Fingerprint-analysis software used by the Federal Bureau of Investigation and more than 18,000 other law enforcement agencies in the United States might contain Russian code. The apparent finding comes at a time of heightened security concerns over international spying efforts—just three months ago, the Department of Homeland Security banned all federal agencies from using Kaspersky's security products due to reports of Russian hacking.
Regarding the fingerprint analysis software, a French company injected the Russian code into the program, according to a couple of former employees of that firm. At the time, the firm was a subsidiary of Safran, a French multinational outfit and supplier of systems and equipment for aerospace, defense, and security. According to the ex-employees, the company they worked for purchased the Russian code in secret from Papillon Systems, a Russian cybersecurity outfit.
Papillon Systems often works with law enforcement agencies in Russia. The company is not shy about its close relationship with the Federal Security Service (FSB), the intelligence and spying arm of the Russian government that succeeded the Soviet-era KGB. The FSB has been identified in the past as having been involved in U.S. hacks. As such, the two whistleblowers who claim there is Russian code in the FBI's fingerprint scanning software say its presence should raise national security concerns.
According to the former employees, the Safran subsidiary Sagem Sécurité, later renamed Morpho, licensed the code to improve its fingerprint analysis software so the company would have a better shot at winning the presumably lucrative FBI contract. What's unnerving about the deal, however, is that the code could potentially make it easier for Russian hackers to infiltrate computer networks where the software is installed.
"The fact that there are connections to the FSB would make me nervous to use this software," Tim Evans, a former director of operational software policy for the National Security Agency's cyberintelligence unit, told BuzzFeed. He and other cybersecurity experts say the full danger can't be adequately assessed without taking a close look at the code.
In a statement, the FBI said it conducts "appropriate security reviews" on all commercial software prior to deployment.