Here’s the scoop on how Russian hackers have managed to conduct cyber attacks against U.S. businesses, politicians and defense organizations, including the Pentagon, with ease.
Following a news report by Reuters that the ArcSight security software had been scrutinized by Russia, its owner, Micro Focus International Plc, a British tech firm, stated it would restrict reviews of the source code in its software by “high-risk” governments.
Micro Focus did not respond to questions seeking clarification on whether the “high-risk” countries include Russia or what criteria it would use to determine which governments it will share the core code of its apps with.
A company spokeswoman, however, clarified that all future reviews would need the approval of Micro Focus’s CEO.
On Monday, in a blog post, Jason Schmitt, ArcSight’s head, said reviews of the source code by governments are a common occurrence and “that dozens of brand-name products have undergone the same type of certification testing.”
“Micro Focus will not allow any source code reviews if we reasonably believe the governments of high risk countries will have access to that review,” said Micro Focus’ spokeswoman.
Last month, Micro Focus acquired the ArcSight product line from Hewlett Packard Enterprise Co. HPE had allowed a defense agency from Moscow to review the inner workings of ArcSight, cyber defense software used by the Pentagon to guard its computer networks.
According to security experts, including former U.S. officials and former ArcSight employees, the review by Moscow could enable it to discover vulnerabilities in the software and potentially allow it to blindside the U.S. in a cyber attack.
Moscow’s evaluation of ArcSight last year came at a time when U.S. companies, politicians and government agencies, including the Pentagon, were coming under numerous cyber attacks.
In recent years, Moscow has stepped up its demands for source code reviews from companies wanting to do business in the country.
For its part, Micro Focus stated it would notify the U.S. government and seek feedback before allowing source code reviews “where applicable.”
Micro Focus did not respond to questions requesting clarification of when such notifications would apply.
In contrast, many companies, including Symantec, have decided not to allow source code reviews as a condition of doing business in a country, citing security concerns.
According to Russian regulatory records and interviews by Reuters with people with direct knowledge of the issue, the review of ArcSight’s source code was conducted by Echelon, a company with close ties to the Russian military.
The review was done on behalf of Russia’s Federal Service for Technical and Export Control (FSTEC), a defense agency that counters cyber espionage.
According to HPE, source code reviews have been conducted by Russian-government accredited testing companies at its R&D center in Russia for many years, with HPE scrutinizing the entire process very closely.
According to an HPE spokeswoman, no code is allowed to leave the premises, ensuring “our source code and products were in no way compromised”.
According to Micro Focus’ spokeswoman, ArcSight’s source code was tested in August 2015, several months before HPE was spun off from Hewlett-Packard Inc. According to Russian regulatory records, the Russian certification process for ArcSight was completed in August 2016.
HPE stated that the inspection of the source code was a necessary step in obtaining a certificate from Russia’s FSTEC, which it needs before it can sell the software to the public in Russia.