[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] Software, Security, and Ethnicity



http://www.businessweek.com/technology/content/dec2002/tc20021217_3779.htm

DECEMBER 17, 2002 
SECURITY NET 
By Alex Salkever 

The U.S. government's probe at software maker Ptech, owned by a 
Lebanese, has lots in common with the 1998 Wen Ho Lee case.

The 2,000-mile distance from the stark high desert of Los Alamos,
N.M., to the high-tech office parks of Boston's suburbs appears to
have shrunken dramatically in the past two weeks. I'm referring to the
cases of Wen Ho Lee and Oussama Ziade. Both represent the federal
government's fears that moles could work their way into the U.S. and
achieve positions of trust that they later use to harm national
interests. Whether Ziade is in fact such a mole seems unlikely, but
expect the scenario playing out in Quincy, Mass., where his company,
Ptech, is based, to be often repeated as the war on radical Islamic
terrorists ramps up.

The connection between Lee and Ziade? Call it the ghost of Christmas
past. On Dec. 23, 1998, Lee, then a computer scientist at Los Alamos
National Laboratory, failed a polygraph test. He had been working on
semisecret nuclear weapons programs, and the lie-detector results
sparked FBI concerns that China had used Lee to steal sensitive U.S.  
bomb plans. The scientist's eight-month incarceration left a noxious
taste in the mouths of thousands of U.S.-based researchers of Chinese
nationality or Chinese descent who had to take polygraph tests at the
U.S. government's behest. Lee walked free in the end, but the specter
of electronic espioniage by foreign nations and terrorist groups has
loomed large ever since.

COLLATERAL DAMAGE.  This holiday season, the FBI is on the case again,
this time investigating Ptech, which makes software used to organize
information by a host of clients including the U.S. Navy, the IRS, and
many companies in the private sector. Ptech's CEO is Ziade, a Lebanese
who has held U.S. citizenship for four years. Ziade, a
Harvard-educated physicist, has a handful of employees of Middle
Eastern ethnicity or family ties to predominantly Muslim countries,
including Egypt.

On Dec. 6, agents from the U.S. Customs Service and the FBI raided
Ptech's offices as part of an investigation into whether the company
has been used by a Saudi businessman now on the terrorism watch list
to channel funds to al Qaeda. Although Ptech's software was not the
initial target of the inquiry, as allegations built, Ziade found
himself defending his product's integrity. Thus far, nothing untoward
has been found in the software despite rigorous audits, and most
experts discount any possibility that Ptech's code holds dangerous
back doors that would allow unauthorized access to computer systems.

As Lee found himself out of a job days before Christmas, Ziade may
find himself in a similar situation. Two banks have closed Ptech
accounts, the company claims. Several customers that were in the
pipeline have told Ptech they would take a wait-and-see approach.  
"That's very difficult for a company trying to grow," says Greg White,
an attorney representing the software maker.

"CONTINGENCY PLANS."  To boot, influential information-technology
consultancy Gartner sent out a note warning its clients to steer clear
of Ptech software due to concerns that it might not survive the
fallout from the publicity. Wrote Gartner on Dec. 9: "Regardless of
the eventual outcome, the federal investigation will strain Ptech's
finances and divert its management team. Ptech customers should
prepare contingency plans, such as obtaining escrow rights to the code
and evaluate other vendors."

Of course, neither situation represents an entirely black-and-white
case of overzealous government paranoia. Lee brought classified files
home against Los Alamos' and Energy Dept. rules. And while U.S.  
Justice Dept. investigators have said Ptech's software holds no back
doors or other intentional security flaws tailor-made for spying, the
Saudi Arabian businessman now on the Treasury Dept.'s watch list may
have had some ties to funding that Ptech recieved for its operations
in 1994. White points out that the Saudi man wasn't on any published
lists of people financing terrorism at the time of the investments.

Washington now finds itself in a familiar but uncomfortable position.  
The Lee case upset many talented researchers of Chinese ancestry or
citizenry who were working for the U.S. government. Demoralized by the
scrutiny, many of them left jobs at federal labs rather than undergo
polygraph tests.

CREDIBLE THREAT.  By the same token, the Ptech affair has already cast
a dark light upon the wide activities of Middle Eastern or Muslim
computer programmers and software executives, many of whom are
providing useful innovation to the U.S. and its allies. Witness
Hossein Eslambolchi, the CTO of AT&T and holder of 87 patents who has
played a key role in developing advanced fiber-optic data links.

Still, the possibility of an insider threat is credible on multiple
levels. Israeli software programmers, most of whom learned their trade
while serving in the military, occupy high-level positions at numerous
computer-security software concerns in the U.S. Gil Shwed, one of the
most influential people in the firewall business and the founder of
industry leader Check Point Software (CHKP ), learned his trade in the
Israeli Defense Force, and the company maintains research labs in
Israel. Check Point declined to comment for this story.

Likewise, former or current citizens of China have helped build some
of the most sensitive information-security software in use today --
such as Feng Deng and Yan Ke, the founders of red-hot
security-appliance maker NetScreen (NSCN ).

HERCULEAN TASK.  Could some of these coders be operatives for their
respective intelligence services and be willing to plant back doors in
software? To date no such cases have been reported at Check Point,
NetScreen, or any other company. And any smart CIO who buys big,
custom software projects requests the source code before installing
such products. But auditing the source code of any significant piece
of software is now an expensive, Herculean task.

The likelihood of back doors inserted somewhere for spying purposes
will only grow as the U.S., Israel, China, India, and a host of other
countries both friend and foe expand their digital information-warfare
operations. These operations aim to exploit technological weakness of
opponents to gain military or economic advantage, and might include
hacking into secret systems or economic espionage. "Any sort of
vulnerability that has been implanted purposely in software can be
exploited by a foreign adversary with very broad and potentially
significant consequences," says Michael Vatis, the head of Information
Security Technology Studies at Dartmouth College in Hanover, N.H.

Adding to the risk is the increasingly blurry geography of software
development. In recent months, several leading tech companies --
including Hewlett-Packard (HPQ ), IBM (IBM ), and others, have
announced they would move more research and software development
offshore to India, China, or elsewhere. This compounds the existing
problem in vetting the billions of lines of code that now make up the
digital guts of the global economy. After all, few companies have the
resources to do any serious background checks of employees outside the
U.S., especially in countries where the reliability of government
records is suspect, and the information often incomplete.

TRUSTWORTHY CODE.  Also, while the U.S. government uses far stricter
controls on software code in the military and other classified units,
the boundaries between what's classified and unclassified are
shrinking. To save money, the government is buying more off-the-shelf
products. And info tech has standardized around the Internet and its
XML protocols used to manipulate data. That means the differences
between a word processor and a trusted security application are
becoming less and less pronounced, making vetting issues all the more
daunting. "The reality is the only code you can trust completely is
code you wrote yourself," says Gary McGraw, chief technology officer
of software-quality research company Cigital and author of the book
Building Secure Software.

That said, excessive paranoia on this issue could prove incredibly
destructive to the U.S., chasing away valuable intellectual capital
that the country sorely needs. The pendulum swung too far in that
direction during the Lee case. And it appears to be swinging that way
again with Ptech, given media coverage that has stoked fears of Al
Qaeda software moles, even though Justice has said no evidence for any
exists at Ptech.

So how to strike a balance without striking a chord of McCarthyism and
rolling out the polygraphs? For starters, a priority must be placed on
building automated tools to audit code for possible back doors. That's
a major challenge, considering the amazingly complex algorithms
involved in most software today, and no tools that can rapidly handle
large volumes of sophisticated code exist today. However, researchers
are looking at ways to build such tools, according to Dartmouth's
Vatis, and progress could come quickly in the near future, thanks to
additional dollars now being thrown at the cybersecurity effort.

HUMANS NEEDED.  Another key step is not relying on any one company or
product to protect computing infrastructures, according to Carl
Landwehr, director of the Trusted Computing Program at the National
Science Foundation. That runs somewhat counter to the trend of buying
so-called security appliances that combine multiple programs on a
single machine. But running several appliances should become less
costly in the near future, and the basic security saw of "don't put
all your eggs in one cyberbasket" is eminently sensible.

Here's another key area that needs big improvements: actual
on-the-ground intelligence. In a digital haystack, the dangerous
needles may be more apparent to human brains that can follow a hunch
and sift the information more effectively than even the slickest
software tools.

While Wen Ho Lee and now Oussama Ziade may shape the national security
consciousness, the reality is that FBI mole Robert Hanssen, a
seemingly normal U.S. citizen, did the most damage of any insider to
date. For 15 years Hanssen turned over key U.S. intelligence
information to the former Soviet Union and later to Russian
operatives, exposing huge swathes of America's secret spying
machinery.

The inherent lesson is that high-tech spying, be it by foreign
nationals or natives, will likely become a bigger problem. What's
needed are better tools to detect these instances before they happen
-- and less invasive ways to check the veracity of the code without
singling out large groups of tech innocents who happen to have the
wrong last name.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@xxxxxxxxxxxxx with 'unsubscribe isn'
in the BODY of the mail.