Hewlett Packard Enterprise (HPE) allowed a Russian defence agency to review the inner workings of cyber defence software used by the Pentagon to guard its computer networks, according to Russian regulatory records and interviews with people with direct knowledge of the issue.
The HPE system, called ArcSight, serves as a cybersecurity nerve centre for much of the United States military, alerting analysts when it detects that computer systems may have come under attack. ArcSight is also widely used in the private sector.
The Russian review of ArcSight's source code, the closely guarded internal instructions of the software, was part of HPE's effort to win the certification required to sell the product to Russia's public sector, according to the regulatory records seen by Reuters and confirmed by a company spokeswoman.
Six former US intelligence officials, as well as former ArcSight employees and independent security experts, said the source code review could help Moscow discover weaknesses in the software, potentially helping attackers to blind the US military to a cyber attack.
"It's a huge security vulnerability," said Greg Martin, a former security architect for ArcSight. "You are definitely giving inner access and potential exploits to an adversary."
Despite the potential risks to the Pentagon, no one Reuters spoke with was aware of any hacks or cyber espionage that were made possible by the review process.
The ArcSight review took place last year, at a time when Washington was accusing Moscow of an increasing number of cyber attacks against American companies, US politicians and government agencies, including the Pentagon. Russia has repeatedly denied the allegations.
The case highlights a growing tension for US technology companies that must weigh their role as protectors of US cybersecurity while continuing to pursue business with Washington's adversaries such as Russia and China, say security experts.
The review was conducted by Echelon, a company with close ties to the Russian military, on behalf of Russia's Federal Service for Technical and Export Control (FSTEC), a defence agency tasked with countering cyber espionage.
Echelon president and majority owner Alexey Markov said in an email to Reuters that he is required to report any vulnerabilities his team discovers to the Russian government.
But he said he does so only after alerting the software developer of the problem and getting its permission to disclose the vulnerability. Echelon did not provide details about HPE's source code review, citing a non-disclosure agreement with the company.
FSTEC confirmed Markov's account, saying in a statement that Russian testing laboratories immediately inform foreign developers if they discover vulnerabilities, before submitting a report to a government "database of information security threats."
One reason Russia requests the reviews before allowing sales to government agencies and state-run companies is to ensure that US intelligence services have not placed spy tools in the software.
Sign up for Computerworld eNewsletters.