UK tech firm Micro Focus to curb code reviews by ‘high risk’ governments

WASHINGTON: British tech firm Micro Focus International Plc, the new owner of ArcSight security software, said it would restrict reviews of the core operating instructions in its products by “high-risk” governments, after Reuters reported that the application had been scrutinized by Russia.

Micro Focus did not respond to questions seeking to clarify whether the countries included Russia or how it would determine which reviews were likely to be shared with governments. But a company spokeswoman said future reviews would require approval from Micro Focus’s chief executive.

A Micro Focus blog post published on Monday by ArcSight head Jason Schmitt defended the reviews of core software operating instructions, known as source code, as common. He said that “dozens of brand-name products have undergone the same type of certification testing.”

“Micro Focus will not allow any source code reviews if we reasonably believe the governments of high risk countries will have access to that review,” the Micro Focus spokeswoman said in an email to Reuters.

Micro Focus purchased the ArcSight product line from Hewlett Packard Enterprise Co in a sale completed last month. Reuters reported last week that HPE allowed a Moscow defense agency to review the inner workings of ArcSight, cyber defense software used by the Pentagon to guard its computer networks.

Cyber security experts, former U.S. intelligence officials and former ArcSight employees said the practice could help Moscow discover weaknesses in the software, potentially helping attackers to blind the U.S. military to a cyber attack.

Russia’s evaluation of ArcSight concluded last year, at a time when Washington was accusing Moscow of an increasing number of cyber attacks against American companies, U.S. politicians and government agencies, including the Pentagon. Russia has repeatedly denied the allegations.

Russia in recent years has stepped up demands for source code reviews as a requirement for doing business in the country, Reuters reported in June, and many companies have complied. ArcSight and other HPE security products were sold to Micro Focus in a transaction completed in September.