Tech Firm Claims Its Software “Hacked” in CIA’s Quest for Drone Code
Litigation pits trade secrets against alleged government-contracting abuses
A lawsuit pending in Suffolk County Superior Court in Boston offers a detailed snapshot of a facet of the CIA’s operations inside the United States, specifically what appears to be Agency contracting practices that make veracity the victim of subterfuge.
The litigation involves a breach of contract dispute between two high-tech companies — one a publicly traded computer hardware firm called Netezza Corp. and the other a small, privately owned software firm called Intelligent Integration Systems Inc., or IISI. Both are based in Massachusetts.
The litigation, pending since November 2009, is complex, and has received scant media attention, other than from an online financial publication called thestreet.com, which published a story [link here] last month about the case.
The lawsuit revolves around a series of claims and counterclaims related to a sophisticated, analytical software program developed by IISI that is capable of integrating at high speeds spatial data, such as maps and visual images, with non-visual data, such as names and phone numbers.
Here’s how the software, known as IISI Geospatial, is described in the court pleadings:
[The software allows a data warehouse computer, such as one model made by Netezza] to incorporate and cross-reference vast amounts of … data with geographic location within the same database, and enable events (such as a tornado heading towards a population center or a cell phone signal moving from one tower to another) to be matched with personal characteristics in a database (such as telephone numbers for houses in the path of the tornado, or the identity of the person whose cell phone signal has moved from one tower to another) and mapped and analyzed quickly and efficiently.
The essential argument in the lawsuit between Netezza and IISI boils down to whether IISI was required to develop another version of its Geospatial software for a new data warehouse computer product that was launched by Netezza last year. Both parties in the case agree that IISI did sell a version of Geospatial to Netezza that was designed to operate on that company’s prior data warehouse platform, called the Netezza Performance Server (NPS).
However, IISI argues that, per a contract agreement between the two companies, it was not required to develop a new version of its software to operate on Netezza’s latest hardware product, dubbed the TwinFin — unveiled publicly in 2009.
From IISI’s memorandum of law in support of its motion for summary judgment:
Unbeknownst to IISI at the time [August 2009], Netezza had already represented to the U.S. Government that geospatial was running and available on the TwinFin, when in fact it was not, and had been representing, at trade conferences, that it had a geospatial product that ran on its new TwinFin computer, when in fact it did not.
Netezza, by contrast, contends IISI was required to adapt and enhance the software for the TwinFin, which runs on a completely different platform and processing chip than the NPS.
A judge will soon decide that question, though it is important to note that IISI also argues in its court pleadings that the agreement between it and Netezza includes clear language prohibiting Netezza from “reverse engineering” IISI’s Geospatial software.
And that is precisely the point where the CIA enters the dispute.
Again, from IISI’s pending summary judgment memorandum:
Netezza “hacked” (Netezza’s word) into IISI’s Geospatial sourcecode (in violation of the “no reverse engineering provision of the Agreement) and created a version of Geospatial that ran on TwinFin, though very imperfectly, which it delivered to the CIA in October 2009, and which the CIA accepted.
To be more specific, that “imperfectly” operating software had the following problem, among others, according to an internal Netezza e-mail included as slide 154 in a Powerpoint presentation IISI provided to the court.
The results on the customer’s TwinFin 12 return MUCH faster than the 10100 [the NPS] but for some strange reason, many of the calculations are a little off, from 1 to 13 meters.
The customer referred to in the Netezza internal e-mail is the CIA and it’s need for an operational TwinFin was presented to IISI as a matter of national security, according to the sworn deposition of IISI President and co-founder Richard Zimmerman:
[Zimmerman]: …. [Netezza General Manager] Jon Shepherd called me immediately before that, he called me on the phone. I was in my car – ....
Q: Was that on or about October 10th ?
[Zimmerman]: I believe it was October 9th.
… Q: And what did Mr. Shepherd say to you at that time?
[Zimmerman]: He basically told me the CIA – he had just been informed that the CIA was using – wanted to use spatial [Netezza’s brand name for IISI’s Geospatial] to target predator drones in Afghanistan and that, quote/unquote, it was our patriotic duty to work with them to try to get spatial ported to the TwinFin as fast as possible and that we needed to have a phone conversation the next day to discuss that.
… Q: And who was on the call?
[Zimmerman]: [Netezza president and CEO] Jim Baum was on the call. Jim Baum led the call, myself, Paul Davis [cofounder and CEO of IISI]. Marshall [Peterson, another IISI co-founder] was on the call. Jon Shepherd was on the call. There may have been others.
… Q: And ultimately, did IISI communicate to Netezza after the ... conference call that it would not do what Netezza wanted it to do, produce incremental versions of the software in the way they had been requested, at least without other terms and conditions?
[Zimmerman]: … I think – our message said that your proposal is not – we’re not going to do that without additional terms about – You know, again, coming back to Paul [Davis’] desire not to have IISI code out there that hasn’t been certified and whatnot, without having some sort of terms around that that indemnifies us in case that code kills people …. [Emphasis added.]
Margin of Error
">That’s right, according to IISI’s pleadings, Netezza officials claimed the CIA needed the TwinFin, with operational IISI software, for use in its predator drone program, which involves the use of unmanned aircraft to target and kill people in Pakistan and Afghanistan. So the issue of being off “from 1 to 13 meters” seems problematic, or should, for such a use.
And the fact that Netezza might be doing work for the CIA is not simply the stuff of conspiracy theories. Netezza has engaged in national-security-related work in the past, for Sandia and Lawrence Livermore labs, for example; and it also has obtained an order from the U.S. Securities and Exchange Commission granting the company permission to cloak some of its filings with the agency from public (and investors’) view.
IISI’s pleadings in the litigation allege that once it became clear to Netezza officials that IISI was not going to cooperate, absent new contract language, in upgrading the Geospatial software for the TwinFin, the national security card was played in order to pressure IISI to make available some version of Geospatial for the TwinFin platform, even if it didn’t work quite right.
From IISI’s memorandum of law in support of its motion for summary judgment:
… Netezza suddenly began pressuring IISI to develop a version of geospatial to run on the TwinFin on an accelerated, incremental basis, claiming that “national security” required it, and that the Government would “take whatever we give them.”
And when IISI officials refused to cave into that pressure, IISI’s pleadings claim, Netezza proceeded to “hack” (or develop a pirated version) of IISI’s Geospatial software – resulting in an imperfect end product that allegedly was sold to the CIA for use in its drone program.
"When you sell something that doesn't exist, the risks can be endless,” IISI’s Davis told Narco News.
Leutrell Osborne, a former case officer with the CIA, added another twist to that “risk” by suggesting to Narco News that the U.S. National Geospatial-Intelligence Agency (NGA) might also somehow “be connected” to the Netezza computer purchase.
The NGA, which is part of the Pentagon’s intelligence community, has a support team imbedded inside the CIA that “has been a powerful force in assimilating CIA into the National System for Geospatial Intelligence … integrating geospatial intelligence … into the CIA’s processes, building collaborative partnerships, increasing NGA–CIA developmental opportunities and facilitating cross-training programs,” the NGA’s Web site reveals.
The NGA’s mission, according to its Web site, is to develop “imagery and map-based intelligence solutions for U.S. national defense, homeland security and safety of navigation.” That means the agency also works with the Department of Homeland Security, which also operates, via its Customs and Border Protection agency, several drone aircraft along the U.S./Mexico border.
Susan Meisner of NGA’s public affairs office confirms that her agency has a support team at the CIA, “and at numerous other agencies.” However, she also said “we [NGA] don’t have anything on a contract with Netezza.”
Beyond the one-sentence warning offered by IISI CEO Davis, he and other company officials declined further comment for the story, referring Narco News to the court pleadings.
Likewise, Netezza spokesman Glen Zimmerman declined comment, indicating that it is his company’s policy not to discuss “pending litigation.”
In its pleadings in the case, Netezza argues the following:
This civil action by Netezza Corporation (“Netezza”) arises from an unlawful attempt by Intelligent Integration Systems Inc. (“IISI”) to coerce Netezza to renegotiate a deal that no longer suits IISI and in the process extract additional money to which it is not entitled. IISI’s transparent scheme to hold Netezza and its customers hostage by the improper withholding of software support and services that IISI promised to provide and for which Netezza has paid is not only a material breach, and cause for termination of the contract between the parties, but also tortuous misconduct and an unfair and deceptive trade practice…
In a counterclaim filed against Netezza, IISI alleges that it is Netezza that breached the contract, misappropriated trade secrets and defamed IISI.
The CIA, however, appears to be a silent party to this case so far, with the exception of one of its supposed employees, named Skip McCormick. He makes a late dramatic appearance in the case shortly after Netezza sold a TwinFin computer to a reseller called CompSec. That TwinFin purchase, according to a Netezza e-mail that is part of the court record, was apparently part of an even larger government purchase deal.
From the e-mail [slide 133 in the Powerpoint], sent on Oct. 12, 2009, by Netezza CEO Baum:
Our USG friends [among which, based on a conservative reading of ISSI's court pleadings, is the CIA] have ordered 10 Mustang racks and 14 TwinFin racks (all but 2 are also delivered) since the deals started to flow last year around this time. Add that [to] the deal for TwinFin and SW-only systems that is brewing and I think that total’s getting close to $40 million. Not bad, considering the process only really got started about 18 months ago. Why couldn’t this be more like $100M by the end of 2010. I wouldn’t bet against it.
So, it seems clear, by mid-October of last year, Netezza had a lot riding on this deal with its “USG friends.”
Enter Skip McCormick
A purchase order was delivered to Netezza in mid-September 2009 calling for the acquisition of a TwinFin 12 for a little over $1 million along with system software dubbed “Netezza GeoSpatial for Netezza TwinFin12.” That purchase order [slide 105 in the Powerpoint] was submitted to Netezza from a McLean, Va.-based company called CompSec, court records show.
It is worth nothing that, according to IISI’s pleadings, there was no “Geospatial” software developed by IISI for the TwinFin. So whatever “GeoSpatial” software was delivered to CompSec per the purchase order would appear to be other than an IISI software product.
CompSec bills itself, according to its Web site, as a “small, woman-owned business,” that “is the Intelligence Community’s most trusted source for solving complex IT problems.”
An executive with CompSec, who asked that his name not be used, said the company’s “mission is to help the federal government procure anything.” Essentially, he said, the company is a reseller, primarily serving federal agencies, and that nothing precludes CompSec from selling equipment, such as a TwinFin, to the CIA, though he would not confirm that the company does, in fact, “work with the CIA.”
Whether the TwinFin sold by Netezza to CompSec is the same Netezza TwinFin resold (allegedly with hacked IISI software) to the CIA is for you, kind reader, to decide, as well as the judge in the case.
However, it is clear that an individual named Skip McCormick, who claims to be a CIA employee, did contact IISI’s CEO Davis.
From an affidavit prepared by IISI CEO Davis that is part of the lawsuit:
…. During this same October 2009 time period, I was contacted by telephone by an individual who identified himself as Skip McCormick, claimed to be associated with the U.S. Central Intelligence Agency (“CIA”), and expressed an interest in acquiring a version of geospatial that would operated on the TwinFin. At the time, I was on my way to the hospital having suffered a slight relapse following my Sept. 30, 2009, heart attack, and was in no position to speak with him at any length. I also could not verify that he truly was a representative of the CIA, and told him that I was concerned at being unable to do so.
A few minutes later, I received an email dated Oct. 14, 2009, [link here; see Exhibit C, document page 28] indicating it was from Skip McCormick at an email address designated firstname.lastname@example.org, stating that, “We depend on the geospatial tool here every day,” and “we just upgraded to a P12” – which I knew was Netezza’s numerical designation for a particular size TwinFin – “but it doesn’t yet have the geospatial tools.” The e-mail went on to say, “I’m trying to figure out what options are available for getting them asap.”
… Since I knew there were no geospatial tools in existence to run on the TwinFin at the time I received this e-mail, I assumed, when the e-mail referred to wanting “to figure out what options were available for getting them,” that it was referring to options for a development effort to create a version of geospatial to run on TwinFin.
Ironically, according to court documents prepared by IISI, the alleged hacking of the Geospatial software by Netezza personnel appears to have begun around mid-October 2009 — within days of McCormick contacting Davis — and appears to have been completed by mid-November of 2009.
From the court record:
• Internal Netezza e-mail dated Oct. 13, 2009 [slide 146]: “Guys, this relationship [with IISI] is really taking some ugly turns. … I want to set up some time on Thursday to get on the phone with you guys to talk about some options in the event we need an alternative TwinFin solution. …”
• Internal Netezza e-mail dated Oct. 14, 2009 [slide 147]: “…Whoever we decide to partner with should be ‘clean,’ someone that IISI can’t go after for IP infringement.”
• Internal Netezza e-mail dated Oct. 22, 2009 [slide 158]: “Subject: Re: Spatial Workaround on TwinFin”
… “Here’s a quick summary of what we did. … 3. Modified the install scripts to use the x86 version of the spatial library on the host …. 4. We also added in the line to make the code dependent on the library that we created in step 1. … I can go in and modify the installer this weekend if you want. …”
• Internal Netezza e-mail dated Oct. 23, 2009 [slide 157]: “Spoke to Skip [seemingly Skip McCormick of the CIA]. Sri (tech guy) and Chuck (Skip’s boss) were standing right there. They are satisfied with the TF [TwinFin] spatial performance for right now while we quickly figure out the best path to getting Spatial [Netezza’s brand name for IISI’s Geospatial] fully ported to the TF.”
• Internal Netezza e-mail dated Nov. 12, 2009 [slide 163]: “Suddenly I am seeing a lot of these types of errors in the spatial toolkit hack….” [Emphasis added.]
Narco News did manage to track down McCormick via his Virginia phone number.
When asked directly whether he worked for the CIA or whether he was familiar with, or participated, in any of the alleged “hacking” of IISI’s Geospatial software, McCormick indicated that he was precluded from commenting.
An official spokeswoman for the CIA provided Narco News with the following response when queried about McCormick: “The CIA does not, as a rule, comment on matters pending before US courts.”
Narco News also spoke with a government source who is familiar with the issues raised in the Netezza/IISI lawsuit. That source, who asked to remain anonymous, claims that the TwinFin purchased by the CIA from Netezza was in no way intended for use in a “kinetic operation,” such as the drone program.
“It’s being used in a very boring capacity to consolidate information — just one more vector for use in figuring out if we are dealing with the same person or thing,” the source said.
The source, though, also claims to have no knowledge of the alleged IISI Geospatial software piracy.
Of course, from the point of view of Netezza, modifying the IISI Geospatial software code absent IISI’s approval would not constitute piracy if the judge determines that Netezza owned that software and that IISI was obligated under contract to upgrade it to perform on the TwinFin.
Still, even if we set aside IISI’s vigorous assertion that it controlled the software rights and was under no obligation to upgrade the code for Netezza’s new machine, that doesn’t explain why the CIA would purchase, and put into use, a computer system that was seemingly quite flawed — as the e-mail trail put into evidence seems to indicate was the case with respect to the Netezza “hack.”
Regardless of the software’s use, that would appear to represent a monumental waste of taxpayer dollars. That wrong is only magnified if the computer code is, in fact, to be put to use, as Netezza officials represented to IISI, in targeting and killing people.
That issue of the CIA’s alleged misconduct simply doesn’t seem to be one that can be addressed adequately, if at all, by the state court judge now hearing the Netezza/ISSI breach-of-contract case.
One former DEA agent, who has plenty of experience dealing with CIA operations overseas, finds nothing surprising about the low standards of accountability that apply to the agency.
Here’s his take on McCormick and the CIA’s role in the Netezza/IISI litigation:
There are as many CIA impersonators out there as Elvis impersonators. The agency itself, after working alongside of them, with them and watching them for these many years, reminds me of a day room at a nut house, where there is a big sign that says, “COME IN AND PLAY ANY ROLE YOU WANT”....
The difference is that the CIA actually pays these guys to pretend they're spies, or soldiers of fortune, or whatever puts sand in your bucket.
… Usually when one tries to unravel CIA "intrigue" all you come up with is JADM (just another dumb move), paid for by your taxpayer dollar.