French whistleblowers have gone public with explosive claims that could trigger a wholesale review of how American law enforcement agencies collaborate with other agencies around the world — at least, as far as software procurement is concerned. The two whistleblowers claim that their former employer knowingly sold the Federal Bureau of Investigation a fingerprint analysis software package that it knew contained code developed by Papillon Systems, a Russian firm with close ties to the Kremlin. They also claim that this information was deliberately not disclosed to the FBI.
Buzzfeed claims that this same software package was deployed to more than 18,000 other law enforcement agencies across the country (presumably this refers to local and state police, though the TSA is also mentioned). Buzzfeed notes that Papillon’s own public statements boast of close ties to Russia, including work done for the Federal Security Service (FSB) and close collaboration with the Ministry of the Interior, Ministry of Defense and Ministry of Justice of Russia. The Internal Affairs Ministry is listed as providing “methodic assistance” to Papillon.
Simply having bought code built by a Russian firm isn’t proof that the code is compromised. It’s impossible to judge the severity of a security breach before you know what the code is and how it works, and we don’t have data yet on either point. But at a time when the government has locked down the purchase of Kaspersky products and Russia has been credibly accused of multiple high-profile hacks, including the DNC, US energy infrastructure, and the unclassified computers used by the Joint Chiefs of Staff, it’s clear there’s been a high-level effort to compromise US infrastructure and vulnerable systems in general. How this compares to the efforts the US undoubtedly makes against Russian targets is, of course, a matter of conjecture — the US is scarcely going to reveal such projects, and Russia has every reason to keep quiet about any penetration it’s aware of.
Papillon’s software in action. Image by Buzzfeed
This potential security risk dates back almost a decade. A French software company, MorphoTrak, signed an agreement with Papillon to license the latter’s fingerprint software, with the hope of using it to land a lucrative FBI contract. An NDA required both companies to remain silent on where the software came from, and Papillon agreed to provide five years of bug fixes and other services. All parties agreed that the provenance of the fingerprint analysis software had to remain private, lest it jeopardize US contracts.
The FBI has not issued much in the way of comment, beyond saying that the software they licensed passed internal review procedures. To reiterate, there is no proof, at present, of any backdoor. But it’s an unsettling reminder of the ways commercial business and national security may not always dovetail, and the risks engendered when one model is blithely assumed to be sufficient for very different types of products or services.