Pentagon Farmed Out Its Coding to Russia by Patrick Malone.
From the post:
The Pentagon was tipped off in 2011 by a longtime Army contractor that Russian computer programmers were helping to write computer software for sensitive U.S. military communications systems, setting in motion a four-year federal investigation that ended this week with a multimillion-dollar fine against two firms involved in the work.
The contractor, John C. Kingsley, said in court documents filed in the case that he discovered the Russians’ role after he was appointed to run one of the firms in 2010. He said the software they wrote had made it possible for the Pentagon’s communications systems to be infected with viruses.
…
The DISA official confirmed that the practice of outsourcing the work to employees in Russia violated both the company’s contract and federal regulations that mandate only U.S. citizens with approved security clearances work on classified systems, Kingsley’s complaint said.
On Monday, NetCracker and the much larger Virginia-based Computer Sciences Corporation—which had subcontracted the work—agreed to pay a combined $12.75 million in civil penalties to close a four-year-long Justice Department investigation into the security breach. They each denied Kingsley’s accusations in settlement documents filed with the court.
…
The sad news is there is no mention of either NetCracker or Computer Sciences Corporation being banned from government contracts in general or defense contracts in particular.
If you were a CIO and discovered that a contractor had violated primary security requirements for a contract, or had failed to discover that a sub-contractor had violated such requirements, how eager would you be to sign up with either one again?
One of the fundamental problems with government IT security is the lack of any meaningful penalty for failing to provide IT security.
Unless and until the government holds its own staff, contractors and sub-contractors liable and accountable in some meaningful way, such as severance (without benefits), forfeiture of current contracts plus civil/criminal liability, government IT security will continue to be a sieve.