Echelon says it’s required to report software vulnerabilities to the Russian government but only after letting the software makers know. And HPE told Reuters that reviews are done at an HPE facility under the supervision of HPE staff and that no vulnerabilities were found during this particular review.
Even if a vulnerability had been discovered and not disclosed, it wouldn’t allow attackers to just waltz into US military networks. It could, in theory, make it easier to hide an ongoing attack, delaying defense responses and upping the chance of a successful breach. The review took place around the same time that the US was accusing Russia of initiating cyber attacks against a number of US agencies and politicians.
A Pentagon Defense Information Systems Agency spokesperson told Reuters that HPE didn’t let the Pentagon know about the review but that it also wasn’t required to. The ArcSight review may not have unearthed any backdoors or resulted in any additional cyber infiltrations, but at the very least it seems that, when it comes to the US military, using popular off-the-shelf security software might be a vulnerability in itself.