By Dustin Volz and Joel Schectman
WASHINGTON (Reuters) - A U.S. senator on Tuesday asked the Defense Department to explain how it manages the risks when it uses software that has been scrutinized by foreign governments, saying the practice may represent a national security threat.
Reuters reported earlier this month that Hewlett Packard Enterprise Co allowed a Russian defense agency to review the source code or inner workings of cyber defense software known as ArcSight, which is used by the Pentagon to guard its computer networks.
"HPE's ArcSight system constitutes a significant element of the U.S. military's cyber defenses,” Democratic Senator Jeanne Shaheen wrote in a letter to Defense Secretary James Mattis seen by Reuters.
Shaheen, a member of the Senate Armed Services Committee, said disclosure of ArcSight's source code to the Russian agency presented an "opportunity to exploit a system used on [Defense Department] platforms."
Shaheen questioned whether the Trump administration was pushing back on demands for source code from Russia and elsewhere that are imposed on U.S. companies as a condition for entry into foreign markets.
Such reviews highlight a quandary for U.S. technology companies, as they weigh U.S. cyber security protections while pursuing business with some of Washington’s adversaries, including Russia and China, according to security experts.
"I understand that individual businesses must make decisions weighing the risk of intellectual property disclosure against the opportunity of accessing significant overseas markets," Shaheen wrote. "However, when such products undergird [Defense Department] cyber defenses, our national security may be at stake in these decisions."
The Pentagon and HPE did not immediately respond to requests for comment about the letter.
Cyber security experts, former U.S. intelligence officials and former ArcSight employees said the review of ArcSight’s core instruction, also known as source code, could help Moscow discover weaknesses in the software, potentially helping hackers to blind the U.S. military to an attack.
HPE has said in the past that such reviews, by a Russian government-accredited testing company, have taken place for years at a research and development center it operates outside of Russia.
The software maker has also said it closely supervises the process and that no code is allowed to leave the premises, ensuring it does not compromise the safety of its products. A company spokeswoman said last week that no current HPE products have undergone Russian source code reviews.
HPE was spun off from Hewlett-Packard Inc as a separate software company in 2015.
Shaheen's letter asked Mattis whether he foresaw risks associated with the disclosure of ArcSight's code and whether the Pentagon was monitoring whether technology vendors share source code or "other sensitive technical data."
She also asked how frequently vendors disclose the source code of products used by the Pentagon to foreign governments.
Shaheen recently led successful efforts in Congress to ban all government use of software provided by Moscow-based antivirus firm Kaspersky Lab, amid allegations the company is allied with Russian intelligence. Kaspersky vehemently denies such links.
Tech companies have been under increasing pressure to allow the Russian government to examine source code in exchange for approvals to sell products in Russia. While many Western firms have complied, some, including California-based cyber firm Symantec, have refused.
ArcSight was sold to British tech company Micro Focus International Plc in a deal completed in September.
The company said last week that while source code reviews were a common industry practice, it would restrict future reviews by “high-risk” governments and subject them to chief executive approval.
(Reporting by Dustin Volz and Joel Schectman; Editing by Jonathan Weber and Tom Brown)