Not that you need another reminder that government cybersecurity is screwed, but here we are: After a four-year federal probe, contractors will pay a combined $12.75 million in civil penalties to settle a suit alleging that they let Russian programmers write military code.
This includes code used for the Defense Information Systems Agency, the Department of Defense agency that serves as the DoD’s joint operational arm of defensive cyberspace operations. Imagine hiring Tonya Harding as an armed guard for Nancy Kerrigan. That situation is about as stupid as what these contractors were accused of doing.
John C. Kingsley used to work for Netcracker Technology before he filed a 2011 complaint against his employer and Computer Sciences Corporation, the company that subcontracted Netcracker to do work for DISA. In the recently unsealed complaint, he alleges that Netcracker used Russian programmers who were far cheaper than their clearance-holding US counterparts.
It gets worse. Kingsley alleges that Netcracker gave DISA code that was “not checked for back doors, time bombs or other hidden and malicious triggers by US citizens with the proper security clearances before it was placed on DISA’s networks.”
Neither Netcracker nor CSC admitted liability, and the settlement didn’t establish liability.
The Center for Public Integrity contacted DISA about the case:
Asked to confirm that the Russians’ involvement in the software work led to the presence of viruses in the U.S. military’s communications systems, Alana Johnson, a spokeswoman for the Defense Information Systems Agency, declined to answer on the grounds that doing so could compromise the agency’s “national security posture.”
Since some of the court records about the investigation are still sealed, it’s not clear how much the government’s investigation into Netcracker’s Russian habit turned up. It’s also not clear if the Justice Department will pursue criminal charges.
“Companies that do business with the federal government have a responsibility to fully meet the terms of their contracts,” US Attorney Channing D. Phillips said in a statement. “In addition to holding these two companies accountable for their contracting obligations, this settlement shows that the U.S. Attorney’s Office will take appropriate measures necessary to ensure the integrity of government communications systems.”
It seems that appropriate measures were definitely not taken here “to ensure the integrity of government communications systems.” But OK, the US Attorney’s Office isn’t in charge of hiring DISA programmers.
Image: AP (And not a Russian hacker: It’s computer forensic examiner Gil Moreno at the Department of Defense Cyber Crime Center)