A contractor for the United States Army, Mittesh Das, was sentenced by the court for the Eastern District of North Carolina to 24 months imprisonment and 3 years supervised release, and was ordered to pay $1.5 Million in restitution. His crime: “transmitting malicious code with intent to cause damage to a U.S. Army computer used in the furtherance of national security.” Das implanted a “logic bomb” inside an Army computer system.
The indictment and arrest of Mittesh Das
Das was originally arrested in April 2016 following a grand jury indictment. At that time, Director Daniel Andrews of the Computer Crime Investigative Unit, U.S. Army Criminal Investigation Command, said, “Mr. Das allegedly exploited his position as a cleared defense contractor to sabotage the U.S. Army Reserve’s personnel system and disrupt pay to our nation’s soldiers.” Andrews continued, “Cybercrime and insider threats present significant challenges to national security and military operations, and we will continue to root out those responsible and help bring violators to justice.”
Trial shows Das placed a “logic bomb” in government system
In September 2017, Das was found guilty after a three-day jury trial in federal court. During the trial, the extent of the damage attempted by Das was revealed.
Das had placed a “logic bomb” within the computer program responsible for the handling of pay and personnel actions for approximately 200,000 Army reservists. The logic bomb was discovered when this program began experiencing performance issues in November 2014. The investigation into the performance degradation by the Army’s Criminal Investigative Command focused on the five servers supporting the program. These servers were located within Fort Bragg, NC.
The administrative investigation showed that Das (a sub-contractor) had been responsible for maintaining the program and its attendant servers, beginning in 2012. In late 2014, the prime contract for this support was re-bid and a new prime contractor was chosen. Das and his services would no longer be needed.
Instead of facilitating the turnover from one contractor to another, Das opted to implant the logic bomb with the intent to commit cyber-sabotage. The malicious code began executing as Das had intended, progressively destroying information the day after the changeover.
The Army described how it was required to remove the malicious code and inspect the entire system, which cost the Army approximately $2.6 Million.
Following the sentencing of Das, Director Andrews commented, “Cybercrime and insider threats present significant challenges to national security and military operations, and today’s sentencing serves as a stark reminder that we will continue to preserve strategic readiness by bringing violators to justice.”
The reality of the insider threat
The reality evidenced by the Das arrest, trial, and conviction is that of the insider threat. When personnel depart, the circumstances of that departure may provide enough motivation for an individual to break trust and engage in destructive behavior. This was the case with Das.
Each entity, both contractor and government, is required to maintain and execute an insider threat program unique to that entity. Rare is the entity with the resources to conduct a code review after the departure of personnel with access to the source or operational code. For this reason, personnel managers are in a unique position to raise the flag if they suspect a departing employee’s or contractor’s exit may be sufficiently acrimonious to pose a threat. With this flag raised, an immediate investigation can be initiated as a prudent cautionary step.