Bribery Case: Possible IT Security Nightmare in D.C.

Arrest of security exec leaves district officials facing 'huge mess' over potential security issues

After being arrested on bribery charges yesterday, the District of Columbia's top information security official is being held without bail, partly because of uncertainty about whether he still has the ability to access the district's IT systems.

That's just one of many potential security issues facing D.C. government officials after the FBI raided the district's IT offices and arrested Yusuf Acar, its acting chief security officer, and a second man in connection with an alleged bribery scheme.

For instance, Acar had access to personnel data and other confidential information in the district's systems as part of his job. Court documents submitted by the FBI claim that several other district employees were also involved in the bribery scheme. Security analysts warn that Acar and his alleged accomplices could have created backdoors into systems. And since the alleged scheme included misdoings on a purchase of security software, there may be questions about the quality of the district's security tools.

From an IT security standpoint, municipal officials in Washington have a nightmare on their hands, said Johannes Ullrich, chief technology officer at the SANS Institute's Internet Storm Center in Bethesda, Md.

As a security official in the IT department, Acar would have had widespread access to the district's networks and probably also its databases and password files, Ullrich said. In addition, he would have been privy to details about its user-access-control procedures. That level of access and knowledge could have enabled him to do a variety of things, virtually undetected, if he so chose, according to Ullrich.

Without a thorough forensics investigation, there's no telling whether anything nefarious was actually done to the district's systems, Ullrich noted. He said some of the classic rogue-insider actions that D.C. officials should look for include installing backdoors, stealing data and planting logic bombs designed to destroy data after a specified period of time has elapsed. Another is tricking other users into installing malware or compromised devices on their systems.

At Acar's arraignment in U.S. District Court yesterday, Assistant U.S. Attorney Thomas Hibarger cited a number of reasons why the IT worker should be held in jail pending a bond hearing scheduled for next Tuesday. First and foremost, Hibarger said there was a "serious risk" that Acar, who has relatives in Turkey, would try to flee the country. But Hibarger also pointed to Acar's broad system-access privileges and said prosecutors didn't know for sure that he would be blocked from accessing the district's network.

Federal investigators haven't said whether they think any of the data in the district's systems was compromised as part of the alleged bribery scheme. A spokesman for the U.S. attorney's office said today that he couldn't comment on the investigative steps being taken.

Besides ensuring that Acar is locked out of the network, D.C. officials should also review network and systems logs to check on his activities, Ullrich advised. He also said that passwords and other access-control mechanisms need to be reset and that the district's security tools should be evaluated in light of the FBI's claim that one of the alleged bribery incidents involved a purchase of software from security vendor McAfee Inc.

In that incident, according to the FBI, a Washington-based outsourcing and IT services vendor named Advanced Integrated Technologies Corp. (AITC) bought 500 licenses from McAfee on behalf of the district's IT department but then charged the government for 2,000 licenses. Sushil Bansal, AITC's CEO, was the second person arrested by the FBI in connection with the alleged scheme.

It's possible, Ullrich said, that some of the security technologies bought through AITC aren't best-in-class or the best fit for the district's needs. "There probably are questions about the quality of the [security] infrastructure," he said. "Who knows what they bought? Who knows if they took money for selling access to the network or the data?"

Gartner Inc. analyst John Pescatore called the situation a "huge mess" for D.C. officials. "So far, the major issues that have been raised publicly are financial shenanigans," Pescatore said. But like Ullrich, he said that a major computer forensics effort is going to be needed to find out what else, if anything, the alleged perpetrators may have been up to.

Because AITC also has done work for the district's Department of Motor Vehicles and its human resources office, there potentially was "a lot of opportunity for data snooping or selling of citizen and employee data," Pescatore added.

Alan Paller, the SANS Institute's director of research, said there's also the possibility of security problems resulting from acts of omission on the part of Acar and Bansal. "The main negative here might be that they weren't paying attention to the job but were more interested in lining their pockets," Paller said. But until an investigation is completed, it's impossible to know for sure, he added.

The alleged scheme was complex, according to the charging documents disclosed at the arraignment hearing. Acar submitted purchase orders for higher numbers of products than were actually delivered, resulting in the district being charged for goods it never received, the FBI said in an affidavit. He also added "ghost employees" to the district's payroll and created timesheets for the fictitious workers so payments could be made to them, the FBI claimed.

The bribery case is getting even more attention than it normally would because President Obama last week appointed Vivek Kundra, who until then was the district's chief technology officer, to be the federal government's first-ever CIO.

There were no indications in the court documents that Kundra had any knowledge of the alleged illegal activities. But the White House confirmed today that Kundra is taking a leave of absence from the CIO job following yesterday's arrests. That calls into question whether his vision of leading a "technology revolution" at the federal level will ever come to pass.

Copyright © 2009 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline