Information Security News mailing list archives

Uneasiness About Security as Government Buys Software


From: InfoSec News <isn () c4i org>
Date: Tue, 8 Jul 2003 02:28:24 -0500 (CDT)

http://www.nytimes.com/2003/07/07/technology/07BLOW.html

By JOHN MARKOFF
July 7, 2003

Sitting at his laptop computer in a hotel near Toronto one day last 
October, Gregory Gabrenya was alarmed by what he discovered in the 
sales-support database of his new employer, Platform Software: the 
names of more than 30 employees of the United States National Security 
Agency.

The security agency, one of many federal supercomputer users that rely 
on Platform's software, typically keeps the identities of its 
employees under tight wraps. Mr. Gabrenya, who had just joined 
Platform as a salesman, found the names on a list of potential 
customer contacts for Platform's sales team. The discovery 
crystallized his growing concern that the company was perhaps too lax 
about the national security needs of its United States government 
customers, in the military, intelligence and research. 

"Anyone who had an account on the system could see this list," Mr. 
Gabrenya recalled in a recent interview. "They shouldn't be seeing 
this information and I shouldn't be seeing it."

What really worried him, Mr. Gabrenya said, was that Platform, 
although based in Markham, Ontario, maintains a software maintenance 
and testing operation in Beijing — which he was not sure the company 
had made clear enough to its American government customers.

He repeatedly raised the concerns with Platform executives, who say 
his fears were unfounded. In March, Mr. Gabrenya, who had previously 
worked for nearly 10 years as a salesman for the supercomputer maker 
Silicon Graphics, was let go by Platform. The company said he had not 
met sales goals. Mr. Gabrenya said his whistle-blowing led to his 
dismissal.

Mr. Gabrenya, a 42-year-old American, stressed that he had seen no 
evidence of espionage or other wrongdoing by Platform employees either 
in Canada or China. But he said that he was concerned about two 
possibilities, that sensitive government information was not receiving 
adequate protection and that the Chinese software operation could be 
infiltrated by foreign agents who could tamper with software being 
used by United States government agencies.

The issues Mr. Gabrenya raised are part of a tension in the 
information technology industry, as crucial computer programming is 
increasingly performed outside the United States, either in the form 
of jobs exported from this country or by a growing array of foreign 
competitors.

The trend poses risks, in the view of some American government 
officials, because of the potential for foreign spies to sneak illicit 
code into critical programs, and simply because the United States is 
increasingly losing dominance in information technology.

"Software is so goofy because there is so many lines of code that 
hiding Trojans inside the system is the easiest thing in the world to 
do," said Keith A. Rhodes, the chief technologist of the General 
Accounting Office. "Setting aside national security, we're also 
talking about a tremendous advantage you give to your national 
competitors."

The concerns cut both ways. The Chinese government has repeatedly 
accused the United States military and intelligence organizations of 
attempting to conduct espionage by manipulating American products sold 
in China. The tracking features in Intel's microprocessors and 
Microsoft's operating system software are of particular concern to 
Chinese officials, which is one reason China is intent on expanding 
its own technology industry.

"The Chinese emergence as a global workshop for information technology 
presents us with a new area of export control challenges," said James 
Mulvenon, an analyst at the RAND Corporation.

Hong Chen, a Chinese technologist in Silicon Valley, who is not 
affiliated with Platform Software, said that there were software 
technologies that the United States should jealously guard and not 
develop overseas, but that Platform's was not among them. 

"I don't think the technologies at stake here are crucial to national 
security," said Mr. Chen, an executive who heads the Hua Yuan Science 
and Technology Association, a Silicon Valley group of more than 1,000 
entrepreneurs and technologists who were born in mainland China. 

For the most part, Mr. Chen said, the United States and China should 
freely exchange technologies. 

Platform Software dominates the market for software that enables 
clusters of powerful computers to work together. It has dozens of 
United States federal customers, and computer makers including Dell, 
I.B.M. and Silicon Graphics also sell its software to federal 
customers. The company was co-founded in 1992 by a Chinese-born 
computer scientist, Songnian Zhou, who received his Ph.D. from the 
University of California at Berkeley, and who remains Platform's chief 
technology officer.

Mr. Gabrenya, who lives in Northern California, is still looking for 
work. He said that shortly after he was hired by Platform, he began 
raising his concerns with company executives, first in person and then 
in writing. 

In January, he spelled out his concerns in an e-mail message to his 
boss: "After spending a little over 90 plus days here at Platform, I 
find myself less comfortable in this job than when I began. The 
reason? Our China office. It's clear that we now have people in 
Beijing doing important development work and we are not, as a company, 
telling our U.S. government customers. That's a problem in my mind. Is 
this illegal?"

The e-mail message and his persistent queries led the company to 
blackball him, Mr. Gabrenya said. His relationship with Platform 
deteriorated, he said, after he told the company that his security 
concerns made him uncomfortable trying to sell its products to the 
NASA Ames Laboratory, a government research center in Silicon Valley. 

Executives at Platform Software dispute Mr. Gabrenya's charges, saying 
the company has stringent rules in place to separate its foreign 
operations from its domestic software development process and computer 
systems. The company says that none of its software for customers in 
the American government is developed in China and that it has 
carefully informed those customers about its test and maintenance 
organization in China. 

"What I did say to Greg at the time is that there is clear demarcation 
with respect to development of software and no code goes to China," 
said Ian Baird, vice president for sales and marketing operations at 
Platform. 

The company also does not make customer information stored in its 
sales support database generally available within the company, he 
said, adding that it was unclear how it would have been possible for 
Mr. Gabrenya to have the authorization to view the security agency 
customer data.

A security agency spokeswoman said last week that the agency was not 
prepared to comment. 

But several of the company's other United States government customers 
said they were aware of Platform's operation in China and were not 
concerned.

A spokesman for one customer, the Los Alamos National Laboratory in 
New Mexico, said that dealing with software written outside of the 
United States was now a normal occurrence. 

"Of course we knew that Platform has subsidiary offices all over the 
world, including China," said Kevin Roark, a spokesman for the Los 
Alamos laboratory. He said the lab reviewed all of the basic 
programmer instructions, known as source code, before running software 
used in classified applications. "The reality of software in the 21st 
century," he said, "is you count on software having source from 
foreign sources."

Even before Mr. Gabrenya's complaints, Platform Software said, it had 
been taking steps to isolate its overseas divisions from the sale of 
its software technology to customers in the United States with 
classified military and intelligence applications. The company 
recently created a separate board for its unit that sells to the 
United States government. 

The board includes two former government officials: Oliver Revell, 
president of the Revell Group International and former assistant 
director of the Federal Bureau of Investigation, and Harry Soyster, 
vice president of the Washington consultants Military Professional 
Resources Inc. and a former lieutenant general in the Army who 
directed the Defense Intelligence Agency.

Mr. Revell said he was unfamiliar with the details of Mr. Gabrenya's 
dispute with Platform, but said he thought the company had taken the 
necessary steps to insulate itself from potential foreign intelligence 
operations.

"I've spent 35 years defending my country and I would not participate 
or allow my name to be used in a company that had any potential risk 
to the United States," Mr. Revell said. "As far as I'm concerned the 
software provided will be thoroughly checked and all of the U.S. 
government customers are aware of what's being done and where it's 
being done."

Mr. Gabrenya, for his part, said he could have gone to a lawyer and 
attempted to reach a financial settlement with the company for what he 
considers his wrongful termination, but that "it was not about money."

"I have some moral concerns," he said. "This is about doing the right 
thing."



-
ISN is currently hosted by Attrition.org
