By Joel Schectman and Dustin Volz
WASHINGTON (Reuters) – British tech firm Micro Focus International Plc <MCRO.L>, the new owner of ArcSight security software, said it would restrict reviews of the core operating instructions in its products by “high-risk” governments, after Reuters reported that the application had been scrutinized by Russia.
Micro Focus did not respond to questions seeking to clarify whether the countries included Russia or how it would determine which reviews were likely to be shared with governments. But a company spokeswoman said future reviews would require approval from Micro Focus’s chief executive.
And a Micro Focus blog posted on Monday by ArcSight head Jason Schmitt defended the reviews of core software operating instructions, known as source code, as common. He said “that dozens of brand-name products have undergone the same type of certification testing.”
“Micro Focus will not allow any source code reviews if we reasonably believe the governments of high risk countries will have access to that review,” the Micro Focus spokeswoman said in an email to Reuters.
Micro Focus purchased the ArcSight product line from Hewlett Packard Enterprise Co <HPE.N> in a sale completed last month. Reuters reported last week that HPE allowed a Moscow defense agency to review the inner workings of ArcSight, a cyber defense software used by the Pentagon to guard its computer networks.
Cyber security experts, former U.S. intelligence officials and former ArcSight employees said the practice could help Moscow discover weaknesses in the software, potentially helping attackers to blind the U.S. military to a cyber attack.
Russia’s evaluation of ArcSight concluded last year, at a time when Washington was accusing Moscow of an increasing number of cyber attacks against American companies, U.S. politicians and government agencies, including the Pentagon. Russia has repeatedly denied the allegations.
Russia in recent years has stepped up demands for source code reviews as a requirement for doing business in the country, Reuters reported in June, and many companies have complied.
ArcSight, and other HPE security products, were sold to Micro Focus in a transaction completed in September.
Micro Focus also said it would notify the U.S. government and seek feedback before allowing source code reviews “where applicable.” The company spokeswoman did not respond to questions requesting clarification of when such notifications would apply.
Some companies have decided to stop allowing source code reviews as a condition to do business in a foreign market. For example, Symantec decided in 2016 that they would no longer allow such reviews because of security concerns.
HPE did not alert the Defense Information Systems Agency, which purchases ArcSight for the military, that it had allowed the Russian review, a DISA spokeswoman told Reuters.
The DISA spokeswoman said the agency has no immediate plans to pullback on its use of ArcSight or reconsider its procurement rules in light of the Reuters report. The Pentagon continually evaluates software for security risks, the DISA spokeswoman said.
According to Russian regulatory records and interviews with people with direct knowledge of the issue, the review of ArcSight’s code was conducted by Echelon, a company with close ties to the Russian military. The review was done on behalf of Russia’s Federal Service for Technical and Export Control (FSTEC), a defense agency that counters cyber espionage.
HPE said code reviews have taken place for years and are conducted by Russian-government accredited testing companies at an HPE research and development center outside of Russia, where the software maker closely supervises the process.
No code is allowed to leave the premises ensuring “our source code and products were in no way compromised,” an HPE spokeswoman said in an email last week. She said in a phone call on Monday that no current HPE products had gone through the Russian review process.
ArcSight source code was tested in August 2015, the Micro Focus spokeswoman said, several months before HPE was spun off from Hewlett-Packard Inc. The Russian certification process for ArcSight was completed in August 2016, according to Russian regulatory records.
HPE has said the inspection process was necessary to obtain certification from Russia’s FSTEC in order to sell software to the public sector in Russia.
(Reporting by Joel Schectman and Dustin Volz; editing by Grant McCool)