Cyber Warfare: No rifles, bombs, hand grenades,
or tanks —
à la mode: Wireless
keyboards
WASHINGTON & MOSCOW (Reuters)
– Major global technology providers SAP (SAPG),
Symantec (SYMC),
and McAfee (MCAF)
have
allowed Russian authorities to hunt for vulnerabilities in software deeply
embedded across the U.S. government, a Reuters investigation has found.
Pretty startling headlines to this story (my
emphasis is added and key parts are boxed off) – very disturbing to
say the least:
Tech Firms let Russia probe software widely used
by U.S. Government
IMPACT STATEMENT: The practice potentially jeopardizes
the security of computer networks in at least a dozen federal agencies, U.S.
lawmakers and security experts said. It involves more companies and a broader
swath of the government than previously reported.
In order to
sell in the Russian market, the tech companies let a Russian defense agency
scour the inner workings, or source code, of some of their products. Russian
authorities say the reviews are necessary to detect flaws that could be
exploited by hackers.
(I note: So, business deals is the name of the game, um, I see, I see - so, just make a fast buck as it were).
But those same products protect some of the most
sensitive areas of the U.S government, including the Pentagon, NASA, the State
Department, the FBI, and the IC (Intelligence Community), against hacking by
sophisticated cyber adversaries like Russia.
Reuters revealed in October that
Hewlett Packard Enterprise (HPEN)
software known as ArcSight, used to
help secure the Pentagon’s computers, had been reviewed by a Russian military
contractor with close ties to Russia’s security services.
Now, a Reuter’s review of hundreds of U.S. federal
procurement documents and Russian regulatory records shows that the potential
risks to the U.S. government from Russian source code reviews are more
widespread.
Beyond the Pentagon, ArcSight
is used in at least seven other agencies, including the DNI (Director of
National Intelligence office) and the State Department's intelligence unit.
The Pentagon said in a previously unreported letter to
Democratic Senator Jeanne Shaheen that source code reviews by Russia and China “may
aid such countries in discovering vulnerabilities in those products.”
Reuters has
not found any instances where a source code review played a role in a
cyberattack, and some security experts say hackers are more likely to find
other ways to infiltrate network systems.
But the Pentagon is not alone in expressing concern.
Private sector cyber experts, former U.S. security officials and some U.S. tech
companies told Reuters that allowing Russia to review the source code may
expose unknown vulnerabilities that could be used to undermine U.S. network defenses.
Many of the Russian reviews have occurred since 2014, when U.S.-Russia
relations plunged to new lows following Moscow’s annexation of Crimea. Western
nations have accused Russia of sharply escalating its use of cyber-attacks
during that time, an allegation Moscow denies.
Most U.S. government agencies declined to comment when
asked whether they were aware technology installed within their networks had
been inspected by Russian military contractors.
Tech
companies wanting to access Russia’s large market are often required to seek
certification for their products from
Russian agencies, including the FSB security service and Russia’s Federal Service for Technical and Export Control (FSTEC), a defense agency tasked with
countering cyber espionage. FSTEC declined to comment and the FSB did not
respond to requests for comment.
SAP HANA, a
database system, underwent a source code review in order to obtain
certification in 2016, according to Russian regulatory records. The software
stores and analyzes information for the State Department, Internal Revenue
Service, NASA and the Army.
SAP spokeswoman said any source code reviews were
conducted in a secure, company-supervised facility where recording devices or
even pencils “Are strictly forbidden, and all governments and governmental
organizations are treated the same with no exceptions,” the spokeswoman said.
While some companies have since stopped allowing
Russia to review source code in their products, the same products often remain
embedded in the U.S. government, which can take decades to upgrade technology.
Security
concerns caused Symantec to halt all government source code reviews in 2016,
the company’s chief executive told Reuters in October. But Symantec Endpoint
Protection antivirus software, which was reviewed by Russia in 2012, remains in
use by the Pentagon, the FBI, and the Social Security Administration, among
other agencies, according to federal contracting records reviewed by Reuters.
Summary
Extracted from the Story: The cyber firm’s Security Information and Event Management
(SIEM) software was reviewed in 2015 by a Moscow-based government contractor, Echelon, on behalf of FSTEC, according
to Russian regulatory documents.
McAfee confirmed this. The Treasury Department
and Defense Security Service, a Pentagon agency tasked with guarding the
military’s classified information, continue to rely on the product to protect
their networks, contracting records show.
McAfee declined to comment, citing customer
confidentiality agreements, but it has previously said the Russian reviews are
conducted at company-owned premises in the United States.
On its website, Echelon describes itself as an
official laboratory of the FSB, FSTEC, and Russia’s defense ministry. Alexey
Markov, the president of Echelon, which also inspected the source code for
ArcSight, said U.S. companies often initially expressed concerns about the
certification process. “Did they have any? Absolutely!!” Markov wrote in an
email and: “The less the person making the decision understands about
programming, the more paranoia they have. However, in the process of clarifying
the details of performing the certification procedure, the dangers and risks
are smoothed out.”
Markov said his team always informs tech companies before
handing over any discovered vulnerabilities to Russian authorities, allowing
the firms to fix the detected flaw. The source code reviews of products
“significantly improves their safety,” he said.
Chris Inglis, the former deputy director of the NSA
(United States premier electronic spy agency), disagrees, saying: “When you’re
sitting at the table with card sharks, you can’t trust anyone. I wouldn’t show
anybody the code.”
I say, amen to that, Mr. Inglis, amen – now what? Punt…
hardly that well, it ~~~ seems out of step.
As I said
at the top this is a very disturbing story – very much so.
Cyber warfare could actually be more dangerous than
gun fire in the long term with only one giant controlling the globe as it were.
Short of all out nuclear war (that would end it for all mankind), cyber warfare
would end it for most countries by simply sending them most back to the
stone-age in caves and wearing goat skin clothing.
Ponder that image.
Stay tuned.
No comments:
Post a Comment