The federal contractor running three governmentwide websites, including FedBizOpps.gov, is under investigation by the FBI for allegedly trying to access without permission websites of their competitors in the education sector.
The Eastern District Court of Virginia in Alexandria issued a search warrant March 5 to the FBI. The FBI conducted the search before March 19 of Symplicity Corporation’s offices in Arlington, Va.
The FBI stated in its request to the judge for the search warrant that a witness alleges Symplicity tried on several occasions since 2009 to access the networks of its competitors, Maxient LLC of Charlottesville, Va., and Pave Systems of Richardson, Texas. Both Maxient and Pave Systems offer software to colleges and universities, and neither have done any federal business in fiscal 2012, according to USASpending.gov.
“On Nov. 4, 2011, a cooperating witness who formerly had been employed by Symplicity for approximately five years provided information to the FBI concerning the conduct of Ariel Friedler, the Chief Executive Officer of Symplicity. According to the [witness], Ariel Friedler showed the [witness] how to connect to Maxient’s website and to look for specific customers by putting in Maxient’s main URL, , followed by a question mark and a school abbreviation,” the search warrant obtained by Federal News Radio stated. “Friedler told the [witness] that this was how Friedler checked for new customers on Maxient’s website. The [witness] stated that every time Friedler found a new customer on Maxient’s website, Friedler would send an instant message or email to the [witness] about it. The [witness] also stated that Friedler discussed using anonymizers and The Onion Router to hide Friedler’s activity when Friedler was looking at competitor’s networks and that Friedler was very interested in using these technologies.”
The Onion Router Project is intended to enable online anonymity on the Internet.
Suspension a possibility
Symplicity, which is in the Small Business Administration’s 8(a) program, won more than $30 million in contracts so far in 2012 from a variety of agencies, according to USASpending.gov. More than half of their contracts and dollars came from the General Services Administration for providing services and running FedBizOpps.gov, the Electronic Subcontracting Reporting System and the Catalog of Federal Domestic Assistance. It also won $4.4 million in contracts from the Executive Office of the President and $3.2 million from the Veterans Affairs Department.
While the FBI’s search warrant doesn’t put any of Simplicity’s current contracts at risk, the vendor could face suspension or proposed debarment on future federal contracts based on the issuance of the search warrant, said Bill Shook, a procurement attorney with Government Contracts Attorneys.
Under the FAR, an agency could suspend a contractor for the “commission of any other offense indicating a lack of business integrity or business honesty that seriously and directly affects the present responsibility of a government contractor or subcontractor.”
Shook said suspension or debarment based only on the warrant is unlikely, but if Symplicity is indicted, then suspension would surely follow.
GSA spokesman Adam Ellington said the agency is “unable to comment at this time” and referred all questions about the investigation to the FBI.
The FBI would not confirm or deny an investigation is ongoing or even took place.
But the search warrant explains in some detail the allegations against Symplicity.
Audit logs show attempted unauthorized accesses
In the search warrant, the FBI alleges someone using IP addresses assigned to Symplicity tried to access Maxient’s client log-in pages in May 2009. In 2010, Maxient’s audit logs showed someone using a Symplicity IP address again tried several times to log-in to their client pages, the bureau stated.
The search warrant also alleges several other attempts from IP addresses that either belonged to Symplicity or employees of Symplicity.
The FBI also alleges Symplicity used Structured Query Language (SQL) Injection attacks to get inside Maxient’s network.
“Based on my training and experience, I know that attempting to repeatedly submit malformed queries like the ones submitted to Maxient’s website from the Symplicity IP address is a method often used by hackers to attempt to gain unauthorized access to websites,” wrote Michael French, a FBI special agent who is in charge of the investigation.
The FBI also stated Friedler called the owner of Pave Systems, Ghasson Nino in 2010 with an offer to buy the company’s student conduct business. During the call, the search warrant stated, Nino said Friedler mentioned several clients by name even though such a list is confidential and not publicly available.
“The [witness] stated that several years ago Friedler provided the [witness] with a customer list that he said was from another Symplicity competitor, Pave Systems,” the search warrant stated. “Friedler told the [witness] at the time that Pave Systems had no security on their network which made it easy for Friedler to get the list.”
Friedler vehemently denies the allegations.
“Over the past few months, information has been made public by some of our competitors, which deals with a preliminary investigation related to the higher education sector. We believe the legal process should be allowed to run its course, and in deference to the authorities, we cannot comment on the details of the investigation at this time,” Friedler said in a statement. “We understand that a copy of an affidavit related to the investigation has been circulated. It is important to understand that no one at Symplicity has been charged with any crime. The affidavit is nothing more than the government’s one-sided justification for conducting an investigation. It is not evidence of any wrongdoing nor is it admissible in court for that purpose. It would be unfair to draw any conclusions based upon the highly selective content of such an affidavit. We are fully cooperating with the authorities to help them find the answers necessary to resolve this issue as quickly as possible.”
Friedler added all of his clients’ systems are secure and the investigation is not impacting the company’s ability to meet their business goals.
Waiting on the FBI
Aaron Hark, director of product development and co-owner of Maxient, said they are aware of the ongoing FBI investigation.
“[I]t is our belief that the facts laid out by the government in its affidavit are true and accurate,” Hark said in an email to Federal News Radio. “And if that should be proven, we will only be dumbfounded as to why a large company and CEO that have been so clearly successful in so many different areas of the technology industry, would stoop to such tactics for a little extra advantage over a couple small businesses. Any comments regarding the status of the case would need to come from the FBI. We are not privy to the details or progress of their investigation.”
Pave Systems’ Nino said in an email to Federal News Radio, “Due to the ongoing investigation, we respectfully will not be able to provide details at this time.”
An industry source, who requested anonymity because of the sensitive nature of the investigation, said vendors are interested in this case because of the systems Symplicity runs.
“FedBizOpps has a bid submission capability,” the source said. “It isn’t used a lot, but this case begs the question of how secure is that capability. What safeguards are in place? How do we know the data coming through the firewalls are not being read by wrong people?”
Friedler said Symplicity always has had high ethics.
“I am confident that this matter will be resolved in the near future, and I look forward to being able to provide more information at that time,” he said. “All of our clients and stakeholders can rest assured that none of this will have any impact on our product deliveries, our systems or our customer service.”
Search warrant instead of grand jury
John Irving, senior counsel with Holland and Knight and a former Justice Department attorney for 10 years, said the FBI, by asking for a search warrant, doesn’t trust Symplicity not to destroy records.
Irving, who has not reviewed the case and could only comment generally on the what it means typically when the government asks for a search warrant, said DoJ has two paths; a grand jury or a search warrant to collect evidence about a potential crime.
“The search warrant strongly suggests to me that the government doesn’t trust the company to provide records pursuant to a grand jury subpoena and the government has made the decision it is going to go and obtain those records itself and not trust the company to assist in that process. It also means that the government has made the decision that it is worth applying to a court for the search warrant and that is comfortable that it will be able to prove to the court that there is probable cause to believe that the records that the government seeks are in the location that the search warrant is written for.”
Irving said the standard of probable cause is not high as compared to proof beyond reasonable doubt necessary in a criminal case.
“The disadvantage of a search warrant for the government is that it now has a high volume of information, especially electronic records, that it now needs to sort through and investigate, come up with investigative leads and determine who it needs to talk to,” he said. “The government may or may not have a grand jury open at the same time, but I suspect that they would. The government could be expected to approach witnesses and interview them and probably also to subpoena witnesses to testify before the grand jury.”
Irving said there is no specific timetable an investigation such as this is limited to and the FBI tends not to tell the companies involved if they are cleared of any wrongdoing.