Allowing foreign governments to require reviews of software secrets of technology products built by U.S. companies is "problematic," the top White House cyber security official said on Tuesday, adding that the increasingly common arrangements presented both security and intellectual property risks.
Rob Joyce, the White House cyber security coordinator, said that letting countries inspect source code, the closely guarded internal instructions of software, as a condition for entry into foreign markets was a protectionist effort by certain regimes that threatened a "free and open internet" and could "hobble" a product's security and privacy features.
Reuters on Monday reported that Hewlett Packard Enterprise (HPE) last year allowed a Russian defense agency to review the inner workings of cyber defense software known as ArcSight that is used by the Pentagon to guard its computer networks.
Cyber security experts, former U.S. intelligence officials and former ArcSight employees said the practice could help Moscow discover weaknesses in the software, potentially helping attackers to blind the U.S. military to a cyber attack.
"There are security aspects of those disclosures (and) they are problematic," Joyce, a former hacker at the U.S. National Security Agency, said at a Washington Post Cybersecurity Summit when asked specifically about the story.
He added that he was more concerned about the intellectual property risks associated with the reviews, however.
"If you give your source code to China as a condition of entering into that market, you've got to wonder if competitors are then going to start to adopt those features," Joyce said at the event, which was sponsored by HPE. "And we've seen some examples of that in the past and that really concerns us."
Asked about Joyce's comments, an HPE spokeswoman said the company "has never and will never take actions that compromise the security of our products or the operations of our customers."
The company said the reviews have taken place for years and are conducted by a Russian testing company at an HPE research and development center outside of Russia, where the software maker closely supervises the process, and that no code is allowed to leave the premises.
HPE has said the inspection process was necessary to obtain certification from Russia's Federal Service for Technical and Export Control (FSTEC), a defense agency tasked with countering cyber espionage, in order to sell software in Russia. The review of ArcSight's code was conducted by Echelon, a company with close ties to the Russian military, on behalf of FSTEC, according to Russian regulatory records and interviews with people with direct knowledge of the issue.
British tech company Micro Focus International Plc, which purchased ArcSight from HPE last year in a transaction completed in September, did not respond when asked about Joyce's remarks. Micro Focus has not responded to requests for comment on whether it would allow Russia to do similar source code reviews in the future.
Russia in recent years has stepped up demands for source code reviews as a requirement for doing business in the country, Reuters reported in June.
China in May adopted a new cyber security law that western companies have criticized for requiring overly strict data surveillance and storage requirements. The law has raised concern that companies will need to choose between compromising security to protect business and losing out on the enormous Chinese market.
"The idea that you can't enter China’s market without offering up your intellectual property in this way, without agreeing maybe to hobble some of the security and privacy features of it ... Russia is heading that way, a bunch of totalitarian regimes are heading that way," Joyce said.
(Reporting by Dustin Volz; Editing by Andrea Ricci)