U.S. to Curb Computer Access by Foreigners

Sparked by heightened security concerns since the Sept. 11 terrorist attacks, the Defense Department has begun laying the groundwork to ban non-U.S. citizens from a wide range of computer projects.

The planned policy--slated for adoption within 90 days--extends restrictions on foreign nationals handling secret information to “sensitive but unclassified positions,” which include the swelling numbers of contract workers who process paychecks, write software, track supplies and maintain e-mail systems.

The move comes amid a growing awareness of the vulnerability of government computer systems in an era when software espionage and malicious hacking have become commonplace.

The Defense Department’s proposal, covering a work force that accounts for one-third of federal civilian employees, would represent the most sweeping implementation of the government’s restrictions on foreign technology workers. The much-smaller Justice Department instituted little-noticed restrictions in July, and the Treasury Department has had a ban on noncitizens working on its communications systems since 1998.

Officials said the restrictions are needed to get a handle on the proliferation of foreign nationals who work on government computer systems, but the plan has raised concerns that the government is being xenophobic and shortsighted.

Experts said barring foreign nationals from certain computer projects opens the prospect that key jobs will go unfilled because of a shortage of qualified citizens--a situation exacerbated by the relatively small number of U.S. students who pursue advanced technology degrees. Costs may also rise sharply as higher-paid U.S. citizens replace foreign workers.

“You can easily create a critical manpower shortage,” said Annalee Saxenian, a professor of city and regional planning at UC Berkeley who has studied the effect of immigrants on the technology industry. “There’s probably no company in Silicon Valley that doesn’t have from 10% to 40% of their work force who are foreign nationals. . . . [Defense Department officials may be] boxing themselves into a situation where they will lose the best talent.”

Even Richard A. Clarke, top cyber-security advisor to President Bush, views the restrictions as a misguided priority.

“Rather than worry about what country somebody was born in, we ought to focus on the design and the architecture of our information systems,” he said, adding that he supports the use of background checks, automatic recorders that log keystrokes by programmers and stricter rules on individuals changing data.

“In general, trying to restrict the [information technology] professional that we use to American citizens is not going to be an effective approach,” Clarke said. “The United States does not produce enough American citizens who are IT-security-trained to operate our networks.”

Computer Security Is Long-Standing Problem

Analysts long have warned about lax security in government computer systems.

“These [software] systems are wide open,” said Ed Yourdon, an independent expert in technology security policy. “The vast majority of bad things done on computer systems are done by insiders--not teenage hackers in Moscow.”

Two years ago, the General Accounting Office, the investigative arm of Congress, studied the use of foreign contractors by federal agencies working to fix year 2000 software problems. It found foreign nationals working on 85 contracts for “mission-critical” software. Yet several of the agencies investigated lacked even rudimentary controls over contractors’ work.

The Navy sent software or data associated with 36 mission-critical systems to a foreign-owned contractor yet “could not readily determine how the code and data were protected during and after transit to the contractor facility,” the GAO report said.

“In many instances, the [Defense Department] was not aware when some programming changes were being done by a contractor who used foreign nationals,” said David L. McClure, who led the GAO study.

The Health and Human Services Department used software engineers from Pakistan, Russia and Ukraine without performing background checks.

Similar lapses were found in the departments of Energy, Agriculture and State, as well as NASA and other federal agencies. None of those agencies is considering new restrictions in the use of foreign nationals, although some require regular employees to be citizens.

The Defense Department previously had been developing a system of security restrictions for foreign nationals working on unclassified computer operations, but Sept. 11 prompted plans for more restrictive measures.

IT Work Routinely Given to Foreigners

“The IT business has become largely contractual, with programming and data work being farmed out to areas where there is cheap labor,” Pete Nelson, the Defense Department’s deputy director for personnel security, wrote in an e-mail to The Times. “If this trend does not simultaneously take into consideration security requirements, there would be reason for concern. Some foreign nationals--those in the most sensitive position--may not be permitted to remain.”

Nelson said no details of the policy would be made public until it becomes final.

The Defense Department had no estimate of how many noncitizens it has as employees or contractors but acknowledged that the shift could prove costly.

Some major defense technology contractors also said they could not readily estimate how many of their employees are foreign nationals. Industry experts believe that thousands of jobs could be involved.

Major technology contractors, such as Science Applications International Corp. in San Diego and Computer Sciences Corp. in El Segundo, said they can meet any new Defense Department requirements.

Smaller contractors may have more difficulty doing so.

Indus Corp., a 300-employee technology contractor in Vienna, Va., that works with the military and other government agencies, fulfills military contracts without tapping its 40 to 45 employees who are not U.S. citizens, said Chief Executive Shiv Krishnan.

“In the future, there may be opportunities we can’t bid on because of the dearth of available talent,” said Krishnan, who came to the U.S. from India to study and gained American citizenship 12 years ago.

Dan Kuehl, a professor of cyber-security at the National Defense University in Washington, said any move to restrict unclassified tasks to U.S. citizens could create a logistical nightmare.

Despite the high-tech recession, the country faces chronic shortages of professionals who can manage the complex computer systems, databases and networks prevalent in government agencies. The high-tech industry relies heavily on Indian, Chinese and other Asian workers--a group that long has complained about being unfairly targeted on issues of U.S. loyalty.

Those shortages prompted Congress to create a special visa program through the Immigration Act of 1990 known as H-1B, which permitted more than 163,000 highly skilled foreign workers to take jobs in this country last year. Many are employed by defense contractors.

A move away from using foreign nationals also could increase contracting costs--building pressure on managers to make do with fewer tech professionals, which would itself be a security liability, said John Pescatore, a security analyst with GartnerGroup Inc.

Relatively few U.S. students are being trained to fill the gap, while foreign student enrollment in technology programs at U.S. universities has soared. From 1991 to 2000, 46% of U.S. doctoral degrees in computer science were awarded to foreign students, the National Science Foundation said.

“The same security concerns are being expressed about the entire critical infrastructure”--both government and private, Yourdon said. “We have foreign nationals working in systems that control electrical power or move billions of dollars around the financial systems or control trades on the Nasdaq.”

But banning noncitizens from sensitive jobs may offer little assurance of security, he said. Three of the most damaging espionage cases in U.S. history--those of the CIA’s Aldrich Ames, the FBI’s Robert Philip Hanssen and the Navy’s Walker family spy ring--involved U.S. citizens who were direct employees of the government and had access to classified computer systems.