After exposing DISA data to Russia, contractor agrees to new security controls

Netcracker Technology Corp. signed an agreement to keep U.S. customer data in U.S. systems, settling a case that goes back to the Bush administration.

The Department of Justice announced an agreement Dec. 11 with contractor Netcracker Technology Corp. under which the company will implement additional security protocols to ensure that sensitive information belonging to its U.S.-based technology clients is not stored overseas.

The agreement allows NTC to avoid prosecution over a series of potential contract violations, possibly dating back to the Bush administration, that U.S. investigators believe may have left the Defense Information Systems Network (DISN) vulnerable to access by Russian nationals and hacking groups. In exchange, NTC agreed to a series of enhanced security protocols, including a new monitoring system to detect unauthorized access to U.S. customer data, additional background checks for NTC employees, and a commitment to locate the infrastructure serving U.S. customers in the United States.

"We are pleased Netcracker has agreed to invest in enhanced security protocols that will reduce the risk of unauthorized access to its clients' sensitive data," said Acting Assistant Attorney General Dana Boente in a statement announcing the agreement. "As threats to our critical infrastructure increase, especially from abroad, these protocols serve as a model for the kind of security that U.S. critical infrastructure should expect from the firms they use to develop, install, and maintain technology in their networks."

The alleged violations relate to NTC's work as a subcontractor under two contracts managed by Computer Sciences Corporation (since merged with other firms) to provide software and services, including customization of core code related to the DISN. Both contracts were agreed upon in 2008 and specified that any contractor personnel working on the DISN must be U.S. citizens holding secret or top-secret clearances.

According to the statement of facts, Netcracker informed the Defense Information Systems Agency in January 2011 that uncleared Russian nationals had been working on DISA-related projects, and told officials that the company believed this was permitted under the contract.

In July 2011, DISA, NTC and CSC agreed to revised contract guidelines permitting work by foreign nationals under specified conditions. DISA subsequently discovered further discrepancies that "resulted in an unacceptable degradation of the level of security DISA had intended to achieve," according to government documents. An investigation found project code and other information stored on a server in Moscow, as well as unspecified evidence that NTC employees in Russia and Ukraine knew they were working on projects related to DISA.

In November 2015, NTC paid $11.4 million to settle False Claims Act allegations that it had used uncleared personnel to write software for the DISN. According to court documents, Army contractor John Kingsley, the whistleblower in that case, alleged that the code written by those programmers included "numerous viruses" that could have harmed DOD networks.

The deal demonstrates the extent of U.S. government concern over where and how contractors transmit and store its data around the world, and over the ability of nation-state adversaries or hacking groups to reach data that is stored or duplicated on foreign networks. U.S. officials operate on the assumption that Russian law makes data stored within the country's borders subject to search by the FSB, so a copy of DISA-related code on a Moscow server is treated as accessible to the Russian security services regardless of who placed it there.