Last Updated: 07/27/2016

Tracking a Trojan Horse




Now it's the U.S. State Department's turn to discover just how stupid people can be when it comes to computer security.


State sent out an urgent cable Feb. 2 to about 170 embassies around the world asking them to remove from their computers by Feb. 7 a piece of software they had been using to produce a budget document known as the Mission Performance Plan.


What prompted this recall notice was State's belated realization that the software code had been written by a company, Synergy International Systems Inc., run by citizens of the former Soviet Union. The founder of the company had written a prototype version of the software for a project managed by a U.S. Embassy staffer in Moscow during the mid-1990s.


State feared it had unwittingly purchased a Trojan Horse - on a sole-source contract! Though the software was used only on the department's "sensitive but unclassified" system, officials are now scrambling to determine whether it included hidden code that could download information from U.S. computers, breach their security "fire walls" or cripple operations during a global crisis.


The FBI is now conducting a counter-intelligence probe of the matter, and the State Department's inspector-general is separately investigating the contracting process, according to Bonnie Cohen, undersecretary of state for management. The FBI, aided by the National Security Agency, is examining the code line by line. The goal is to "help identify and eradicate any code that could execute a Trojan Horse, a computer virus or any other type of malicious code," according to a Feb. 1 internal State Department document.


Ashot Hovanesian, founder and president of Synergy International Systems, said Tuesday that he was questioned Monday by the FBI. "I am confident that this investigation will show that there is no problem with this software," he said.


So far, investigators haven't found any evidence that the software contains dangerous bugs, according to State Department officials. They hope the case will prove to be a false alarm. But that doesn't change the fact that security procedures were lax.


"On the face of it, from what we know so far, it's an extraordinary lapse in judgment," Cohen said.


The State Department case is the latest illustration of how vulnerable computer systems are to attack - and how people unwittingly leave the door open for potential intruders.


That cybersloppiness is clear in the case of former CIA Director John Deutch, who brought highly classified files home from the office and used them on his personal computer - which he also used to cruise the Internet in ways that might have allowed an attacker to identify him and download his files. Our society's broader vulnerability was evident in last week's hacker attacks on major web sites, including Yahoo.


The State Department's inattention to security has worried professionals for years. The department only recently adopted the kind of access-control policies that are standard at most high-tech companies, and that was completed only after the Russians had planted a bug in a conference room.


It was the bugging incident that triggered the software review. After the FBI arrested Russian diplomat Stanislav Grusev on Dec. 8, the director of the office that manages the Mission Performance Plan came to visit David Carpenter, who heads State's diplomatic security. She advised him that some former Soviet citizens were visiting State regularly as part of their contract to write software for unclassified systems.


Carpenter immediately referred the case to the FBI, which reported back in late January that it had uncovered what one senior State Department official called "the appearance of some contracting improprieties." State's inspector-general launched an investigation of the contracting issues on Jan. 28.


The software problem began in Moscow in the mid-1990s. The G-7 countries, as major aid donors to Russia, were looking for a database system that would help them keep tabs on a wide range of projects. The software team that became Synergy International Systems, headed by Hovanesian and including several other Armenians, built the system on contract from the U.S. Agency for International Development and other G-7 donors. Their work was supervised by a bright American diplomat in Moscow named Susan Johnson.


The Moscow software worked so well that State Department officials in Washington were impressed. When Johnson finished her Moscow tour, she discussed with a senior State official named Craig Johnstone the possibility of developing a similar system to help embassies around the world compile the Mission Performance Plan.


Among Johnson's supporters was Thomas Pickering, who had been U.S. ambassador in Moscow when she was there and had returned to Washington as undersecretary for political affairs. Johnson stayed in touch with the Synergy team, and they eventually received a contract - without competitive bidding - to design the global software product. Pickering, in a phone interview Tuesday, praised Johnson's work but said, "I had no knowledge of the contract or influence over it." Johnson, who is now deputy chief of mission in Romania, declined to comment because of the investigation.


The lesson of State's software fiasco is simple - but so important it should be hard-wired: As people and organizations grow more dependent on computers, they become more vulnerable. It's easy to forget that every line of code can be a potential spy or saboteur. Computers help us work smarter, but they don't stop us from doing dumb things.


David Ignatius writes for The Washington Post, where this comment initially appeared.