The Department of Defense and the National Security Agency (NSA) can’t seem to catch a break. Their phenomenally good work in the world of cybersecurity is being undermined by the actions of insiders and well meaning, but wrong-headed contractors.
Today, The Hill loosely suggests connecting the dots between Kaspersky labs exploiting their presence on individual computers to the theft of of millions of records from the NSA by Hal Martin (an alternative interpretation could be there has been a separate insider who took NSA secrets out the door). We previously examined the suitcases of classified materials Martin purloined. As time passes it seems more likely the Martin trove may have been the source for the Shadow Brokers coming into possession of intelligence community offensive cyber operations materials. This comes on the heels of Senator Jeanne Shaheen ‘s (D-ME) tersely worded NY Times op-ed in September, which castigated the lack of security and the continued use of Kaspersky Labs security products.
Defending Russia and American Cyberdefenses – Simultaneously
Earlier this week we learned via a Reuters special report that HP Enterprise has been sharing data on the DoD’s cyberdefense system as part of their sales pitch.
Reuters sourced the information to regulatory records in Russia (we did not have the access to determine if such records exist, so we’re taking Reuters at their word). Here’s what the Russians were given access to,
“The Russian review of ArcSight’s source code, the closely guarded internal instructions of the software, was part of HPE’s effort to win the certification required to sell the product to Russia’s public sector, according to the regulatory records seen by Reuters and confirmed by a company spokeswoman.
HP Enterprise noted that during the Russian review, “no backdoor vulnerabilities” were discovered, and this is business as usual. The source code wasn’t left with the Russians, their third-party testing regime and processes were conducted outside of Russia and in HP’s facilities. From their perspective, there is no compromise. There is no security issue. They hope they get certified to allow their products to be sold in Russia.
Meanwhile over at the Pentagon, they are reportedly tight-lipped on whether or not their provider intended to reveal to the Russians the source code of the products which provide analytic support to the Pentagon.
Do defense contractors have a choice?
Yes, they have a choice. They can say ‘no’ to the business opportunity and basically pick sides. Instead, they went for the Russian certification. This is far from the first instance of defense contractors allowing controlled reviews of its products.
It is difficult to imagine that some over at the DoD are not channeling a bit of Laurel and Hardy, “Well, here’s another nice mess you’ve gotten me into” as they get their mops out to clean-up another cybersecurity puddle.