Federal officials fear that national security may have been jeopardized when the company building a sensitive phone-number database violated a federal requirement that only U.S. citizens work on the project.

The database is significant because it tracks nearly every phone number in North America, making it a key tool for law enforcement agencies seeking to monitor criminal or espionage targets.

Now Telcordia, a Swedish-owned firm, is being compelled to rewrite the database computer code — a massive undertaking — to assuage concerns from officials at the FBI and Federal Communications Commission that foreign citizens had access to the project. These officials fear that if other countries gain access to the code, they could reap a counterintelligence bonanza, learning the targets of U.S. law enforcement and espionage investigations.

The security rewrite began in March after the agencies learned that a Chinese citizen with a U.S. work permit had helped write the system code, said individuals familiar with the matter who spoke on the condition of anonymity to discuss a sensitive matter. Seven other foreign citizens, including a British engineer, also worked on the project, although it was the Chinese engineer who raised red flags for officials.

In a separate development, a former Telcordia employee in New Jersey alleged in a civil lawsuit made public this week that he was fired in retaliation for blowing the whistle on a foreign worker.

Put together, these incidents raise a broader question about the security of a database that is perhaps the most important cog that most people have never heard of in the communications network.

The system was created in 1997 to solve a consumer problem: allowing people to keep their numbers when they switch phone companies. It is also instrumental every time a person makes a call or sends a text message, allowing that person’s carrier to ping the database to learn which other phone service should next receive the call or text. In addition, law enforcement agencies rely on the database to link suspects’ numbers to carriers so that search warrants can be executed.

Telcordia, headquartered in Piscataway, N.J., and owned by Ericsson, said in a statement that the foreigners who worked on the project were all “highly qualified” legal U.S. residents with work permits and that the company’s work now meets all the security requirements of its contract. The company would not comment on whether the Chinese engineer was let go or reassigned but said that no foreign citizens were working on the system any longer.

“There was no indication that there was any issue with any source code but regardless, to mitigate any concerns, the final application will be an entirely new version, designed and coded by U.S. citizens,” Telcordia spokeswoman Sharon Oddy said.

Oddy also said that the former employee’s claims in court were without merit.

From its creation, the system, called the Number Portability Administration Center (NPAC), was run by a Northern Virginia-based firm, Neustar. The firm has run NPAC under a contract with a consortium of phone companies that pay for the database’s operation. But in 2013 for the first time, the work was put up for competitive bid. Last year, Telcordia was given the go-ahead to begin negotiating a contract, which still needs to receive final approval from the FCC.

One of the requirements: Only U.S. citizens could work on the project. Last fall, the FCC learned of a Chinese citizen being employed by Telcordia for the database and contacted the FBI, officials said. The two agencies conducted a review.

“Consistent with that review and in close coordination with the national security agencies, the commission and Telcordia agreed that the company would discard the pre-contract work performed and start entirely anew,” FCC spokesman Mark Wigfield said in a statement to The Washington Post.

The current draft contract “includes rigorous oversight measures and explicitly requires that only appropriately vetted U.S. citizens work on the project,” Wigfield said.

FBI spokesman Christopher Allen confirmed that the FBI is working “closely with the FCC . . . to help identify and mitigate national security and law enforcement risks.”

In addition to the counterintelligence risks, officials are concerned that if access to the database fell into the wrong hands, a hacker could misdirect calls to erroneous or nonexistent networks, which could be especially disruptive during a national emergency.

Some critics have faulted the FCC and the phone company consortium, which wrote the language requesting bids, for not building in adequate security requirements from the start.

“The right time to be addressing the issues is at the [bid] stage, not after you’ve selected a winner and are trying to retrofit security as an afterthought,” said Michael Chertoff, a former secretary of homeland security who was paid by Neustar to help with its bid for the contract.

The United States has long been concerned about Chinese espionage.

The Chinese breach of the Office of Personnel Management’s databases, which exposed sensitive information concerning more than 22 million current and former federal employees and their families, was seen by intelligence officials as a move by Beijing to build dossiers on employees they might target or recruit for spying.

Neustar, which declined to comment for this story, last year appealed the FCC’s selection of Telcordia to a federal court on grounds that the process was unlawful.

Neustar’s contract was worth $496 million a year, whereas Telcordia said it could do the same work for $143 million annually.

Neustar is expected to continue running the NPAC database until the transition to Telcordia has been completed. As part of that transfer, Telcordia must build its own system, a task that Oddy said the company expects to finish by fall 2017 as called for in the draft contract.

The source code for Neustar’s NPAC took hundreds of thousands of hours to write, said an industry official familiar with the project. Some 4,800 telecommunications systems from 2,000 carriers feed information to the database. “It is a major undertaking,” the official said.