Justice Department officials indicted a former defense contractor on Wednesday for “sabotag[ing]” a military computer system that holds personal information about members of the Army Reserve.
Mittesh Das, an Atlanta-based contractor, faces ten years’ imprisonment if convicted. “As charged, Mr. Das allegedly exploited his position as a cleared defense contractor to sabotage the U.S. Army Reserve’s personnel system and disrupt pay to our nation’s soldiers,” said Director Daniel Andrews of the U.S. Army’s Computer Crime Investigative Unit.
The indictment brings a long-awaited conclusion to an investigation of the December 2014 breach of the Regional Level Application Software (RLAS), the Army Reserve’s human resources system. Publicly, the military described the outage as a computer “glitch,” but the Army Criminal Investigations Division undertook a sustained investigation.
“Cybercrime and insider threats present significant challenges to national security and military operations, and we will continue to root out those responsible and help bring violators to justice,” Andrews said.
Das’ motive for taking down the human resources system remains unknown to the public because the details of the investigation are under seal, and a Justice Department spokesman declined to elaborate. The spokesman also could not say why the investigation took so long to conclude; an Army spokesman estimated in August of 2015 that the announcement was just weeks away.
The RLAS breach caused Army Reserve personnel to endure a 17-day delay of their paychecks, a problem made more inconvenient because it occurred during the holiday season. But the damage could have been worse, because the human resources system contains a host of personally-identifiable information, including information on troop deployments and the history of individual service members.
“The security of our soldiers’ personal information is a top priority for the Army Reserve,” says Lt. Col. Tad Fichtel, an Army Reserve spokesman, said in August. “As such, RLAS is housed on a restricted network that requires users to provide multiple levels of security validation. Additionally, all RLAS operators require access approval by a system administrator.”
Those protections couldn’t thwart a cleared defense contractor. The indictment accuses Das of “intentionally causing damage to a U.S. Army computer program by transmitting malicious information, code, and command on a protected computer.”
For congressional cybersecurity experts, the case evokes memories of National Security Agency leaker Edward Snowden using his post as a defense contractor to obtain a vast array of military secrets. “Two years after Edward Snowden we still have problems, potentially, with insider threats that we haven’t resolved,” a senior congressional aide said in August while discussing the RLAS breach.
