Clarification to This Article
A Sept. 24 Page One article about a data breach at the Department of Homeland Security failed to credit the source of a quotation. It was Government Computer News in August 2006 that quoted Air Force Maj. Gen. William Lord as saying at a technology conference, "They are looking for your identity so they can get into the network as you." A Washington Post reporter did not attend the conference.
Contractor Blamed in DHS Data Breaches

By Ellen Nakashima and Brian Krebs
Washington Post Staff Writers
Monday, September 24, 2007

The FBI is investigating a major information technology firm with a $1.7 billion Department of Homeland Security contract after it allegedly failed to detect cyber break-ins traced to a Chinese-language Web site and then tried to cover up its deficiencies, according to congressional investigators.

At the center of the probe is Unisys Corp., a company that in 2002 won a $1 billion deal to build, secure and manage the information technology networks for the Transportation Security Administration and DHS headquarters. In 2005, the company was awarded a $750 million follow-on contract.

On Friday, House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) called on DHS Inspector General Richard Skinner to launch his own investigation.

As part of the contract, Unisys, based in Blue Bell, Pa., was to install network-intrusion detection devices on the unclassified computer systems for the TSA and DHS headquarters and monitor the networks. But according to evidence gathered by the House Homeland Security Committee, Unisys's failure to properly install and monitor the devices meant that DHS was not aware for at least three months of cyber-intrusions that began in June 2006. Through October of that year, Thompson said, 150 DHS computers -- including one in the Office of Procurement Operations, which handles contract data -- were compromised by hackers, who sent an unknown quantity of information to a Chinese-language Web site that appeared to host hacking tools.

The contractor also allegedly falsely certified that the network had been protected to cover up its lax oversight, according to the committee.

"For the hundreds of millions of dollars that have been spent on building this system within Homeland, we should demand accountability by the contractor," Thompson said in an interview. "If, in fact, fraud can be proven, those individuals guilty of it should be prosecuted."

A Unisys spokeswoman, Lisa Meyer, said that "no investigative body has notified us formally or informally of a criminal investigation" on the matter and added that she could not comment on specific security incidents.

She said that Unisys has provided DHS "with government-certified and accredited security programs and systems, which were in place throughout 2006 and remain so today."

The DHS intrusions are especially disturbing in light of a rash of attacks on government computer systems linked to Chinese servers, Thompson said. Since last year, hackers have penetrated e-mail and other systems at the Defense, State and Commerce departments. Unisys was not providing information-security services in those cases.

National security and cyber-security experts say the U.S. government and its contractors are the target of a growing cyber-warfare effort that they suspect is being conducted by the Chinese government and its proxies with the aim of stealing military secrets and accessing the computer networks of the world's only military superpower. The trend, they say, reflects the convergence of cyber-crime and espionage, abetted by the availability of hacker tools on the Internet and lax information-technology security.

"This is a warning that our networks are porous and vulnerable to the new breed of hackers," said James Lewis, a senior fellow at the Center for Strategic and International Studies.

DHS, which oversees agencies critical to domestic security, including the TSA and Customs and Border Protection, has insufficiently secured its networks, Thompson said. He said he is "troubled" by what he sees as DHS officials' indifference to the problem.

DHS spokesman Russ Knocke rejected the assertion. "We've taken the committee's allegations very seriously," he said. "At the committee's request, we have provided them with copies of every incident report since the department was created. . . . We have today fully operational security operations capability. That means that every incident, no matter how small, is reported to our operations center."

The FBI is investigating Unisys for criminal fraud, according to a committee aide. The panel began its inquiry into the matter in April. And Homeland Security's Internal Affairs division is conducting a probe as well.

FBI spokesman Richard J. Kolko said he could not confirm or deny whether the FBI is investigating the matter.

In the 2006 attacks on the DHS systems, hackers often took over computers late at night or early in the morning, "exfiltrating" or copying and sending out data over hours -- in one case more than five hours, according to evidence collected by the committee.

The House panel said its investigation has yielded the following results:

It is not clear how the hackers breached the DHS systems. But once inside, they used special software to crack a user account password for a network administrator who had privileges to modify key system files on thousands of computers on the DHS network.

Then the attackers began installing malicious software on dozens of computers that not only masked the intrusion but also copied and transferred files to an outside Web site.

In July 2006, a Unisys employee detected a possible intrusion but "downplayed it and low-level DHS security managers ignored it," the committee aide said.

It was not until Sept. 27, 2006, that two DHS systems managers noticed that their machines had been accessed with a hacking tool.

Unisys information technology employees began a probe and determined that the break-in affected more computers. They discovered that it reached back as far as June 13 that year and had continued through at least Oct. 1, eventually reaching 150 computers.

Among the security devices Unisys had been hired to install and monitor were seven "intrusion-detection systems," which flag suspicious or unauthorized computer network activity that may indicate a break-in. The devices were purchased in 2004, but by June 2006 only three had been installed -- and in such a way that they could not provide real-time alerts, according to the committee. The rest were gathering dust in DHS storage closets and under desks in their original packaging, the aide said.

Although the hackers lifted data from unclassified systems, Paul Kurtz, a former White House cyber-security adviser, said that even unclassified data, if stolen in large enough quantities, could provide important clues about U.S. military and corporate trade secrets.

"Clearly there's cause for concern as to how Unisys has conducted itself and the security it has provided," committee member Rep. Jim Langevin (D-R.I.) said in an interview. "There were some basic things that should have been done -- installation of these intrusion-detection devices -- that very well would have given us a strong indication and an alert that our systems were penetrated."

Unisys spokeswoman Meyer disputed the committee's version of events. She said that Unisys had installed five network-intrusion devices and added a sixth in September 2006. Moreover, she said, under the follow-on contract, "DHS, citing lack of funding, elected to stop paying for security monitoring services," but that the firm continued to provide the monitoring anyway.

Knocke said that the claims are "entirely baseless and disingenuous." He added that although "Unisys is not prohibited" from bidding on the next IT contract, "previous performance can be a factor" in selection.

The committee obtained documents indicating that Unisys was trying to "hide gaps" from the government in an apparent attempt to obscure the scope of the network security breaches, an aide said. Unisys also failed to disclose to DHS that the data were being sent to the Chinese-language Web site, the aide said.

Langevin, who chairs the panel's subcommittee on emerging threats and cyber-security, complained that senior DHS officials failed to recognize the situation's gravity. In a letter sent Friday to Skinner, Langevin and Thompson also said that DHS officials "preferred to complete the fiscal year's financial transactions rather than immediately take steps to mitigate the problem."

Knocke disputed that assertion. "We have spent innumerable man hours responding to the committee's inquiries and requests. . . . We are aware of, and have responded to, malicious cyber-activity directed at the U.S. government over the past few years. We remain concerned that this malicious activity is growing more sophisticated and frequent."

In fact, the techniques and tools used in the DHS break-ins were similar to incidents at the Defense and Commerce departments, the lawmakers said.

Experts said the attacks, which have also hit Germany, Britain and France, are part of a series that began several years ago, when U.S. officials reported that the Pentagon's unclassified networks and contractors running national labs had been under relentless attack from computers in China. The intelligence and computer-security communities remain divided over whether the intrusions, code-named Titan Rain by federal investigators, were carried out by state-sponsored cyber-spies or merely opportunistic hackers.

A senior military technology officer warned last fall that China downloaded "10 to 20 terabytes of data" from the Pentagon's non-classified Internet Protocol router network. "They are looking for your identity so they can get into the network as you," Maj. Gen. William Lord, Director of Information Services and Integration in the Air Force Office of Warfighting Integration, said at an Air Force technology conference. "There is a nation-state threat by the Chinese."

The Chinese government has vigorously denied the charges of cyber-espionage and Chinese officials have leveled their own allegations of cyber-hacking against the United States.

Krebs is a staff writer for washingtonpost.com. Staff researcher Richard Drezen contributed to this report.


© 2007 The Washington Post Company