By Patrick Malone, Center for Public Integrity
The Pentagon was tipped off in 2011 by a longtime Army contractor that Russian computer programmers were helping to write computer software for sensitive U.S. military communications systems, setting in motion a four-year federal investigation that ended this week with a multimillion-dollar fine against two firms involved in the work.
The contractor, John C. Kingsley, said in court documents filed in the case that he discovered the Russians’ role after he was appointed to run one of the firms in 2010. He said the software they wrote had made it possible for the Pentagon’s communications systems to be infected with viruses.
Greed drove the contractor to employ the Russian programmers, he said in his March 2011 complaint, which was sealed until late last week. He said they worked for one-third the rate that American programmers with the requisite security clearances could command. His accusations were denied by the firms that did the programming work.
“On at least one occasion, numerous viruses were loaded onto the DISA [Defense Information Systems Agency] network as a result of code written by the Russian programmers and installed on servers in the DISA secure system,” Kingsley said in his complaint, filed under the federal False Claims Act in U.S. District Court in Washington, D.C., on March 18, 2011.
Asked to confirm that the Russians’ involvement in the software work led to the presence of viruses in the U.S. military’s communications systems, Alana Johnson, a spokeswoman for the Defense Information Systems Agency, declined to answer on the grounds that doing so could compromise the agency’s “national security posture.”
“It’s something that we take very seriously,” Johnson said in a telephone interview on Tuesday. “The Department of Defense’s posture on cybersecurity ultimately affects national security.”
Kingsley first told a Defense Information Systems Agency official on Jan. 10, 2011, that Russians had been doing computer programming for Massachusetts-based NetCracker Technology Corporation under a federal contract, through an arrangement that corporate officials referred to as its “Back Office,” he said in his complaint. He said the work had been done in Moscow and elsewhere in Russia.
The DISA official confirmed that the practice of outsourcing the work to employees in Russia violated both the company’s contract and federal regulations that mandate only U.S. citizens with approved security clearances work on classified systems, Kingsley’s complaint said.
On Monday, NetCracker and the much larger Virginia-based Computer Sciences Corporation—which had subcontracted the work—agreed to pay a combined $12.75 million in civil penalties to close a four-year-long Justice Department investigation into the security breach. They each denied Kingsley’s accusations in settlement documents filed with the court.
The agency’s inspector general, Col. Bill Eger, who had investigated Kingsley’s allegations, said the case was a good example of how his office combats fraud. In a separate statement released Monday, Channing D. Phillips, the U.S. Attorney for the District of Columbia, said that “in addition to holding these two companies accountable for their contracting obligations, this settlement shows that the U.S. Attorney’s Office will take appropriate measures necessary to ensure the integrity of government communications systems.”
The $22 million contract the companies were working on dates from 2008, when the Pentagon first asked Computer Sciences Corporation to fortify and administer the computer networks of the Defense Information Systems Agency. The agency supports battlefield operations by running communication systems that enable soldiers, officers, and coalition partners to communicate in secret.
Computer Sciences Corporation collected a total of $1.5 billion from the Pentagon in fiscal year 2014, according to the Federal Procurement Data System. The work at the heart of this case was part of a $613 million contract between the Defense Information Systems Agency and the corporation. Netcracker, which has done direct work for the Air Force and the General Services Administration, worked as a subcontractor on the deal.
In his complaint, Kingsley asserted that Computer Sciences Corporation executives knew about Netcracker’s work in Russia. But a corporation spokeswoman, in a written statement, denied it. “[Computer Sciences Corporation] believes it is as much a victim of NetCracker’s conduct as is our [Defense Information Systems Agency] customer and agreed to settle this case because the litigation costs outweigh those of the settlement,” Heather Williams wrote. “Security is of the utmost importance” to the corporation, she wrote.
Kingsley also said in his whistleblower complaint that when he questioned NetCracker’s general counsel about the propriety of the arrangement, the counsel assured him nothing was wrong. When he asked the company’s board of directors for permission to discuss the Russians’ participation with the Defense Information Systems Agency, his “requests were rebuffed,” he said in the complaint.
The next day, in an email to the board of directors at NetCracker Government Services, the company’s general counsel characterized Kingsley’s conversation with the government official as an “unscheduled, one-on-one meeting” that ended with a “vitriolic rampage” and left the Defense Information Systems Agency officer with the impression that Kingsley was a “lunatic,” according to Kingsley’s complaint. Kingsley said in his complaint that this description of the meeting was incorrect and intended to hurt Kingsley’s reputation with the company’s other board members.
Joanna Larivee, a spokeswoman for Netcracker, responded with a written statement that it “has cooperated fully with the Department of Justice throughout its review of this matter and explicitly denies liability for any wrongdoing. We have always taken responsible steps to ensure that best practices are deployed when managing client information and that NetCracker is compliant with the terms of our contracts. We have decided that it is in the best interest of all stakeholders to settle the matter.”
Of the total fines, NetCracker agreed to pay $11.4 million while the Computer Sciences Corporation agreed to pay $1.35 million. Under the False Claims Act, Kingsley’s share of the settlement is $2.3 million, according to the Justice Department.
Kingsley did not respond to a phone message left at his home in Fairfax, Virginia, on Tuesday. His lawyer, Paul Schleifman, said Kingsley spoke up about the Back Office in Russia because he was worried that it could harm national security. “[Kingsley] believes that his obligation is to the United States first,” Schleifman said, “not to his pocket.”
The settlement agreement leaves the door open for the Justice Department to pursue criminal charges based on Kingsley’s allegations. A Justice Department spokeswoman did not respond before deadline when asked whether any such charges are expected.