Security fears scuttle deals

The collapse of a deal to sell a Columbia software maker to an Israeli company signals a sharp shift in sentiment against foreign ownership of any assets that could possibly have national security implications, experts said yesterday.

Israel-based Check Point Software Technologies Ltd. bowed out Thursday from its plans to buy the local Sourcefire Inc., a maker of network security technology that is used by a variety of customers, including federal intelligence agencies. The announcement came the same day that a federal panel of 12 government bodies was set to conclude an investigation into the $225 million deal.


The scuttled sale is "just the tip of the iceberg" in the new political climate created by the uproar over the Dubai ports deal, said John Rollins, former chief of staff for intelligence at the Homeland Security Department.

"You can make the case on almost any foreign ownership issue that there is a national security nexus," said Rollins, who is now a terrorism and foreign affairs specialist with the Congressional Research Service, the nonpartisan research arm of Congress.


A federal law enforcement source who spoke on condition of anonymity said yesterday that the FBI feared that the sale would give a foreign entity crucial information about where the government's systems are - and aren't - secure. If Check Point had control of the software, it would have been able to "understand what the vulnerabilities would be and therefore be able to exploit them," the official said.

But the U.S. technology industry has sent so much work offshore that a great deal of software used by the government is coded and supported outside the United States, particularly in India, Rollins said. Such arrangements are going unscrutinized, Rollins said.

Sourcefire chief executive Wayne Jackson said yesterday that he had been operating since the deal was struck in October on the assumption that - for whatever reason - it might not be consummated.

"We're emerging from this disappointed, given our hard work associated with the transaction, but gratified that the company's in as good a position as it is," said Jackson, who reported this week that the privately held Sourcefire became profitable last year and increased revenues more than 70 percent. "You can expect that we will continue to be very aggressive."

It's "absolutely a possibility" that Sourcefire will look to acquire rather than be acquired, Jackson said.

Jeffrey W. Englander, an independent analyst who follows the information security industry, said an initial public offering is another possibility this year.

Sourcefire manages an open-source intrusion protection system called Snort and sells software designed to work with that technology, further bolstering network security.

The code for open-source technology is free and available for anyone to see.


About 13 percent of Sourcefire's revenue comes from the government, though it says that what it sells to federal agencies is identical to the products it sells to everyone else.

William Lucyshyn, an information security expert who is director of research at the Center for Public Policy and Private Enterprise at the University of Maryland, College Park, said Snort is widely used inside and outside government.

"Sourcefire is one of the technical leaders in intrusion detection systems," he said.

Federal agencies could have conceivably swapped the Sourcefire software for another company's, but the law enforcement source said that would come at "great cost" because it is so integrated into government computer systems.

Still, the national security implications of a Sourcefire sale seem dubious to some technology experts - particularly a sale to Check Point, which provides firewall protection to a wide swath of corporate America.

Any tech employee, American or otherwise, could try to develop software with malicious code such as "back door" points of entry into a network, the technology experts said.


"If you're afraid of 'back doors,' you better be testing all your software," said John Pescatore, a vice president for Internet security at Gartner Inc., an information technology research and analysis company.

If malicious code were inserted in Microsoft Corp.'s ubiquitous Windows software, it would probably cause more problems than compromised network security software could, added Doug Jacobson, an associate professor at Iowa State University whose specialty is network security.

If Sourcefire's intrusion detection technology didn't work properly, "it'd be like spray-painting over the camera watching over the entrance to the bank," he said. "You still got to break into the bank."

Sourcefire's investors, who include the state of Maryland, stood to make millions if the deal had gone through.

The Maryland Venture Fund funneled $550,000 into Sourcefire in 2002 and was expecting a payout of about $4 million - seven times its investment. At the time the deal was announced, fund manager Elizabeth Good said her team was "absolutely ecstatic."

Yesterday, her mood was more sedate.


"I guess we're not surprised by the breakup because the investigation was going on for so long and the deal was held up for a number of months," said Good, who added that the investigation itself wasn't a shock. "In today's climate, every deal that involves security and foreign companies is getting a high degree of scrutiny."

She said Sourcefire remained a good investment.

"We're still confident that we'll eventually see a good exit. The company is doing very well and will either find another buyer or they'll go public," she said.

Check Point's future is less certain, said Mark Kominsky, chief executive of Bluefire Security Technologies Inc., a Baltimore company that makes security systems to protect hand-held mobile devices.

The Israeli company is among the largest and best-known security businesses outside the United States, but Kominsky said the breakup and the attention paid to the deal have likely quashed "any acquisitions Check Point is going to be able to make in the U.S."

Check Point's stock closed yesterday down $1.02, or 4.9 percent, settling at $20 on the Nasdaq stock market.


The Committee on Foreign Investment in the United States, the panel of 12 government bodies that was examining the sale, has rarely moved for a full investigation. Of the 1,600 deals it's reviewed, only about two dozen were investigated.

It's not unusual for the panel to set restrictions or requirements on sales to settle national security concerns, but in this case the negotiations proved fruitless - though it's not clear whether the committee refused all offers by Check Point and Sourcefire or whether the companies didn't like what it suggested.

The Treasury Department, which chairs the committee, said yesterday that it could not comment on such details. Both Sourcefire and Check Point said the same.

Ultimately, the president has the power to kill a deal that is investigated and shown to be problematic. Only once - in 1990 - has that happened.

The secretive committee, known as CFIUS, has been under intense scrutiny in recent weeks after routinely approving a sale in which Dubai Ports World would have managed some port operations in Baltimore and elsewhere in the United States.

The government-owned United Arab Emirates company pulled out after a public and political firestorm.


Patrick Mulloy, a CFIUS critic who is a commissioner on the U.S.-China Economic and Security Review Commission, said the Sourcefire case shows the need for reforms.

Congress and the public have no idea why a deal was - or wasn't - approved unless it works its way to the president's desk, he said.

"You need more transparency," Mulloy said. "That's a problem here, and I think this case reveals it."

Sen. Richard C. Shelby, chairman of the Banking, Housing and Urban Affairs Committee, which oversees CFIUS, plans to introduce legislation next week that addresses such concerns, his spokesman said.

"Until there is reform, we're going to continually have questions about these deals moving forward," said Andrew Gray, spokesman for the Republican from Alabama.

As for the companies with the recent deal that didn't move forward, Sourcefire said it was a Check Point business partner before they sought to merge, and they planned to continue that relationship. It's almost as if the last few months never happened - though Sourcefire's CEO could hardly forget them.


"It was a crash course in civics for sure," Jackson said.