Software, Security, and Ethnicity

By Alex Salkever The 2,000-mile distance from the stark high desert of Los Alamos, N.M., to the high-tech office parks of Boston's suburbs appears to have shrunken dramatically in the past two weeks. I'm referring to the cases of Wen Ho Lee and Oussama Ziade. Both represent the federal government's fears that moles could work their way into the U.S. and achieve positions of trust that they later use to harm national interests. Whether Ziade is in fact such a mole seems unlikely, but expect the scenario playing out in Quincy, Mass., where his company, Ptech, is based, to be often repeated as the war on radical Islamic terrorists ramps up.

The connection between Lee and Ziade? Call it the ghost of Christmas past. On Dec. 23, 1998, Lee, then a computer scientist at Los Alamos National Laboratory, failed a polygraph test. He had been working on semisecret nuclear weapons programs, and the lie-detector results sparked FBI concerns that China had used Lee to steal sensitive U.S. bomb plans. The scientist's eight-month incarceration left a noxious taste in the mouths of thousands of U.S.-based researchers of Chinese nationality or Chinese descent who had to take polygraph tests at the U.S. government's behest. Lee walked free in the end, but the specter of electronic espioniage by foreign nations and terrorist groups has loomed large ever since.

COLLATERAL DAMAGE. This holiday season, the FBI is on the case again, this time investigating Ptech, which makes software used to organize information by a host of clients including the U.S. Navy, the IRS, and many companies in the private sector. Ptech's CEO is Ziade, a Lebanese who has held U.S. citizenship for four years. Ziade, a Harvard-educated physicist, has a handful of employees of Middle Eastern ethnicity or family ties to predominantly Muslim countries, including Egypt.

On Dec. 6, agents from the U.S. Customs Service and the FBI raided Ptech's offices as part of an investigation into whether the company has been used by a Saudi businessman now on the terrorism watch list to channel funds to al Qaeda. Although Ptech's software was not the initial target of the inquiry, as allegations built, Ziade found himself defending his product's integrity. Thus far, nothing untoward has been found in the software despite rigorous audits, and most experts discount any possibility that Ptech's code holds dangerous back doors that would allow unauthorized access to computer systems.

As Lee found himself out of a job days before Christmas, Ziade may find himself in a similar situation. Two banks have closed Ptech accounts, the company claims. Several customers that were in the pipeline have told Ptech they would take a wait-and-see approach. "That's very difficult for a company trying to grow," says Greg White, an attorney representing the software maker.

"CONTINGENCY PLANS." To boot, influential information-technology consultancy Gartner sent out a note warning its clients to steer clear of Ptech software due to concerns that it might not survive the fallout from the publicity. Wrote Gartner on Dec. 9: "Regardless of the eventual outcome, the federal investigation will strain Ptech's finances and divert its management team. Ptech customers should prepare contingency plans, such as obtaining escrow rights to the code and evaluate other vendors."

Of course, neither situation represents an entirely black-and-white case of overzealous government paranoia. Lee brought classified files home against Los Alamos' and Energy Dept. rules. And while U.S. Justice Dept. investigators have said Ptech's software holds no back doors or other intentional security flaws tailor-made for spying, the Saudi Arabian businessman now on the Treasury Dept.'s watch list may have had some ties to funding that Ptech recieved for its operations in 1994. White points out that the Saudi man wasn't on any published lists of people financing terrorism at the time of the investments.

Washington now finds itself in a familiar but uncomfortable position. The Lee case upset many talented researchers of Chinese ancestry or citizenry who were working for the U.S. government. Demoralized by the scrutiny, many of them left jobs at federal labs rather than undergo polygraph tests.

CREDIBLE THREAT. By the same token, the Ptech affair has already cast a dark light upon the wide activities of Middle Eastern or Muslim computer programmers and software executives, many of whom are providing useful innovation to the U.S. and its allies. Witness Hossein Eslambolchi, the CTO of AT&T and holder of 87 patents who has played a key role in developing advanced fiber-optic data links.

Still, the possibility of an insider threat is credible on multiple levels. Israeli software programmers, most of whom learned their trade while serving in the military, occupy high-level positions at numerous computer-security software concerns in the U.S. Gil Shwed, one of the most influential people in the firewall business and the founder of industry leader Check Point Software (CHKP), learned his trade in the Israeli Defense Force, and the company maintains research labs in Israel. Check Point declined to comment for this story.

Likewise, former or current citizens of China have helped build some of the most sensitive information-security software in use today -- such as Feng Deng and Yan Ke, the founders of red-hot security-appliance maker NetScreen (NSCN).

HERCULEAN TASK. Could some of these coders be operatives for their respective intelligence services and be willing to plant back doors in software? To date no such cases have been reported at Check Point, NetScreen, or any other company. And any smart CIO who buys big, custom software projects requests the source code before installing such products. But auditing the source code of any significant piece of software is now an expensive, Herculean task.

The likelihood of back doors inserted somewhere for spying purposes will only grow as the U.S., Israel, China, India, and a host of other countries both friend and foe expand their digital information-warfare operations. These operations aim to exploit technological weakness of opponents to gain military or economic advantage, and might include hacking into secret systems or economic espionage. "Any sort of vulnerability that has been implanted purposely in software can be exploited by a foreign adversary with very broad and potentially significant consequences," says Michael Vatis, the head of Information Security Technology Studies at Dartmouth College in Hanover, N.H.

Adding to the risk is the increasingly blurry geography of software development. In recent months, several leading tech companies -- including Hewlett-Packard (HPQ), IBM (IBM), and others, have announced they would move more research and software development offshore to India, China, or elsewhere. This compounds the existing problem in vetting the billions of lines of code that now make up the digital guts of the global economy. After all, few companies have the resources to do any serious background checks of employees outside the U.S., especially in countries where the reliability of government records is suspect, and the information often incomplete.

TRUSTWORTHY CODE. Also, while the U.S. government uses far stricter controls on software code in the military and other classified units, the boundaries between what's classified and unclassified are shrinking. To save money, the government is buying more off-the-shelf products. And info tech has standardized around the Internet and its XML protocols used to manipulate data. That means the differences between a word processor and a trusted security application are becoming less and less pronounced, making vetting issues all the more daunting. "The reality is the only code you can trust completely is code you wrote yourself," says Gary McGraw, chief technology officer of software-quality research company Cigital and author of the book Building Secure Software.

That said, excessive paranoia on this issue could prove incredibly destructive to the U.S., chasing away valuable intellectual capital that the country sorely needs. The pendulum swung too far in that direction during the Lee case. And it appears to be swinging that way again with Ptech, given media coverage that has stoked fears of Al Qaeda software moles, even though Justice has said no evidence for any exists at Ptech.

So how to strike a balance without striking a chord of McCarthyism and rolling out the polygraphs? For starters, a priority must be placed on building automated tools to audit code for possible back doors. That's a major challenge, considering the amazingly complex algorithms involved in most software today, and no tools that can rapidly handle large volumes of sophisticated code exist today. However, researchers are looking at ways to build such tools, according to Dartmouth's Vatis, and progress could come quickly in the near future, thanks to additional dollars now being thrown at the cybersecurity effort.

HUMANS NEEDED. Another key step is not relying on any one company or product to protect computing infrastructures, according to Carl Landwehr, director of the Trusted Computing Program at the National Science Foundation. That runs somewhat counter to the trend of buying so-called security appliances that combine multiple programs on a single machine. But running several appliances should become less costly in the near future, and the basic security saw of "don't put all your eggs in one cyberbasket" is eminently sensible.

Here's another key area that needs big improvements: actual on-the-ground intelligence. In a digital haystack, the dangerous needles may be more apparent to human brains that can follow a hunch and sift the information more effectively than even the slickest software tools.

While Wen Ho Lee and now Oussama Ziade may shape the national security consciousness, the reality is that FBI mole Robert Hanssen, a seemingly normal U.S. citizen, did the most damage of any insider to date. For 15 years Hanssen turned over key U.S. intelligence information to the former Soviet Union and later to Russian operatives, exposing huge swathes of America's secret spying machinery.

The inherent lesson is that high-tech spying, be it by foreign nationals or natives, will likely become a bigger problem. What's needed are better tools to detect these instances before they happen -- and less invasive ways to check the veracity of the code without singling out large groups of tech innocents who happen to have the wrong last name. Salkever is Technology editor for BusinessWeek Online and covers computer security issues weekly in his Security Net column

Toyota's Hydrogen Man
blog comments powered by Disqus