The HPE system, called ArcSight, serves as a cybersecurity nerve center for much of the U.S. military, alerting analysts when it detects that computer systems may have come under attack. ArcSight is also widely used in the private sector, Reuters reports.
The Russian review of ArcSight's source code, the closely guarded internal instructions of the software, was part of HPE's effort to win the certification required to sell the product to Russia's public sector, according to the regulatory records seen by Reuters and confirmed by a company spokeswoman.
Six former U.S. intelligence officials, as well as former ArcSight employees and independent security experts, said the source code review could help Moscow discover weaknesses in the software, potentially helping attackers to blind the U.S. military to a cyber attack.
Read alsoRussia used Facebook ads to exploit racial, religious divisions in U.S. – media"It's a huge security vulnerability," said Greg Martin, a former security architect for ArcSight. "You are definitely giving inner access and potential exploits to an adversary."
Despite the potential risks to the Pentagon, no one Reuters spoke with was aware of any hacks or cyber espionage that were made possible by the review process.
Read alsoU.S. offers $5 mln to help Ukraine boost cybersecurityThe case highlights a growing tension for U.S. technology companies that must weigh their role as protectors of U.S. cybersecurity while continuing to pursue business with Washington’s adversaries such as Russia and China, say security experts.