Although it took four years, the lawsuit was eventually settled last month for a total of $12.75 million. CSC agreed to pay $1.35 million and NetCracker will pay $11.4 million. The settlement does not prohibit the Justice Department from filing criminal charges in the matter. There are two potential criminal charges, one for contract fraud and one for allowing foreign entities access to classified data. Kingsley reports that the programs written by the Russians contained "numerous viruses" though DISA did not confirm this, citing national security concerns.
Perhaps more concerning than viruses or other malware in the Russian code is that intentional weaknesses could have been baked into the code. Subtle vulnerabilities would be very difficult to detect and would require millions of dollars in auditing to discover. It is unclear at this time how much damage DISA and other DoD agencies suffered from the malware running on their systems. It is also not clear how much of the Russian code ever made it into production and how much is still there.
For reporting the contracting violations, Kingsley reportedly received $2.4 million dollars. It's not often that doing the right thing pays such huge dividends, but in this case it paid off huge for Kingsley.
|Was this the Russian programmer who inserted "numerous viruses" into DISA code?|
The infosec hooks here are clear. When outsourcing your programming, do you really know who you are outsourcing to? What is their security posture? What are your subcontracting agreements? How are they enforced? Do you perform regular code audits to ensure that a contractor is providing secure code that is free of malware and vulnerabilities? Remember that a contractor may be providing malware without willful participation. In this case, CSC claims to be as much a victim as DISA due to the actions taken by NetCracker.
The bottom line is that if Russians can get viruses into DISA's code (even while getting paid to do it), you had better believe that your adversary can too. That makes things the overall situation look pretty bleak. What can you do then to ensure your organization is not a victim? At Rendition Infosec, we recommend the following to clients:
- Work with your legal team to get appropriate language in your contracts to govern what can and can't be subcontracted.
- Maintain your right to audit subcontracting arrangements (if allowed).
- Audit portions of the code (at a minimum) produced under any external contract. Better yet, write in contract provisions that a third party will audit code and that vulnerabilities discovered will be fixed at the contractor's cost. If the contractor is forced to pay for security re-tests of the code, they have a built in motivation to get it right the first time.
- Any auditing you perform on code contributed by a third party (and even that developed in house) should be examined using more than automated scanners. Automated scanners are a good start, but they are just that - a start. Manual testing often unearths subtle vulnerabilities (especially elevation of privilege) not found with any automated scanner.