No good deed goes unpunished. Federal officials worry that a contractor’s violations of security agreements on a new system to manage the nation’s phone-number switching system may have exposed the code to foreign governments, including China. The story starts, ironically enough, with a decision to move away from a no-bid contract to a firm that had managed the system for almost two decades — and a decision to grant the new contract to a foreign-based firm.
Federal officials fear that national security may have been jeopardized when the company building a sensitive phone-number database violated a federal requirement that only U.S. citizens work on the project.
The database is significant because it tracks nearly every phone number in North America, making it a key tool for law enforcement agencies seeking to monitor criminal or espionage targets.
Now Telcordia, a Swedish-owned firm, is being compelled to rewrite the database computer code — a massive undertaking — to assuage concerns from officials at the FBI and Federal Communications Commission that foreign citizens had access to the project. These officials fear that if other countries gain access to the code, they could reap a counterintelligence bonanza, learning the targets of U.S. law enforcement and espionage investigations.
The Washington Post’s Ellen Nakashima explains that the Number Portability Administration Center (NPAC) had been created and maintained by Neustar, a firm based in northern Virginia, since its 1997 inception. Funding for NPAC comes from the telecoms that use it to allow for accurate call connections, but the FCC has jurisdiction over its operation as a public utility.
However, it’s not just the telecoms that have an interest in NPAC. The FBI and other law-enforcement agencies also use NPAC for its investigations. Its code requires tight security to ensure that foreign governments can’t penetrate the system and identify targets of interest, especially when it comes to counter-intelligence operations. When the telecoms decided to put a new version of NPAC out for bid, the FCC made it clear that only cleared US citizens could work on the code.
Last month, the FBI found out that Telcordia, a subsidiary of Sweden-based Ericsson, had put eight foreign nationals on the code-writing process, including a citizen of China:
The security rewrite began in March after the agencies learned that a Chinese citizen with a U.S. work permit had helped write the system code, said individuals familiar with the matter who spoke on the condition of anonymity to discuss a sensitive matter. Seven other foreign citizens, including a British engineer, also worked on the project, although it was the Chinese engineer who raised red flags for officials.
D’oh! Speaking of good deeds and punishment, how exactly did the FCC and FBI find out about this potential security breach?
In a separate development, a former Telcordia employee in New Jersey alleged in a civil lawsuit made public this week that he was fired in retaliation for blowing the whistle on a foreign worker.
Given that Telcordia now has to rewrite the entire proposed system from scratch, one can understand why they might have wanted to can the person allegedly responsible for the costs it will require. One has to wonder, though, whether firing the person who (allegedly) managed to keep your company from becoming a national-security danger is a good public-relations move. Maybe firing the person who hired the foreign nationals for the project in the first place would have been a better idea.
Speaking of better ideas: If the nature of this project requires the kind of security that means that only cleared US citizens can work on it, then how did a foreign-based company end up with the contract?