The subcontractor that hired the coders signed a non-prosecution deal to end a criminal investigation.
Russian developers did some of the coding work for a Defense Department software system and stored that code inside a server in Moscow, according to a non-prosecution agreement released Monday.
Those Russian coders only worked on unclassified portions of the Defense Information Systems Agency project, but, in some cases, knew they were helping to develop a highly sensitive system that would attach to Defense Department information networks, according to the agreement between the Justice Department and Netcracker Technology Corp., the subcontractor that hired the Russian coders.
The non-prosecution deal ends a criminal investigation against Netcracker that was led by the Justice Department’s national security division and the U.S. Attorney’s Office for the Eastern District of Virginia.
The agreement comes amid heightened concerns about Russian spy agencies’ efforts to infiltrate U.S. government computer networks.
Government agencies are currently scrambling to rid their computer systems of Kaspersky anti-virus software, which the Homeland Security Department has determined is too closely tied to the Russian government and could be a jumping-off point for Russian hackers.
One of Homeland Security’s main public justifications for the Kaspersky order is a Russian law that gives the nation’s security services access to content and other information stored on Russian networks. That law also would have applied to the Netcracker coders, according to the Justice Department.
Even if they only accessed unclassified portions of Defense systems, malicious Russian coders could insert backdoors that beaconed back sensitive information to Russian spies, security experts told Nextgov.
Depending on which software vulnerabilities those backdoors relied on, they might withstand moderate or even rigorous security inspections by the Defense Department, the experts said.
Whether the system would have undergone such rigorous vetting isn’t clear and would depend on various factors unique to the project, a former Homeland Security official told Nextgov.
A backdoor into an unclassified system could also be used to search for additional vulnerabilities that could give hackers access to more sensitive or classified data, security experts said.
Even if they didn’t insert a backdoor, the coders could simply share information about the basic structure of Pentagon systems that would make it easier for Russian cyber spies to do their work.
“[The U.S. and Russia] spy on each other heavily and we need to be very careful about who we employ and how the government employs coders who get into the most sensitive things our government does,” said the former Homeland Security official who requested anonymity to discuss the issue freely.
Overall, government and industry have both been slow to understand and protect against the vulnerabilities produced by expansive global supply chains for digital technology and services, the former official said.
U.S. companies have also often opted to outsource coding to nations with lower average salaries but outsized digital talent, such as Russia, Ukraine and India, in order to cut costs.
“I can contract with guys in Ukraine for pennies on the dollar compared with people here in the U.S.,” the former official said.
Russian government access to Netcracker systems could be more concerning than Russian government influence over Kaspersky, Brian Martin, vice president of vulnerability intelligence at the company Risk Based Security, told Nextgov, because Netcracker's software was closer to sensitive Defense Department information.
At the point Homeland Security ordered Kaspersky off government systems in September, the Russian anti-virus had already been scrubbed from all national security systems and was mostly running at smaller agencies, according to officials.
“I think as far as your actual threat models go, it is a bit more of a concern,” Martin said.
Netcracker’s use of Russian coders on the DISA project was the result of a miscommunication, according to the non-prosecution deal.
Netcracker’s understanding when it joined the project as a subcontractor in 2008 was that it was allowed to employ non-Americans abroad provided they didn’t receive any classified or sensitive information specific to the customer, according to the agreement.
That understanding was later codified in a 2011 agreement between Netcracker and the prime contractor, which Justice documents do not name.
It was only after the project was completed that DISA and the Justice Department’s national security division determined Netcracker’s use of Russian coders “resulted in an unacceptable degradation of the level of security DISA had intended to achieve.”
The non-prosecution deal bars Netcracker from accessing any U.S. customers’ information from overseas and requires the company to adopt enhanced security measures and a security plan that’s vetted by the Justice Department. The company must also pay for third-party audits that it will share with government officials.
Netcracker also had two other contracts with DISA.
One was a 2007 contract for the company’s core commercial product, which DISA understood included code produced by Russian and Ukrainian coders. DISA determined in a 2008 investigation that those coders’ work did not pose a substantial risk to government security.
The company also entered into a separate 2007 contract to customize its core commercial code for DISA’s “unique systems.” That contract required that all customization work be done by U.S. citizens inside the U.S. holding secret- or top secret-level security clearances.