Incident: Software Vulnerability Exposed in ArcSight Cyber Defense System.

Published Date: 2017-10-02

Postmortem Analysis
Timeline
1. Hewlett Packard Enterprise allowed a Russian defense agency to review the inner workings of the ArcSight cyber defense software used by the Pentagon in the year before the 2017 report [64042].
2. Major global technology providers SAP, Symantec, and McAfee allowed Russian authorities to hunt for vulnerabilities in software deeply embedded across the U.S. government; this occurred in 2017 [67803].
System
1. ArcSight, by Hewlett Packard Enterprise [64042, 67803]
2. SAP HANA database system [67803]
3. Symantec Endpoint Protection antivirus software [67803]
4. McAfee Security Information and Event Management (SIEM) software [67803]
Responsible Organization
1. The Russian defense agency, the Federal Service for Technical and Export Control (FSTEC), which caused the incident by conducting source code reviews of cybersecurity software used by the Pentagon [64042, 67803].
2. Echelon, a company with close ties to the Russian military, which carried out the source code reviews on behalf of FSTEC [64042, 67803].
Impacted Organization
1. The U.S. military, including the Pentagon, Army, Air Force, and Navy, as well as other federal agencies such as the Office of the Director of National Intelligence and the State Department's intelligence unit [64042, 67803].
Software Causes
1. Major global technology providers, including SAP, Symantec, and McAfee, allowed Russian authorities to review the source code of software products deeply embedded across the U.S. government, potentially jeopardizing the security of computer networks in federal agencies [67803].
2. Hewlett Packard Enterprise (HPE) allowed a Russian defense agency to review the source code of its ArcSight cybersecurity software, used by the Pentagon, which could lead to the discovery of vulnerabilities in that software [64042].
Non-software Causes
1. A business decision to allow Russian authorities to review the source code of cybersecurity software used by the Pentagon [64042, 67803].
2. The tension U.S. technology companies face in balancing cybersecurity protection against business interests involving adversaries such as Russia and China [64042].
3. The requirement by Russian government agencies that source code be reviewed as a condition for selling products in the Russian market [67803].
4. Concerns raised by U.S. lawmakers about the security risks of allowing foreign source code reviews [67803].
Impacts
1. By allowing a Russian defense agency to review the ArcSight source code, Hewlett Packard Enterprise potentially enabled the discovery of vulnerabilities that attackers could exploit, a significant security risk to U.S. military and private sector networks [64042, 67803].
2. The review raised concerns about backdoor vulnerabilities and about attackers being able to blind the U.S. military to cyber attacks, a major weakness in the software that serves as the Pentagon's cybersecurity nerve center [64042].
3. The incident underscored the tension U.S. technology companies face between their role as protectors of U.S. cybersecurity and their pursuit of business with Russia and China, known adversaries in the cyber realm [64042].
4. The risk from Russian source code reviews proved more widespread than initially reported: SAP, Symantec, and McAfee also allowed Russian authorities to hunt for vulnerabilities in software used across a broad swath of the U.S. government, including sensitive areas such as the Pentagon, NASA, and the intelligence community [67803].
5. The practice jeopardized the security of computer networks in at least a dozen federal agencies, raising concerns among U.S. lawmakers and security experts about the integrity of the software protecting critical government systems [67803].
Preventions
1. Strict security protocols and controls to prevent unauthorized access to sensitive software source code, especially by foreign entities such as Russian defense agencies [64042, 67803].
2. Thorough security assessments and audits of software products to identify and fix vulnerabilities before attackers can exploit them [64042, 67803].
3. Regulation or legislation requiring vendors to disclose when they allow foreign governments to access source code, providing transparency and accountability [67803].
4. Refusing source code reviews by foreign entities, especially those with adversarial relationships, to reduce the risk of exposing critical software vulnerabilities [67803].
5. Better cybersecurity training and awareness within technology companies so that decision-makers understand the risks of allowing source code reviews by foreign governments [67803].
Fixes
1. Stricter regulation or legislation ensuring that sensitive software used by government agencies undergoes thorough security evaluation and source code review by trusted entities, so that vulnerabilities are found before they can be exploited [67803].
2. Encouraging technology companies to prioritize security over market access by refusing source code reviews of critical software by foreign governments, especially adversarial ones [67803].
3. Continuous monitoring and updating of software within government agencies to address identified vulnerabilities, even where the software has previously undergone source code review [67803].
4. Greater transparency between technology companies and government agencies about the security evaluations and source code reviews a product has undergone, so that all parties know the risks and can mitigate them [67803].
5. Stronger partnerships between government cybersecurity agencies and technology companies to share best practices and improve the security of software protecting critical infrastructure and sensitive information [64042, 67803].
References
1. Former U.S. intelligence officials, former ArcSight employees, and independent security experts [64042]
2. Echelon president and majority owner Alexey Markov [64042]
3. Russian Federal Service for Technical and Export Control (FSTEC) [64042]
4. HPE spokeswoman [64042]
5. Pentagon's Defense Information Systems Agency [64042]
6. Pentagon spokeswoman [64042]
7. U.S. lawmakers and security experts [67803]
8. SAP, Symantec, and McAfee [67803]
9. U.S. federal procurement documents and Russian regulatory records [67803]
10. Micro Focus, McAfee, SAP, Symantec, and Trend Micro [67803]
11. Democratic Senator Jeanne Shaheen [67803]
12. Lamar Smith, Republican chairman of the House Science, Space and Technology Committee [67803]
13. Pentagon [67803]
14. FSB security service and Russia's Federal Service for Technical and Export Control (FSTEC) [67803]
15. SAP spokeswoman [67803]
16. Symantec spokeswoman [67803]
17. McAfee [67803]
18. Echelon president Alexey Markov [67803]
19. Chris Inglis, former deputy director of the National Security Agency [67803]

Software Taxonomy of Faults

Category Option Rationale
Recurring
Option: one_organization, multiple_organization
Rationale:
(a) Happened again at one organization: the practice of allowing Russian authorities to review the source code of software used by the U.S. government recurred beyond Hewlett Packard Enterprise. SAP, Symantec, and McAfee also allowed Russian authorities to hunt for vulnerabilities in their software deeply embedded across the U.S. government [67803].
(b) Happened again at multiple organizations: besides Hewlett Packard Enterprise, SAP, Symantec, and McAfee allowed such reviews, potentially jeopardizing the security of computer networks in at least a dozen federal agencies [67803].

Phase (Design/Operation)
Option: operation
Rationale:
(a) The articles do not describe a failure related to the design phase of system development.
(b) The failure belongs to the operation phase: major global technology providers such as SAP, Symantec, and McAfee allowed Russian authorities to hunt for vulnerabilities in software deeply embedded across the U.S. government, potentially jeopardizing the security of computer networks in at least a dozen federal agencies, including the Pentagon, NASA, the State Department, the FBI, and the intelligence community [67803]. The reviewed software is in use across U.S. government agencies, and concerns were raised that such reviews may expose unknown vulnerabilities that could be used to undermine U.S. network defenses [67803].

Boundary (Internal/External)
Option: within_system, outside_system
Rationale: The incident is primarily within the system: SAP, Symantec, McAfee, and Hewlett Packard Enterprise allowed Russian authorities to review the source code of software products used by U.S. government agencies, including the Pentagon, NASA, the State Department, the FBI, and the intelligence community [64042, 67803]. This internal decision raised concerns that vulnerabilities in the software could be exploited by hackers and compromise U.S. government computer networks. The incident also has an outside-the-system element: Russian regulatory agencies and contractors conducted the reviews, introducing foreign influence and additional security risk to the software used by U.S. government agencies [64042, 67803].

Nature (Human/Non-human)
Option: human_actions
Rationale:
(a) Non-human actions: the articles do not mention any failure caused by non-human actions.
(b) Human actions: the potential security vulnerabilities stem from a human decision, namely the choice by SAP, Symantec, McAfee, and HPE to allow Russian authorities to review the source code of their products [64042, 67803]. This raised concerns for the security of U.S. federal agency networks, including the Pentagon, because the reviews could expose vulnerabilities that hackers could exploit.

Dimension (Hardware/Software)
Option: software
Rationale:
(a) The articles do not mention any failure caused by hardware issues.
(b) The failure concerns software vulnerabilities arising from allowing Russian authorities to review the source code of cybersecurity software used by the U.S. military and government agencies. The reviews raised concerns about weaknesses in the software that attackers could exploit, potentially compromising U.S. military and government networks [64042, 67803].

Objective (Malicious/Non-malicious)
Option: malicious
Rationale:
(a) Malicious: SAP, Symantec, and McAfee allowed Russian authorities to review the source code of software products deeply embedded across the U.S. government, including the Pentagon, NASA, the State Department, the FBI, and the intelligence community [67803]. The reviews were conducted by a Russian military contractor with close ties to Russia's security services, raising concerns that the vulnerabilities found could be exploited by hackers [67803]. U.S. lawmakers and security experts warned that the practice potentially jeopardized the security of computer networks in federal agencies and the state of U.S. network defenses [67803].
(b) Non-malicious: no instance was reported in which a source code review played a role in a cyberattack [67803]. Some security experts noted that hackers are more likely to find other ways into network systems than to rely solely on vulnerabilities discovered through source code review [67803]. Concerns nonetheless remained that allowing foreign governments such as Russia to review the source code of critical software used by the U.S. government could expose unknown vulnerabilities that undermine network defenses [67803].

Intent (Poor/Accidental Decisions)
Option: poor_decisions, accidental_decisions
Rationale:
(a) Poor decisions: SAP, Symantec, and McAfee decided to allow Russian authorities to conduct source code reviews of software products deeply embedded across the U.S. government [67803]. This potentially jeopardized the security of computer networks in at least a dozen federal agencies, including the Pentagon, NASA, the State Department, the FBI, and the intelligence community. Despite the concerns of U.S. lawmakers and security experts, the companies allowed the reviews because they were a requirement for selling in the Russian market, which could have introduced vulnerabilities exploitable by hackers [67803].
(b) Accidental decisions: Hewlett Packard Enterprise (HPE) allowed a Russian defense agency to review the source code of its ArcSight cybersecurity software, used by the Pentagon [64042]. The decision was part of HPE's effort to win certification to sell the product to Russia's public sector. The review could help attackers discover weaknesses in the software, a security vulnerability for the U.S. military's cyber defense systems; however, no hacks or cyber espionage resulting from the review were reported [64042].

Capability (Incompetence/Accidental)
Option: accidental
Rationale:
(a) The articles do not describe a failure caused by development incompetence.
(b) The failure relates to accidental factors: SAP, Symantec, and McAfee allowed Russian authorities to hunt for vulnerabilities in their software, potentially jeopardizing the security of computer networks in at least a dozen federal agencies [67803]. The reviews were permitted in order to sell in the Russian market, but they raised concerns for sensitive areas of the U.S. government, including the Pentagon, NASA, the State Department, the FBI, and the intelligence community [67803]. The accidental exposure of vulnerabilities through these reviews could undermine U.S. network defenses [67803].

Duration
Option: permanent
Rationale: The failure can be considered potentially permanent because of contributing factors introduced by all circumstances. SAP, Symantec, McAfee, and Hewlett Packard Enterprise allowed Russian authorities to review the source code of software products used across U.S. government agencies, including the Pentagon, NASA, the State Department, the FBI, and the intelligence community [67803]. The practice raised concerns about the security of federal agency networks, since the reviews could lead to the discovery of vulnerabilities exploitable by hackers [67803]. The articles also show that the failure is not a single instance but widespread, with multiple companies and a broad range of government agencies involved [67803], and that the reviews have been ongoing since at least 2014, indicating continuous exposure of critical software systems to potential vulnerabilities [67803]. Overall, the incident appears to be a permanent failure: it involves systemic issues in the security of software used by key U.S. government agencies, with potentially long-term consequences for cybersecurity risk.

Behaviour
Option: crash, other
Rationale:
(a) crash: the risk to the U.S. government from Russian source code reviews could amount to a crash, since it may render the software incapable of detecting cyber attacks on the military's network, making a response impossible [64042]. Allowing Russian authorities to hunt for vulnerabilities in software deeply embedded across the U.S. government, including products from SAP, Symantec, and McAfee, could likewise jeopardize the security of federal agency networks and lead to a crash scenario [67803].
(b) omission: the incident does not point to omission as the cause of the failure.
(c) timing: the incident does not relate to the system performing its intended functions at incorrect times.
(d) value: the incident does not relate to the system performing its intended functions incorrectly.
(e) byzantine: the incident does not relate to the system behaving with inconsistent responses and interactions.
(f) other: the incident involves the risk that allowing Russian authorities to review the source code of cybersecurity software used by the U.S. military leads to security vulnerabilities and exploitation by hackers [64042, 67803].


IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence
Option: property, non-human, theoretical_consequence
Rationale:
(a) unknown
(b) unknown
(c) unknown
(d) Property was impacted: the incident allowed a Russian defense agency to review the inner workings of cyber defense software used by the Pentagon, potentially exposing vulnerabilities that attackers could exploit [64042].
(e) unknown
(f) Non-human entities were impacted: major global technology providers allowed Russian authorities to hunt for vulnerabilities in software deeply embedded across the U.S. government, potentially jeopardizing the security of computer networks in at least a dozen federal agencies [67803].
(g) No real consequences of the incident were observed [64042].
(h) Theoretical consequences were discussed: the risk to the U.S. government from Russian source code reviews was more widespread than first reported, and concerns were raised about unknown vulnerabilities that could be used to undermine U.S. network defenses [67803].
(i) unknown

Domain
Option: information, knowledge, government
Rationale:
(a) The failed system supports the information industry: ArcSight serves as a cybersecurity nerve center for much of the U.S. military, alerting analysts when it detects potential cyber attacks on computer systems [64042].
(l) The failed system also supports the government industry: ArcSight is used across U.S. government agencies, including the Pentagon, NASA, the State Department, the FBI, and the intelligence community, to protect against cyber adversaries such as Russia [67803].

Sources
