[ISN] Uneasiness About Security as Government Buys Software

From: InfoSec News (isn@c4i.org)
Date: Tue Jul 08 2003 - 02:28:24 CDT


http://www.nytimes.com/2003/07/07/technology/07BLOW.html

By JOHN MARKOFF
July 7, 2003

Sitting at his laptop computer in a hotel near Toronto one day last
October, Gregory Gabrenya was alarmed by what he discovered in the
sales-support database of his new employer, Platform Software: the
names of more than 30 employees of the United States National Security
Agency.

The security agency, one of many federal supercomputer users that rely
on Platform's software, typically keeps the identities of its
employees under tight wraps. Mr. Gabrenya, who had just joined
Platform as a salesman, found the names on a list of potential
customer contacts for Platform's sales team. The discovery
crystallized his growing concern that the company was perhaps too lax
about the national security needs of its United States government
customers, in the military, intelligence and research.

"Anyone who had an account on the system could see this list," Mr.
Gabrenya recalled in a recent interview. "They shouldn't be seeing
this information and I shouldn't be seeing it."

What really worried him, Mr. Gabrenya said, was that Platform,
although based in Markham, Ontario, maintains a software maintenance
and testing operation in Beijing — which he was not sure the company
had made clear enough to its American government customers.

He repeatedly raised the concerns with Platform executives, who say
his fears were unfounded. In March, Mr. Gabrenya, who had previously
worked for nearly 10 years as a salesman for the supercomputer maker
Silicon Graphics, was let go by Platform. The company said he had not
met sales goals. Mr. Gabrenya said his whistle-blowing led to his
dismissal.

Mr. Gabrenya, a 42-year-old American, stressed that he had seen no
evidence of espionage or other wrongdoing by Platform employees either
in Canada or China. But he said that he was concerned about two
possibilities, that sensitive government information was not receiving
adequate protection and that the Chinese software operation could be
infiltrated by foreign agents who could tamper with software being
used by United States government agencies.

The issues Mr. Gabrenya raised are part of a tension in the
information technology industry, as crucial computer programming is
increasingly performed outside the United States, either in the form
of jobs exported from this country or by a growing array of foreign
competitors.

The trend poses risks, in the view of some American government
officials, because of the potential for foreign spies to sneak illicit
code into critical programs, and simply because the United States is
increasingly losing dominance in information technology.

"Software is so goofy because there is so many lines of code that
hiding Trojans inside the system is the easiest thing in the world to
do," said Keith A. Rhodes, the chief technologist of the General
Accounting Office. "Setting aside national security, we're also
talking about a tremendous advantage you give to your national
competitors."

The concerns cut both ways. The Chinese government has repeatedly
accused the United States military and intelligence organizations of
attempting to conduct espionage by manipulating American products sold
in China. The tracking features in Intel's microprocessors and
Microsoft's operating system software are of particular concern to
Chinese officials, which is one reason China is intent on expanding
its own technology industry.

"The Chinese emergence as a global workshop for information technology
presents us with a new area of export control challenges," said James
Mulvenon, an analyst at the RAND Corporation.

Hong Chen, a Chinese technologist in Silicon Valley, who is not
affiliated with Platform Software, said that there were software
technologies that the United States should jealously guard and not
develop overseas, but that Platform's was not among them.

"I don't think the technologies at stake here are crucial to national
security," said Mr. Chen, an executive who heads the Hua Yuan Science
and Technology Association, a Silicon Valley group of more than 1,000
entrepreneurs and technologists who were born in mainland China.

For the most part, Mr. Chen said, the United States and China should
freely exchange technologies.

Platform Software dominates the market for software that enables
clusters of powerful computers to work together. It has dozens of
United States federal customers, and computer makers including Dell,
I.B.M. and Silicon Graphics also sell its software to federal
customers. The company was co-founded in 1992 by a Chinese-born
computer scientist, Songnian Zhou, who received his Ph.D. from the
University of California at Berkeley, and who remains Platform's chief
technology officer.

Mr. Gabrenya, who lives in Northern California, is still looking for
work. He said that shortly after he was hired by Platform, he began
raising his concerns with company executives, first in person and then
in writing.

In January, he spelled out his concerns in an e-mail message to his
boss: "After spending a little over 90 plus days here at Platform, I
find myself less comfortable in this job than when I began. The
reason? Our China office. It's clear that we now have people in
Beijing doing important development work and we are not, as a company,
telling our U.S. government customers. That's a problem in my mind. Is
this illegal?"

The e-mail message and his persistent queries led the company to
blackball him, Mr. Gabrenya said. His relationship with Platform
deteriorated, he said, after he told the company that his security
concerns made him uncomfortable trying to sell its products to the
NASA Ames Laboratory, a government research center in Silicon Valley.

Executives at Platform Software dispute Mr. Gabrenya's charges, saying
the company has stringent rules in place to separate its foreign
operations from its domestic software development process and computer
systems. The company says that none of its software for customers in
the American government is developed in China and that it has
carefully informed those customers about its test and maintenance
organization in China.

"What I did say to Greg at the time is that there is clear demarcation
with respect to development of software and no code goes to China,"
said Ian Baird, vice president for sales and marketing operations at
Platform.

The company also does not make customer information stored in its
sales support database generally available within the company, he
said, adding that it was unclear how it would have been possible for
Mr. Gabrenya to have the authorization to view the security agency
customer data.

A security agency spokeswoman said last week that the agency was not
prepared to comment.

But several of the company's other United States government customers
said they were aware of Platform's operation in China and were not
concerned.

A spokesman for one customer, the Los Alamos National Laboratory in
New Mexico, said that dealing with software written outside of the
United States was now a normal occurrence.

"Of course we knew that Platform has subsidiary offices all over the
world, including China," said Kevin Roark, a spokesman for the Los
Alamos laboratory. He said the lab reviewed all of the basic
programmer instructions, known as source code, before running software
used in classified applications. "The reality of software in the 21st
century," he said, "is you count on software having source from
foreign sources."

Even before Mr. Gabrenya's complaints, Platform Software said, it had
been taking steps to isolate its overseas divisions from the sale of
its software technology to customers in the United States with
classified military and intelligence applications. The company
recently created a separate board for its unit that sells to the
United States government.

The board includes two former government officials: Oliver Revell,
president of the Revell Group International and former assistant
director of the Federal Bureau of Investigation, and Harry Soyster,
vice president of the Washington consultants Military Professional
Resources Inc. and a former lieutenant general in the Army who
directed the Defense Intelligence Agency.

Mr. Revell said he was unfamiliar with the details of Mr. Gabrenya's
dispute with Platform, but said he thought the company had taken the
necessary steps to insulate itself from potential foreign intelligence
operations.

"I've spent 35 years defending my country and I would not participate
or allow my name to be used in a company that had any potential risk
to the United States," Mr. Revell said. "As far as I'm concerned the
software provided will be thoroughly checked and all of the U.S.
government customers are aware of what's being done and where it's
being done."

Mr. Gabrenya, for his part, said he could have gone to a lawyer and
attempted to reach a financial settlement with the company for what he
considers his wrongful termination, but that "it was not about money."

"I have some moral concerns," he said. "This is about doing the right
thing."
