Hewlett Packard Allowed Russian Firm to Review Pentagon Cyberdefense Software

Tiassa
Why do the words "Gaius Baltar" keep echoing in my head?

Hewlett Packard Enterprise allowed a Russian defense agency to review the inner workings of cyber defense software used by the Pentagon to guard its computer networks, according to Russian regulatory records and interviews with people with direct knowledge of the issue.

The HPE system, called ArcSight, serves as a cybersecurity nerve center for much of the U.S. military, alerting analysts when it detects that computer systems may have come under attack. ArcSight is also widely used in the private sector.

The Russian review of ArcSight's source code, the closely guarded internal instructions of the software, was part of HPE's effort to win the certification required to sell the product to Russia's public sector, according to the regulatory records seen by Reuters and confirmed by a company spokeswoman.


(Schectman, Volz, and Stubbs)

I mean, really.

The ArcSight review took place last year, at a time when Washington was accusing Moscow of an increasing number of cyber attacks against American companies, U.S. politicians and government agencies, including the Pentagon. Russia has repeatedly denied the allegations.

The case highlights a growing tension for U.S. technology companies that must weigh their role as protectors of U.S. cybersecurity while continuing to pursue business with Washington's adversaries such as Russia and China, say security experts.

Seriously.

If I made this up, would you believe me?
____________________

Notes:

Schectman, Joel, Dustin Volz, and Jack Stubbs. "Special Report: HP Enterprise let Russia scrutinize cyberdefense system used by Pentagon". Reuters. 2 October 2017. Reuters.com. 2 October 2017. http://reut.rs/2xMP6Xo
 
... *blink* ...

I have no words for this... seriously, this is beyond negligence.
 
If it was approved for sale to foreign countries, it can't be much of a secret.
Do you suppose the Pentagon's cybersecurity arrangements and software, including the internal source code for the monitoring and gatekeeping software, is approved for sale to foreign countries?

The fact that this is even possible - not a ridiculous notion too improbable for comedy - tells us all we need to know.
 
Do you suppose the Pentagon's cybersecurity arrangements and software, including the internal source code for the monitoring and gatekeeping software, is approved for sale to foreign countries?
Obviously yes, according to the article. It sounds sinister, but apparently it's all legal.
 
Nothing about selling the internal source code appears - only that they allowed inspection of it, as part of their sales pitch for their security services.

Snowden did less.
"HPE agreed last year to sell ArcSight and other security products to British tech company Micro Focus International Plc in a transaction that was completed in September."

If they are allowed to sell to the British, that's a foreign country. It means our government doesn't consider the secrecy of this software to be necessary to our national security.
 
If they are allowed to sell to the British, that's a foreign country. It means our government doesn't consider the secrecy of this software to be necessary to our national security.

So, let's get this straight:

• Hi, I hired HPE to provide certain services. Hoping to provide certain services in other countries, HPE has revealed to my competitor what they do for me, so the services they provide me are no longer viable, and my systems were in fact at risk while I thought they were secure.

That is the problem.
 
"HPE agreed last year to sell ArcSight and other security products to British tech company Micro Focus International Plc in a transaction that was completed in September."
Not the internal source code.
If they are allowed to sell to the British, that's a foreign country
That's an ally. There's all kinds of stuff US military and security companies can sell to the British they can't sell to the Russians.
It means our government doesn't consider the secrecy of this software to be necessary to our national security.
That degree of negligent obliviousness would of course be a major concern, even an emergency.
The fact that it is possible is all we need to know.
 
So, let's get this straight:

• Hi, I hired HPE to provide certain services. Hoping to provide certain services in other countries, HPE has revealed to my competitor what they do for me, so the services they provide me are no longer viable, and my systems were in fact at risk while I thought they were secure.

That is the problem.
I'm not sure that showing how it works automatically makes it useless.
 
I'm not sure that showing how it works automatically makes it useless.

If they have access to the software, I doubt it would take long for a competent developer to crack it open and get at all the sweet inner-working code that makes it tick.
 
I'm not sure that showing how it works automatically makes it useless.
Knowing the internal source code abets hacking and circumventing. If anonymous Russians know the internal source code of your security software, best replace it if you're guarding anything serious.
If they have access to the software, I doubt it would take long for a competent developer to crack it open and get at all the sweet inner-working code that makes it tick.
It can be a serious obstacle, according to developers of my acquaintance. Not if you get to inspect it, of course.
 
A lot of people know how many security protocols work. But if you don't have the user's encryption key, it doesn't do you much good.
 
It can be a serious obstacle, according to developers of my acquaintance. Not if you get to inspect it, of course.

I know where I work, all the back end code gets rigorous testing (part of my job) - compliance, load testing, stress testing, security, etc. are part and parcel of what I and the team I'm on do.

That said - there are very strict rules on what can and cannot be shared outside the company (and we require federal security clearances for our positions). It's... intense, in some ways. And it makes sense - no matter how secure or well designed the software is, if you give someone malicious access to it, they will ultimately figure out how to subvert it.

A lot of people know how many security protocols work. But if you don't have the user's encryption key, it doesn't do you much good.
This is true, but having access to the software itself makes it much easier to determine how something is encrypted / what protocols it uses, etc. More importantly, though, you can find other vulnerabilities far more easily when you can get hands on. For example - a mobile application that uses secure socket layer encryption for communication between the hosting server and the user's mobile device - that data stream is encrypted, awesome. However, the content of that data stream can still be sent plain text, so you should be aware of what is being passed along.

Now, that in itself doesn't sound too bad in and of itself - if something interjects itself in the middle of that communication, the packet will be malformed and the server should terminate the connection.

However, what if the user's device has a bit of malware on it that sits between the app and the OS, and simply captures the information after the app has decrypted it for display? Or, worse, if it can pass malicious data into the app before the encryption and transmission? Yeah, there are (ideally) checks done on the receiving DMZ server prior to allowing it "in" to the network... but those are not infallible.
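The two posts above make three points a defender can act on: a publicly known protocol is not the weakness so long as the key stays secret; data inside an encrypted tunnel is still plaintext to both endpoints; and the receiving server has to validate what arrives, because the sending device may already be compromised, and even that check is not infallible. The following is an added example, not code from the thread or from any product it mentions. It models those points in Python using only the standard library: a constructed client envelope authenticated with HMAC-SHA256 under a shared key, and a receiver that first checks the tag in constant time and then applies strict content validation to the decoded payload. The message format, the field names, the limits and the demo key are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed demo secret. In a real deployment the key lives in a key store,
# never in source code: the code can be public, the key must not be.
SHARED_KEY = b"demo-key-not-for-production-0000"

# Hypothetical message policy for the receiver: exact field set, exact types, bounds.
ALLOWED_FIELDS = {"account": str, "amount": int, "memo": str}
MAX_AMOUNT = 10_000


def seal(payload: dict, key: bytes = SHARED_KEY) -> bytes:
    """Client side: canonical JSON body plus an HMAC-SHA256 tag over it.
    Everything about this construction is public; only the key is secret."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body) + b"." + base64.b64encode(tag)


def verify_tag(envelope: bytes, key: bytes = SHARED_KEY) -> Optional[bytes]:
    """Return the raw body if the tag is genuine, else None.
    compare_digest keeps the comparison constant-time so timing does not
    leak how many bytes of a forged tag were right."""
    try:
        b64_body, b64_tag = envelope.split(b".", 1)
        body = base64.b64decode(b64_body, validate=True)
        tag = base64.b64decode(b64_tag, validate=True)
    except ValueError:  # malformed framing or base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return body


def validate_payload(body: bytes) -> Tuple[bool, str]:
    """Server side: a valid tag proves the sender held the key, not that the
    content is sane. Reject unknown fields, wrong types and out-of-range values."""
    try:
        data = json.loads(body)
    except ValueError:
        return False, "not json"
    if not isinstance(data, dict):
        return False, "not an object"
    if set(data) != set(ALLOWED_FIELDS):
        return False, "unexpected or missing fields"
    for name, typ in ALLOWED_FIELDS.items():
        if type(data[name]) is not typ:  # exact type: also rejects bool posing as int
            return False, f"bad type for {name}"
    if not 0 < data["amount"] <= MAX_AMOUNT:
        return False, "amount out of range"
    if len(data["memo"]) > 64 or not data["memo"].isprintable():
        return False, "memo rejected"
    return True, "ok"


def receive(envelope: bytes, key: bytes = SHARED_KEY) -> Tuple[bool, str]:
    """Full receiver path: authenticity first, then content policy."""
    body = verify_tag(envelope, key)
    if body is None:
        return False, "bad tag"
    return validate_payload(body)


def tamper_in_transit(envelope: bytes) -> bytes:
    """Constructed scenario: a party who knows the format but not the key
    edits the body. The old tag no longer matches, so the receiver drops it."""
    b64_body, b64_tag = envelope.split(b".", 1)
    body = json.loads(base64.b64decode(b64_body))
    body["amount"] = 999_999
    new_body = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return base64.b64encode(new_body) + b"." + b64_tag


if __name__ == "__main__":
    good = seal({"account": "acct-1", "amount": 250, "memo": "rent"})
    print(receive(good))                     # authentic and in policy
    print(receive(tamper_in_transit(good)))  # known algorithm, no key: rejected

    # Malware feeding the app before it seals the message: the tag is valid, so only
    # the server-side content checks can catch it, and only when it breaks policy.
    injected = seal({"account": "acct-1", "amount": 999_999, "memo": "rent"})
    print(receive(injected))

    # An injected request that stays inside policy passes both checks: not infallible.
    subtle = seal({"account": "mule-7", "amount": 9_000, "memo": "rent"})
    print(receive(subtle))
```

The order of checks matters: the tag is verified before the JSON is parsed, so unauthenticated input never reaches the parser, and the content policy is an allow-list rather than a block-list, which is what makes the "unexpected fields" and exact-type rejections possible. The last case in the `__main__` block is the post's caveat in code: the server cannot tell a policy-conforming message sent by malware from one sent by the user.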
 
I think the bigger issue is why is the Pentagon using an off the shelf software package.

Cost, primarily - COTS products (Consumer Off The Shelf) are a lot cheaper than designing, programming, testing, bugfixing, retesting, testing, retesting, and maintaining your own, in-house solution. *

* until the inevitable security breach... but then, most upper-level managers tend to not look that far into the future, and only see the short term cost savings and the bonuses they can reap from them. See Equifax, Sony, etc etc for examples.
 
We have the largest defense budget in the world and that's where they decide to cut cost?
 
We have the largest defense budget in the world and that's where they decide to cut cost?

Of course - God forbid they spend that money wisely... I mean, come on, they need more Tanks (that aren't wanted and will sit unused in the desert)
https://www.cbsnews.com/news/unwanted-tanks-and-other-government-waste-detailed-in-reports/
https://www.dodbuzz.com/2016/02/11/ohio-wins-again-in-armys-budget-for-more-m1-abrams-tanks/
http://www.foxnews.com/politics/2013/04/28/army-says-no-to-more-tanks-but-congress-insists.html
http://www.military.com/daily-news/...-to-stop-buying-equipment-it-doesnt-need.html

Yet in the case of the Abrams tank, there's a bipartisan push to spend an extra $436 million on a weapon the experts explicitly say is not needed.

"If we had our choice, we would use that money in a different way," Gen. Ray Odierno, the Army's chief of staff, told The Associated Press this past week.

Why are the tank dollars still flowing? Politics.

Keeping the Abrams production line rolling protects businesses and good paying jobs in congressional districts where the tank's many suppliers are located.

If there's a home of the Abrams, it's politically important Ohio. The nation's only tank plant is in Lima. So it's no coincidence that the champions for more tanks are Rep. Jim Jordan and Sen. Rob Portman, two of Capitol Hill's most prominent deficit hawks, as well as Democratic Sen. Sherrod Brown. They said their support is rooted in protecting national security, not in pork-barrel politics.

There are other examples of blatant waste (or even corruption):
https://www.cbsnews.com/news/unwanted-tanks-and-other-government-waste-detailed-in-reports/
For example, in 2012, the U.S. paid an Afghan construction firm nearly $500,000 to build a training exercise facility for the Afghan Special Police. However, just four months after the project was finished, the facility's walls began to disintegrate in the rain. It turns out the contractor constructed the facility out of bricks made of sand, ignoring construction quality standards required by its contract. The U.S. has yet to recoup its money; meanwhile, the contractor is still technically eligible for other U.S. contracts.

http://www.trentonian.com/article/TT/20170909/NEWS/170909750
The examples are legion, including the $28 million the Pentagon wasted purchasing the wrong kind of camouflage uniforms for the Afghan National Army, the $34 million for a 64,000-square-foot military headquarters facility at Camp Leatherneck in Helmand province that military commanders did not want and never used, the $772 million the Defense Department spent to purchase aircraft that the Afghan military cannot operate or maintain, and the $300 million for a power plant that the Afghan government does not have the expertise to run.

“We’ve built schools that have fallen down, clinics that there are no doctors for, we’ve built roads that are falling apart,” Sopko told AFP in 2014, noting that the amount of waste is “massive.”

To this checkered history we can now add the more than $160 million for a failed effort to implement an electronic payment system to collect and process customs duties.

One has to wonder... why is there so much waste? Well... it seems obvious - someone somewhere is making bank on all of this...
 
So what does a business set up do? A very high-potential new customer says he needs to know the source code; then either you show him or lose the business, or develop the code all over again for the new client.

The option left is to negotiate/blackmail with the first buyer to continue giving huge money regularly in lieu of not approaching new customers, or I will do what I deem good for my business. The USA as a country has never been ethical in business dealings, then why should HP be to the US? Balls to ethics with the US.

Develop in house infrastructure, then some disgruntled team member will leak. You have to live in this world only.
 