[ISN] Uneasiness About Security as Government Buys Software

From: InfoSec News (isnat_private)
Date: Tue Jul 08 2003 - 00:28:24 PDT


    http://www.nytimes.com/2003/07/07/technology/07BLOW.html
    
    By JOHN MARKOFF
    July 7, 2003
    
    Sitting at his laptop computer in a hotel near Toronto one day last 
    October, Gregory Gabrenya was alarmed by what he discovered in the 
    sales-support database of his new employer, Platform Software: the 
    names of more than 30 employees of the United States National Security 
    Agency.
    
    The security agency, one of many federal supercomputer users that rely 
    on Platform's software, typically keeps the identities of its 
    employees under tight wraps. Mr. Gabrenya, who had just joined 
    Platform as a salesman, found the names on a list of potential 
    customer contacts for Platform's sales team. The discovery 
    crystallized his growing concern that the company was perhaps too lax 
    about the national security needs of its United States government 
    customers, in the military, intelligence and research. 
    
    "Anyone who had an account on the system could see this list," Mr. 
    Gabrenya recalled in a recent interview. "They shouldn't be seeing 
    this information and I shouldn't be seeing it."
    
    What really worried him, Mr. Gabrenya said, was that Platform, 
    although based in Markham, Ontario, maintains a software maintenance 
    and testing operation in Beijing — which he was not sure the company 
    had made clear enough to its American government customers.
    
    He repeatedly raised the concerns with Platform executives, who say 
    his fears were unfounded. In March, Mr. Gabrenya, who had previously 
    worked for nearly 10 years as a salesman for the supercomputer maker 
    Silicon Graphics, was let go by Platform. The company said he had not 
    met sales goals. Mr. Gabrenya said his whistle-blowing led to his 
    dismissal.
    
    Mr. Gabrenya, a 42-year-old American, stressed that he had seen no 
    evidence of espionage or other wrongdoing by Platform employees either 
    in Canada or China. But he said that he was concerned about two 
    possibilities, that sensitive government information was not receiving 
    adequate protection and that the Chinese software operation could be 
    infiltrated by foreign agents who could tamper with software being 
    used by United States government agencies.
    
    The issues Mr. Gabrenya raised are part of a tension in the 
    information technology industry, as crucial computer programming is 
    increasingly performed outside the United States, either in the form 
    of jobs exported from this country or by a growing array of foreign 
    competitors.
    
    The trend poses risks, in the view of some American government 
    officials, because of the potential for foreign spies to sneak illicit 
    code into critical programs, and simply because the United States is 
    increasingly losing dominance in information technology.
    
    "Software is so goofy because there is so many lines of code that 
    hiding Trojans inside the system is the easiest thing in the world to 
    do," said Keith A. Rhodes, the chief technologist of the General 
    Accounting Office. "Setting aside national security, we're also 
    talking about a tremendous advantage you give to your national 
    competitors."
    
    The concerns cut both ways. The Chinese government has repeatedly 
    accused the United States military and intelligence organizations of 
    attempting to conduct espionage by manipulating American products sold 
    in China. The tracking features in Intel's microprocessors and 
    Microsoft's operating system software are of particular concern to 
    Chinese officials, which is one reason China is intent on expanding 
    its own technology industry.
    
    "The Chinese emergence as a global workshop for information technology 
    presents us with a new area of export control challenges," said James 
    Mulvenon, an analyst at the RAND Corporation.
    
    Hong Chen, a Chinese technologist in Silicon Valley, who is not 
    affiliated with Platform Software, said that there were software 
    technologies that the United States should jealously guard and not 
    develop overseas, but that Platform's was not among them. 
    
    "I don't think the technologies at stake here are crucial to national 
    security," said Mr. Chen, an executive who heads the Hua Yuan Science 
    and Technology Association, a Silicon Valley group of more than 1,000 
    entrepreneurs and technologists who were born in mainland China. 
    
    For the most part, Mr. Chen said, the United States and China should 
    freely exchange technologies. 
    
    Platform Software dominates the market for software that enables 
    clusters of powerful computers to work together. It has dozens of 
    United States federal customers, and computer makers including Dell, 
    I.B.M. and Silicon Graphics also sell its software to federal 
    customers. The company was co-founded in 1992 by a Chinese-born 
    computer scientist, Songnian Zhou, who received his Ph.D. from the 
    University of California at Berkeley, and who remains Platform's chief 
    technology officer.
    
    Mr. Gabrenya, who lives in Northern California, is still looking for 
    work. He said that shortly after he was hired by Platform, he began 
    raising his concerns with company executives, first in person and then 
    in writing. 
    
    In January, he spelled out his concerns in an e-mail message to his 
    boss: "After spending a little over 90 plus days here at Platform, I 
    find myself less comfortable in this job than when I began. The 
    reason? Our China office. It's clear that we now have people in 
    Beijing doing important development work and we are not, as a company, 
    telling our U.S. government customers. That's a problem in my mind. Is 
    this illegal?"
    
    The e-mail message and his persistent queries led the company to 
    blackball him, Mr. Gabrenya said. His relationship with Platform 
    deteriorated, he said, after he told the company that his security 
    concerns made him uncomfortable trying to sell its products to the 
    NASA Ames Laboratory, a government research center in Silicon Valley. 
    
    Executives at Platform Software dispute Mr. Gabrenya's charges, saying 
    the company has stringent rules in place to separate its foreign 
    operations from its domestic software development process and computer 
    systems. The company says that none of its software for customers in 
    the American government is developed in China and that it has 
    carefully informed those customers about its test and maintenance 
    organization in China. 
    
    "What I did say to Greg at the time is that there is clear demarcation 
    with respect to development of software and no code goes to China," 
    said Ian Baird, vice president for sales and marketing operations at 
    Platform. 
    
    The company also does not make customer information stored in its 
    sales support database generally available within the company, he 
    said, adding that it was unclear how it would have been possible for 
    Mr. Gabrenya to have the authorization to view the security agency 
    customer data.
    
    A security agency spokeswoman said last week that the agency was not 
    prepared to comment. 
    
    But several of the company's other United States government customers 
    said they were aware of Platform's operation in China and were not 
    concerned.
    
    A spokesman for one customer, the Los Alamos National Laboratory in 
    New Mexico, said that dealing with software written outside of the 
    United States was now a normal occurrence. 
    
    "Of course we knew that Platform has subsidiary offices all over the 
    world, including China," said Kevin Roark, a spokesman for the Los 
    Alamos laboratory. He said the lab reviewed all of the basic 
    programmer instructions, known as source code, before running software 
    used in classified applications. "The reality of software in the 21st 
    century," he said, "is you count on software having source from 
    foreign sources."
    
    Even before Mr. Gabrenya's complaints, Platform Software said, it had 
    been taking steps to isolate its overseas divisions from the sale of 
    its software technology to customers in the United States with 
    classified military and intelligence applications. The company 
    recently created a separate board for its unit that sells to the 
    United States government. 
    
    The board includes two former government officials: Oliver Revell, 
    president of the Revell Group International and former assistant 
    director of the Federal Bureau of Investigation, and Harry Soyster, 
    vice president of the Washington consultants Military Professional 
    Resources Inc. and a former lieutenant general in the Army who 
    directed the Defense Intelligence Agency.
    
    Mr. Revell said he was unfamiliar with the details of Mr. Gabrenya's 
    dispute with Platform, but said he thought the company had taken the 
    necessary steps to insulate itself from potential foreign intelligence 
    operations.
    
    "I've spent 35 years defending my country and I would not participate 
    or allow my name to be used in a company that had any potential risk 
    to the United States," Mr. Revell said. "As far as I'm concerned the 
    software provided will be thoroughly checked and all of the U.S. 
    government customers are aware of what's being done and where it's 
    being done."
    
    Mr. Gabrenya, for his part, said he could have gone to a lawyer and 
    attempted to reach a financial settlement with the company for what he 
    considers his wrongful termination, but that "it was not about money."
    
    "I have some moral concerns," he said. "This is about doing the right 
    thing."
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    


