization of national security tools - what could possibly go wrong?
     
    Dr_Toad likes this.
  8. iceaura Valued Senior Member

    Messages:
    30,994
    Do you suppose the Pentagon's cybersecurity arrangements and software, including the internal source code for the monitoring and gatekeeping software, are approved for sale to foreign countries?

    The fact that this is even possible - not a ridiculous notion too improbable for comedy - tells us all we need to know.
     
  9. spidergoat pubic diorama Valued Senior Member

    Messages:
    54,036
    Obviously yes, according to the article. It sounds sinister, but apparently it's all legal.
     
    Last edited: Oct 5, 2017
  10. iceaura Valued Senior Member

    Messages:
    30,994
    Nothing about selling the internal source code appears - only that they allowed inspection of it, as part of their sales pitch for their security services.

    Snowden did less.
     
  11. spidergoat pubic diorama Valued Senior Member

    Messages:
    54,036
    "HPE agreed last year to sell ArcSight and other security products to British tech company Micro Focus International Plc in a transaction that was completed in September."

    If they are allowed to sell to the British, that's a foreign country. It means our government doesn't consider the secrecy of this software to be necessary to our national security.
     
  12. Tiassa Let us not launch the boat ... Valued Senior Member

    Messages:
    37,888
    So, let's get this straight:

    • Hi, I hired HPE to provide certain services. Hoping to provide certain services in other countries, HPE has revealed to my competitor what they do for me, so the services they provide me are no longer viable, and my systems were in fact at risk while I thought they were secure.

    That is the problem.
     
  13. iceaura Valued Senior Member

    Messages:
    30,994
    Not the internal source code.
    That's an ally. There's all kinds of stuff US military and security companies can sell to the British they can't sell to the Russians.
    That degree of negligent obliviousness would of course be a major concern, even an emergency.
    The fact that it is possible is all we need to know.
     
  14. spidergoat pubic diorama Valued Senior Member

    Messages:
    54,036
    I'm not sure that showing how it works automatically makes it useless.
     
  15. Kittamaru Ashes to ashes, dust to dust. Adieu, Sciforums. Valued Senior Member

    Messages:
    13,938
    If they have access to the software, I doubt it would take long for a competent developer to crack it open and get at all the sweet inner-working code that makes it tick.
     
  16. iceaura Valued Senior Member

    Messages:
    30,994
    Knowing the internal source code abets hacking and circumventing. If anonymous Russians know the internal source code of your security software, best replace it if you're guarding anything serious.
    It can be a serious obstacle, according to developers of my acquaintance. Not if you get to inspect it, of course.
     
  17. gmilam Valued Senior Member

    Messages:
    3,530
    A lot of people know how many security protocols work. But if you don't have the user's encryption key, it doesn't do you much good.
     
  18. Kittamaru Ashes to ashes, dust to dust. Adieu, Sciforums. Valued Senior Member

    Messages:
    13,938
    I know where I work, all the back end code gets rigorous testing (part of my job) - compliance, load testing, stress testing, security, etc. are part and parcel of what I and the team I'm on do.

    That said - there are very strict rules on what can and cannot be shared outside the company (and we require federal security clearances for our positions). It's... intense, in some ways. And it makes sense - no matter how secure or well designed the software is, if you give someone malicious access to it, they will ultimately figure out how to subvert it.

    This is true, but having access to the software itself makes it much easier to determine how something is encrypted / what protocols it uses etc. More importantly, though, you can find other vulnerabilities far more easily when you can get hands on. For example - a mobile application that uses secure socket layer encryption for communication between the hosting server and the user's mobile device - that data stream is encrypted, awesome. However, the content of that data stream can still be sent in plain text, so you should be aware of what is being passed along.

    Now, that in itself doesn't sound too bad in and of itself - if something interjects itself in the middle of that communication, the packet will be malformed and the server should terminate the connection.

    However, what if the user's device has a bit of malware on it that sits between the app and the OS, and simply captures the information after the app has decrypted it for display? Or, worse, if it can pass malicious data into the app before the encryption and transmission? Yeah, there are (ideally) checks done on the receiving DMZ server prior to allowing it "in" to the network... but those are not infallible.
     
    Dr_Toad likes this.
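The server-side checks the post above refers to, as an added example that is not part of the thread and has nothing to do with ArcSight's or HPE's code: the receiving service validates the decrypted application-layer body before any business logic touches it. The JSON message format, its field rules, and the sample bodies are all constructed for this illustration.

```python
import json
import re
from dataclasses import dataclass

# Hypothetical application-layer message, constructed for this example:
#   {"action": ..., "account": ..., "amount_cents": ...}
# None of these rules come from any real product.
EXPECTED_FIELDS = {"action", "account", "amount_cents"}
ALLOWED_ACTIONS = {"balance", "transfer"}
ACCOUNT_RE = re.compile(r"^[A-Z]{2}[0-9]{6}$")
MAX_BODY_BYTES = 4096
MAX_AMOUNT_CENTS = 1_000_000


@dataclass(frozen=True)
class ValidationResult:
    ok: bool
    reason: str = ""


def validate_message(raw: bytes) -> ValidationResult:
    """Check a decrypted request body before any business logic sees it.

    TLS only protected the bytes in transit; it says nothing about whether
    the content is well-formed, so every field is checked against an allowlist.
    """
    # Size cap first: an oversized body is rejected before the parser runs.
    if len(raw) > MAX_BODY_BYTES:
        return ValidationResult(False, "body too large")

    # Strict parse: anything that is not valid UTF-8 JSON is rejected, not repaired.
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return ValidationResult(False, "malformed body")
    if not isinstance(msg, dict):
        return ValidationResult(False, "body is not a JSON object")

    # Exact field set: a field injected on the client before encryption is not
    # silently ignored, and a missing field is not defaulted.
    extra = set(msg) - EXPECTED_FIELDS
    if extra:
        return ValidationResult(False, "unexpected field(s): " + ", ".join(sorted(extra)))
    missing = EXPECTED_FIELDS - set(msg)
    if missing:
        return ValidationResult(False, "missing field(s): " + ", ".join(sorted(missing)))

    # Per-field type and value checks, allowlist style.
    action = msg["action"]
    if not isinstance(action, str) or action not in ALLOWED_ACTIONS:
        return ValidationResult(False, "action not allowed")
    account = msg["account"]
    if not isinstance(account, str) or not ACCOUNT_RE.fullmatch(account):
        return ValidationResult(False, "account id has wrong format")
    amount = msg["amount_cents"]
    # bool is a subclass of int in Python, so it has to be excluded explicitly.
    if isinstance(amount, bool) or not isinstance(amount, int):
        return ValidationResult(False, "amount must be an integer")
    if not 0 <= amount <= MAX_AMOUNT_CENTS:
        return ValidationResult(False, "amount out of range")
    return ValidationResult(True)


# Constructed sample bodies, as the server sees them after TLS decryption.
SAMPLES = {
    "benign": b'{"action": "transfer", "account": "AB123456", "amount_cents": 2500}',
    "extra_field": b'{"action": "transfer", "account": "AB123456", "amount_cents": 2500, "admin": true}',
    "bad_type": b'{"action": "transfer", "account": "AB123456", "amount_cents": "2500"}',
    "bad_action": b'{"action": "delete", "account": "AB123456", "amount_cents": 0}',
    "not_json": b"action=transfer&account=AB123456",
    "oversized": b'{"action": "balance", "account": "AB123456", "amount_cents": 0, "pad": "'
    + b"x" * 5000
    + b'"}',
}


def check_samples() -> dict:
    """Run every sample through the validator; returns name -> (ok, reason)."""
    results = {}
    for name, body in SAMPLES.items():
        r = validate_message(body)
        results[name] = (r.ok, r.reason)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in check_samples().items():
        print(f"{name:12s} {'accept' if ok else 'reject'} {reason}")
```

Only the benign body is accepted; the others are rejected with the reason recorded, which is what a DMZ-side log would carry. The validator catches malformed, oversized and injected content, but it has no view of the scenario the post ends on: a compromised endpoint that reads the data after the app has decrypted it sends nothing malformed to the server, so that case has to be handled on the device side (integrity attestation, endpoint monitoring), not by input validation.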
  19. gmilam Valued Senior Member

    Messages:
    3,530
    I think the bigger issue is why is the Pentagon using an off the shelf software package.
     
  20. Kittamaru Ashes to ashes, dust to dust. Adieu, Sciforums. Valued Senior Member

    Messages:
    13,938
    Cost, primarily - COTS products (Consumer Off The Shelf) are a lot cheaper than designing, programming, testing, bugfixing, retesting, testing, retesting, and maintaining your own, in-house solution. *

    * until the inevitable security breach... but then, most upper-level managers tend to not look that far into the future, and only see the short term cost savings and the bonuses they can reap from them. See Equifax, Sony, etc etc for examples.
     
  21. gmilam Valued Senior Member

    Messages:
    3,530
    We have the largest defense budget in the world and that's where they decide to cut cost?
     
  22. Kittamaru Ashes to ashes, dust to dust. Adieu, Sciforums. Valued Senior Member

    Messages:
    13,938
    Of course - God forbid they spend that money wisely... I mean, come on, they need more Tanks (that aren't wanted and will sit unused in the desert)
    https://www.cbsnews.com/news/unwanted-tanks-and-other-government-waste-detailed-in-reports/
    https://www.dodbuzz.com/2016/02/11/ohio-wins-again-in-armys-budget-for-more-m1-abrams-tanks/
    http://www.foxnews.com/politics/2013/04/28/army-says-no-to-more-tanks-but-congress-insists.html
    http://www.military.com/daily-news/...-to-stop-buying-equipment-it-doesnt-need.html

    There are other examples of blatant waste (or even corruption):
    https://www.cbsnews.com/news/unwanted-tanks-and-other-government-waste-detailed-in-reports/
    http://www.trentonian.com/article/TT/20170909/NEWS/170909750
    One has to wonder... why is there so much waste? Well... it seems obvious - someone somewhere is making bank on all of this...
     
  23. The God Valued Senior Member

    Messages:
    3,546
    So what does a business set up do? A very high potential new customer says he needs to know the source code, then either you show him or lose the business or develop the code all over again for the new client.

    The option left is to negotiate/blackmail with the first buyer to continue giving huge money regularly in lieu of not approaching new customers, or I will do what I deem good for my business. The USA as a country has never been ethical in business dealings, then why should HP be to the US? Balls to ethics with the US.

    Develop in house infrastructure, then some disgruntled team member will leak. You have to live in this world only.
     