Software at State, Courtesy of Ex-Soviets

What prompted this recall notice was State's belated realization that the software code had been written by a company, Synergy International Systems Inc., run by citizens of the former Soviet Union. The founder of the company had written a prototype version of the software for a project managed by a U.S. Embassy staffer in Moscow during the mid-1990s.

State feared that it had unwittingly purchased a potential Trojan Horse--on a sole-source contract! Even though the software was used only on the department's "sensitive but unclassified" system, officials are now scrambling to determine whether it included hidden code that could download information from U.S. computers, breach their security "fire walls" or cripple their operations during a global crisis.

The FBI is now conducting a counter-intelligence probe of the matter, and the State Department's inspector general is separately investigating the contracting process, according to Bonnie Cohen, undersecretary of state for management. The FBI, aided by the National Security Agency, is examining the code line by line. The goal is to "help identify and eradicate any code that could execute a Trojan Horse, a computer virus or any other type of malicious code," according to a Feb. 1 internal State Department document.

Ashot Hovanesian, founder and president of Synergy International Systems, said yesterday that he was questioned Monday by the FBI. "I am confident that this investigation will show that there is no problem with this software," he said.

So far, investigators haven't found any evidence that the software contains dangerous bugs or hidden code, according to State Department officials. They hope that the case will prove to be a false alarm--and that Synergy International Systems will turn out to be blameless. But that doesn't change the fact that security procedures were lax.

"On the face of it, from what we know so far, it's an extraordinary lapse in judgment," said Cohen.

The State Department case is the latest illustration of how vulnerable computer systems are to attack--and how people unwittingly leave the door open for potential intruders.

That cyber-sloppiness is clear in the case of former CIA director John Deutch, who brought highly classified files home from the office and used them on his personal computer--which he also used to cruise the Internet in ways that might have allowed an attacker to identify him and download his files. Our society's broader vulnerability was evident in last week's hacker attacks on major Web sites, including Yahoo.

The State Department's inattention to security has worried professionals for years. The department only recently adopted the kind of access-control policies that are standard at most high-tech companies--and that was completed only after the Russians had successfully planted a bug in a conference room.

It was the bugging incident that triggered the software review. After the FBI arrested Russian diplomat Stanislav Borisovich Grusev on Dec. 8, the director of the office that manages the Mission Performance Plan came to visit David Carpenter, who heads State's diplomatic security. She advised him that some former Soviet citizens were visiting State regularly as part of their contract to write software for unclassified systems.

Carpenter immediately referred the case to the FBI, which reported back in late January that it had uncovered what one senior State Department official called "the appearance of some contracting improprieties." State's inspector general launched an investigation of the contracting issues on Jan. 28.

The software snafu began in Moscow in the mid-'90s, with what seem to have been the best of intentions. The G-7 countries, as major aid donors to Russia, were looking for a database system that would help them keep tabs on the wide range of projects underway around the country. The software team that became Synergy International Systems, headed by Hovanesian and including several other Armenians, built the system on contract from the U.S. Agency for International Development and other G-7 donors. Their work was supervised by a bright American diplomat in Moscow named Susan Johnson.

The Moscow software worked so well that State Department officials in Washington were impressed. When Johnson finished her Moscow tour, she discussed with a senior State official named Craig Johnstone the possibility of developing a similar database system to help embassies around the world compile the cumbersome Mission Performance Plan.

Among Johnson's supporters was Thomas Pickering, who had been U.S. ambassador in Moscow when she was there and had returned to Washington as undersecretary for political affairs. Johnson stayed in touch with the Synergy team, and they eventually received a contract--without competitive bidding--to design the global software product. Pickering, in a phone interview yesterday, praised Johnson's work but said, "I had no knowledge of the contract or influence over it." Johnson, who is now deputy chief of mission in Romania, declined to comment because of the investigation.

The lesson of State's software fiasco is simple--but so important it should be hard-wired: As people and organizations grow more dependent on computers, they become more vulnerable. It's easy to forget that every line of code can be a potential spy or saboteur. Computers help us work smarter, but they don't stop us from doing dumb things.