Contractor Blamed in DHS Data Breaches
By Ellen Nakashima and Brian Krebs
Washington Post Staff Writers
September 24, 2007
The FBI is investigating a major information technology firm with a $1.7
billion Department of Homeland Security contract after it allegedly
failed to detect cyber break-ins traced to a Chinese-language Web site
and then tried to cover up its deficiencies, according to congressional
At the center of the probe is Unisys Corp., a company that in 2002 won a
$1 billion deal to build, secure and manage the information technology
networks for the Transportation Security Administration and DHS
headquarters. In 2005, the company was awarded a $750 million follow-on
On Friday, House Homeland Security Committee Chairman Bennie Thompson
(D-Miss.) called on DHS Inspector General Richard Skinner to launch his
As part of the contract, Unisys, based in Blue Bell, Pa., was to install
network-intrusion detection devices on the unclassified computer systems
for the TSA and DHS headquarters and monitor the networks. But according
to evidence gathered by the House Homeland Security Committee, Unisys's
failure to properly install and monitor the devices meant that DHS was
not aware for at least three months of cyber-intrusions that began in
June 2006. Through October of that year, Thompson said, 150 DHS
computers -- including one in the Office of Procurement Operations,
which handles contract data -- were compromised by hackers, who sent an
unknown quantity of information to a Chinese-language Web site that
appeared to host hacking tools.
The contractor also allegedly falsely certified that the network had
been protected to cover up its lax oversight, according to the
"For the hundreds of millions of dollars that have been spent on
building this system within Homeland, we should demand accountability by
the contractor," Thompson said in an interview. "If, in fact, fraud can
be proven, those individuals guilty of it should be prosecuted."
A Unisys spokeswoman, Lisa Meyer, said that "no investigative body has
notified us formally or informally of a criminal investigation" on the
matter and added that she could not comment on specific security
She said that Unisys has provided DHS "with government-certified and
accredited security programs and systems, which were in place throughout
2006 and remain so today."
The DHS intrusions are especially disturbing in light of a rash of
attacks on government computer systems linked to Chinese servers,
Thompson said. Since last year, hackers have penetrated e-mail and other
systems at the Defense, State and Commerce departments. Unisys was not
providing information-security services in those cases.
National security and cyber-security experts say the U.S. government and
its contractors are the target of a growing cyber-warfare effort that
they suspect is being conducted by the Chinese government and its
proxies with the aim of stealing military secrets and accessing the
computer networks of the world's only military superpower. The trend,
they say, reflects the convergence of cyber-crime and espionage, abetted
by the availability of hacker tools on the Internet and lax
"This is a warning that our networks are porous and vulnerable to the
new breed of hackers," said James Lewis, a senior fellow at the Center
for Strategic and International Studies.
DHS, which oversees agencies critical to domestic security, including
the TSA and Customs and Border Protection, has insufficiently secured
its networks, Thompson said. He said he is "troubled" by what he sees as
DHS officials' indifference to the problem.
DHS spokesman Russ Knocke rejected the assertion. "We've taken the
committee's allegations very seriously," he said. "At the committee's
request, we have provided them with copies of every incident report
since the department was created. . . . We have today fully operational
security operations capability. That means that every incident, no
matter how small, is reported to our operations center."
The FBI is investigating Unisys for criminal fraud, according to a
committee aide. The panel began its inquiry into the matter in April.
And Homeland Security's Internal Affairs division is conducting a probe
FBI spokesman Richard J. Kolko said he could not confirm or deny whether
the FBI is investigating the matter.
In the 2006 attacks on the DHS systems, hackers often took over
computers late at night or early in the morning, "exfiltrating" or
copying and sending out data over hours -- in one case more than five
hours, according to evidence collected by the committee.
The House panel said its investigation has yielded the following
It is not clear how the hackers breached the DHS systems. But once
inside, they used special software to crack a user account password for
a network administrator who had privileges to modify key system files on
thousands of computers on the DHS network.
Then the attackers began installing malicious software on dozens of
computers that not only masked the intrusion but also copied and
transferred files to an outside Web site.
In July 2006, a Unisys employee detected a possible intrusion but
"downplayed it and low-level DHS security managers ignored it," the
committee aide said.
It was not until Sept. 27, 2006, that two DHS systems managers noticed
that their machines had been accessed with a hacking tool.
Unisys information technology employees began a probe and determined
that the break-in affected more computers. They discovered that it
reached back as far as June 13 that year and had continued through at
least Oct. 1, eventually reaching 150 computers.
Among the security devices Unisys had been hired to install and monitor
were seven "intrusion-detection systems," which flag suspicious or
unauthorized computer network activity that may indicate a break-in. The
devices were purchased in 2004, but by June 2006 only three had been
installed -- and in such a way that they could not provide real-time
alerts, according to the committee. The rest were gathering dust in DHS
storage closets and under desks in their original packaging, the aide
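The off-hours, hours-long outbound transfers described earlier in the article are exactly what a correctly deployed and monitored intrusion-detection sensor should surface in real time. The script below is an added illustration and is not code from the article, Unisys or DHS: it runs one simple detection rule over a handful of constructed flow records (the addresses, timestamps and byte counts are invented, the 10.0.0.0/8 internal range, the 22:00 to 06:00 window and the size and duration thresholds are assumptions) and flags sustained internal-to-external transfers that begin outside business hours.

```python
"""Detect sustained off-hours outbound transfers in flow records.

Added example; the flow lines below are constructed for illustration and the
internal range, off-hours window and thresholds are assumed values.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed internal address space and tuning knobs for this example.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
OFF_HOURS_START = time(22, 0)          # 22:00 local
OFF_HOURS_END = time(6, 0)             # 06:00 local (window crosses midnight)
MIN_DURATION_S = 30 * 60               # "sustained": at least 30 minutes
MIN_BYTES_OUT = 50 * 1024 * 1024       # at least 50 MiB leaving the network

# Constructed sample flows: "<ISO start>,<duration s>,<src>,<dst>,<bytes out>".
# External addresses come from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    "2006-06-13T02:15:00,19800,10.20.30.40,203.0.113.5,734003200",  # 5.5 h, 700 MiB
    "2006-06-13T10:00:00,600,10.20.30.41,203.0.113.5,1048576",      # daytime, short
    "2006-06-13T23:10:00,120,10.20.30.42,198.51.100.7,52428800",    # off-hours but 2 min
    "2006-06-14T03:00:00,3600,10.20.30.40,10.20.30.1,209715200",    # internal-to-internal
    "2006-06-14T01:30:00,2400,10.20.30.43,203.0.113.5,104857600",   # 40 min, 100 MiB
]


@dataclass
class Flow:
    start: datetime
    duration_s: int
    src: str
    dst: str
    bytes_out: int


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of the assumed internal networks."""
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def is_off_hours(t: time) -> bool:
    """True for a clock time inside the 22:00 to 06:00 window."""
    return t >= OFF_HOURS_START or t < OFF_HOURS_END


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow line into a Flow record."""
    start, duration, src, dst, nbytes = line.strip().split(",")
    return Flow(datetime.fromisoformat(start), int(duration), src, dst, int(nbytes))


def detect(lines):
    """Return an alert dict for every sustained off-hours outbound transfer.

    Records are processed one at a time, so the same function could sit
    behind a live sensor feed rather than a batch of lines.
    """
    alerts = []
    for line in lines:
        f = parse_flow(line)
        if not is_internal(f.src) or is_internal(f.dst):
            continue  # only transfers that actually leave the network matter here
        if f.duration_s < MIN_DURATION_S or f.bytes_out < MIN_BYTES_OUT:
            continue  # short or small: not "sustained"
        if not is_off_hours(f.start.time()):
            continue
        alerts.append({
            "start": f.start.isoformat(),
            "duration_s": f.duration_s,
            "src": f.src,
            "dst": f.dst,
            "bytes_out": f.bytes_out,
        })
    return alerts


def exfil_summary(alerts):
    """Total flagged bytes per external destination, for triage."""
    totals = {}
    for a in alerts:
        totals[a["dst"]] = totals.get(a["dst"], 0) + a["bytes_out"]
    return totals


if __name__ == "__main__":
    found = detect(SAMPLE_FLOWS)
    for a in found:
        print(f"ALERT {a['start']} {a['src']} -> {a['dst']} "
              f"{a['bytes_out'] // (1024 * 1024)} MiB over {a['duration_s'] // 60} min")
    print("per-destination totals:", exfil_summary(found))
```

The rule is deliberately crude: a production sensor would baseline each host's normal outbound volume and hours instead of using fixed thresholds, and would correlate the flagged flows with the account-compromise and malware-installation activity the article also describes. The point is that even this much logic, fed by a sensor that is actually installed and watched, would have produced an alert on the first night rather than months later.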
Although the hackers lifted data from unclassified systems, Paul Kurtz,
a former White House cyber-security adviser, said that even unclassified
data, if stolen in large enough quantities, could provide important
clues about U.S. military and corporate trade secrets.
"Clearly there's cause for concern as to how Unisys has conducted itself
and the security it has provided," committee member Rep. Jim Langevin
(D-R.I.) said in an interview. "There were some basic things that should
have been done -- installation of these intrusion-detection devices --
that very well would have given us a strong indication and an alert that
our systems were penetrated."
Unisys spokeswoman Meyer disputed the committee's version of events. She
said that Unisys had installed five network-intrusion devices and added
a sixth in September 2006. Moreover, she said, under the follow-on
contract, "DHS, citing lack of funding, elected to stop paying for
security monitoring services," but that the firm continued to provide
the monitoring anyway.
Knocke said that the claims are "entirely baseless and disingenuous." He
added that although "Unisys is not prohibited" from bidding on the next
IT contract, "previous performance can be a factor" in selection.
The committee obtained documents indicating that Unisys was trying to
"hide gaps" from the government in an apparent attempt to obscure the
scope of the network security breaches, an aide said. Unisys also failed
to disclose to DHS that the data were being sent to the Chinese-language
Web site, the aide said.
Langevin, who chairs the panel's subcommittee on emerging threats and
cyber-security, complained that senior DHS officials failed to recognize
the situation's gravity. In a letter sent Friday to Skinner, Langevin
and Thompson also said that DHS officials "preferred to complete the
fiscal year's financial transactions rather than immediately take steps
to mitigate the problem."
Knocke disputed that assertion. "We have spent innumerable man hours
responding to the committee's inquiries and requests. . . . We are aware
of, and have responded to, malicious cyber-activity directed at the U.S.
government over the past few years. We remain concerned that this
malicious activity is growing more sophisticated and frequent."
In fact, the techniques and tools used in the DHS break-ins were similar
to incidents at the Defense and Commerce departments, the lawmakers
Experts said the attacks, which have also hit Germany, Britain and
France, are part of a series that began several years ago, when U.S.
officials reported that the unclassified Pentagon and contractors
running national labs had been under relentless attack from computers in
China. The intelligence and computer-security communities remain divided
over whether the intrusions, code-named Titan Rain by federal
investigators, were carried out by state-sponsored cyber-spies or merely
A senior military technology officer warned last fall that China
downloaded "10 to 20 terabytes of data" from the Pentagon's
non-classified Internet Protocol router network. "They are looking for
your identity so they can get into the network as you," Maj. Gen.
William Lord, Director of Information Services and Integration in the
Air Force Office of Warfighting Integration, said at an Air Force
technology conference. "There is a nation-state threat by the Chinese."
The Chinese government has vigorously denied the charges of
cyber-espionage and Chinese officials have leveled their own allegations
of cyber-hacking against the United States.
Krebs is a staff writer for washingtonpost.com. Staff researcher Richard
Drezen contributed to this report.
© 2007 The Washington Post Company