[ISN] U.S. to Curb Computer Access by Foreigners

From: InfoSec News (isnat_private)
Date: Thu Mar 07 2002 - 23:42:59 PST


    Forwarded from: bob <bobat_private>
    Los Angeles Times Staff Writer
    March 7 2002
    Sparked by heightened security concerns since the Sept. 11 terrorist
    attacks, the Defense Department has begun laying the groundwork to ban
    non-U.S. citizens from a wide range of computer projects.
    The planned policy--slated for adoption within 90 days--extends
    restrictions on foreign nationals handling secret information to
    "sensitive but unclassified positions," which include the swelling
    numbers of contract workers who process paychecks, write software,
    track supplies and maintain e-mail systems.
    The move comes amid a growing awareness of the vulnerability of
    government computer systems in an era when software espionage and
    malicious hacking have become commonplace.
    The Defense Department's proposal, covering a work force that accounts
    for one-third of federal civilian employees, would represent the most
    sweeping implementation of the government's restrictions on foreign
    technology workers. The much-smaller Justice Department instituted
    little-noticed restrictions in July, and the Treasury Department has
    had a ban on noncitizens working on its communications systems since
    Officials said the restrictions are needed to get a handle on the
    proliferation of foreign nationals who work on government computer
    systems, but the plan has raised concerns that the government is being
    xenophobic and shortsighted.
    Experts said barring foreign nationals from certain computer projects
    opens the prospect that key jobs will go unfilled because of a
    shortage of qualified citizens--a situation exacerbated by the
    relatively small number of U.S. students who pursue advanced
    technology degrees. Costs may also rise sharply as higher-paid U.S.
    citizens replace foreign workers.
    "You can easily create a critical manpower shortage," said Annalee
    Saxenian, a professor of city and regional planning at UC Berkeley who
    has studied the effect of immigrants on the technology industry.
    "There's probably no company in Silicon Valley that doesn't have from
    10% to 40% of their work force who are foreign nationals. . . .
    [Defense Department officials may be] boxing themselves into a
    situation where they will lose the best talent."
    Even Richard A. Clarke, top cyber-security advisor to President Bush,
    views the restrictions as a misguided priority.
    "Rather than worry about what country somebody was born in, we ought
    to focus on the design and the architecture of our information
    systems," he said, adding that he supports the use of background
    checks, automatic recorders that log keystrokes by programmers and
    stricter rules on individuals changing data.
    "In general, trying to restrict the [information technology]
    professional that we use to American citizens is not going to be an
    effective approach," Clarke said. "The United States does not produce
    enough American citizens who are IT-security-trained to operate our

    Computer Security Is Long-Standing Problem

    Analysts long have warned about lax security in government computer
    "These [software] systems are wide open," said Ed Yourdon, an
    independent expert in technology security policy. "The vast majority
    of bad things done on computer systems are done by insiders--not
    teenage hackers in Moscow."
    Two years ago, the General Accounting Office, the investigative arm of
    Congress, studied the use of foreign contractors by federal agencies
    working to fix year 2000 software problems. It found foreign nationals
    working on 85 contracts for "mission-critical" software. Yet several
    of the agencies investigated lacked even rudimentary controls over
    contractors' work.
    The Navy sent software or data associated with 36 mission-critical
    systems to a foreign-owned contractor yet "could not readily determine
    how the code and data were protected during and after transit to the
    contractor facility," the GAO report said.
    "In many instances, the [Defense Department] was not aware when some
    programming changes were being done by a contractor who used foreign
    nationals," said David L. McClure, who led the GAO study.
    The Health and Human Services Department used software engineers from
    Pakistan, Russia and Ukraine without performing background checks.
    Similar lapses were found in the departments of Energy, Agriculture
    and State, as well as NASA and other federal agencies. None of those
    agencies is considering new restrictions in the use of foreign
    nationals, although some require regular employees to be citizens.
    The Defense Department previously had been developing a system of
    security restrictions for foreign nationals working on unclassified
    computer operations, but Sept. 11 prompted plans for more restrictive

    IT Work Routinely Given to Foreigners

    "The IT business has become largely contractual, with programming and
    data work being farmed out to areas where there is cheap labor," Pete
    Nelson, the Defense Department's deputy director for personnel
    security, wrote in an e-mail to The Times. "If this trend does not
    simultaneously take into consideration security requirements, there
    would be reason for concern. Some foreign nationals--those in the most
    sensitive position--may not be permitted to remain."
    Nelson said no details of the policy would be made public until it
    becomes final.
    The Defense Department had no estimate of how many noncitizens it has
    as employees or contractors but acknowledged that the shift could
    prove costly.
    Some major defense technology contractors also said they could not
    readily estimate how many of their employees are foreign nationals.
    Industry experts believe that thousands of jobs could be involved.
    Major technology contractors, such as Science Applications
    International Corp. in San Diego and Computer Sciences Corp. in El
    Segundo, said they can meet any new Defense Department requirements.
    Smaller contractors may have more difficulty doing so.
    Indus Corp., a 300-employee technology contractor in Vienna, Va., that
    works with the military and other government agencies, fulfills
    military contracts without tapping its 40 to 45 employees who are not
    U.S. citizens, said Chief Executive Shiv Krishnan.
    "In the future, there may be opportunities we can't bid on because of
    the dearth of available talent," said Krishnan, who came to the U.S.
    from India to study and gained American citizenship 12 years ago.
    Dan Kuehl, a professor of cyber-security at the National Defense
    University in Washington, said any move to restrict unclassified tasks
    to U.S. citizens could create a logistical nightmare.
    Despite the high-tech recession, the country faces chronic shortages
    of professionals who can manage the complex computer systems,
    databases and networks prevalent in government agencies. The high-tech
    industry relies heavily on Indian, Chinese and other Asian workers--a
    group that long has complained about being unfairly targeted on issues
    of U.S. loyalty.
    Those shortages prompted Congress to create a special visa program
    through the Immigration Act of 1990 known as H-1B, which permitted
    more than 163,000 highly skilled foreign workers to take jobs in this
    country last year. Many are employed by defense contractors.
    A move away from using foreign nationals also could increase
    contracting costs--building pressure on managers to make do with fewer
    tech professionals, which would itself be a security liability, said
    John Pescatore, a security analyst with GartnerGroup Inc.
    Relatively few U.S. students are being trained to fill the gap, while
    foreign student enrollment in technology programs at U.S. universities
    has soared. From 1991 to 2000, 46% of U.S. doctoral degrees in
    computer science were awarded to foreign students, the National
    Science Foundation said.
    "The same security concerns are being expressed about the entire
    critical infrastructure"--both government and private, Yourdon said.
    "We have foreign nationals working in systems that control electrical
    power or move billions of dollars around the financial systems or
    control trades on the Nasdaq."
    But banning noncitizens from sensitive jobs may offer little assurance
    of security, he said. Three of the most damaging espionage cases in
    U.S. history--those of the CIA's Aldrich Ames, the FBI's Robert Philip
    Hanssen and the Navy's Walker family spy ring--involved U.S. citizens
    who were direct employees of the government and had access to
    classified computer systems.