Russia have been given the source code to ArcSight, a cyberdefense system used by the Pentagon and US intelligence. Experts and former employees say the source code review is a huge security blunder:
“Six former U.S. intelligence officials, as well as former ArcSight employees and independent security experts, said the source code review could help Moscow discover weaknesses in the software, potentially helping attackers to blind the U.S. military to a cyber attack.
“It’s a huge security vulnerability,“ said Greg Martin, a former security architect for ArcSight. ”You are definitely giving inner access and potential exploits to an adversary.”
Arcsight, which has been around since 2000, is a big data analytics firm that was acquired by Hewlett Packard. The software scans activity from users, firewalls and other sources and then aggregates it and looks for suspicious activity – such as multiple failed login attempts.
The security firm that ran the code review state that they find vulnerabilities in 50% of US/International Software – and are required to report these to the government. The Russian government justifies this code review as a check on foreign software that may be compromised – by other States, malicious actors etc. That is a hard policy to argue against, however it raises the question as to whether US firms should be selling this software at all. I was told by another professor that cryptographic software is considered a weapon and as such subject to the same kinds of restrictions that selling ammunition or firearms would have. Shouldnt this apply more broadly to include cyber defense software?