In June, Reuters reported that several defense contractors, including IBM, Cisco, and Germany’s SAP, had allowed the FSBto inspect key aspects of the source code for various software products. In October, Reuters added to the list an HP Enterprise product called ArcSight, described as “a cybersecurity nerve center for much of the U.S. military, alerting analysts when it detects that computer systems may have come under attack.” Reuters quoted a former senior Commerce Department official saying, “It’s something we have a real concern about.”
Concerns aside, the Pentagon says there was no specific policy or rule to prohibit buying consumer-of-the-shelf equipment or products inspected by the FSB. Pentagon spokesman Army Maj. Jamie Davis said the Defense Department would address concerns about FSB-scanned products in accordance with its 2012 policy on software trust issues: DoDI 5200.44, or the Protection of Mission Critical Functions to Achieve Trusted Systems and Networks.
“There is no plan at this time for a review or investigation, and there is also no plan at this time to require that contractors reveal the source code they have shared,” Davis said.