New Pentagon report shows how restricted Chinese IT products routinely enter US military networks
Date: 2019-08-12   Author: Roslyn Layton   Source: American Enterprise Institute (United States)
A Department of Defense (DoD) Inspector General (IG) report released on July 30 found that more than 9,000 commercially available information technology products purchased in fiscal year 2018 — costing at least $32.8 million — could be used to spy on, surveil, or sabotage US military personnel and facilities. In contrast to traditional DoD processes for large acquisitions such as weapon systems, aircraft, and command and control systems, these purchases were made via Government Purchase Cards, which are intended to simplify procurement of items costing less than $10,000. However, just because the dollar amounts are small doesn’t mean that the risk is reduced, as the products in question have long been identified as security threats. Moreover, many of the most devastating cyber attacks, such as those against Target, Equifax, and the Office of Personnel Management, were instigated at low levels of approval and control, frequently via contractors or commercial off-the-shelf (COTS) devices. The report warns that “if the DoD continues to purchase and use COTS information technology items without identifying, assessing, and mitigating the known vulnerabilities associated with COTS information technology items, missions critical to national security could be compromised.” While it is not clear whether it’s discussed in the redacted report, the issue could be that contractors or others with purchasing cards are not up to speed on the vulnerabilities.

Ignoring previous warnings

The IG audit shows that the US Army and Air Force purchased thousands of products already flagged as security risks. They include over 8,000 printers from Lexmark, a company the report notes has “connections to Chinese military, nuclear, and cyberespionage programs. The National Vulnerability Database lists 20 cybersecurity vulnerabilities for Lexmark, including storing and transmitting sensitive network access credentials in plain text and allowing the execution of malicious code on the printer. These vulnerabilities could allow remote attackers to use a connected Lexmark printer to conduct cyberespionage or launch a denial of service attack on a DoD network.” The report further highlights the purchase of 117 GoPro action cameras with “vulnerabilities that could allow a remote attacker access to the stored network credentials and live video streams. By exploiting these vulnerabilities, a malicious actor could view the video stream, start recording, or take pictures without the user’s knowledge.” The report also notes the purchase of 1,573 Lenovo laptops. Lenovo products have been banned, investigated, or deemed vulnerable by the State Department in 2006, the Department of Homeland Security in 2015, the Joint Chiefs of Staff Intelligence Directorate in 2016, and the DoD Information Network in 2018.

Four critical issues outstanding

The IG highlighted four crucial issues: DoD officials responded to these issues, but the IG found most of their answers inadequate. The officials now have until August 26, 2019, to provide further explanation.

Congress must demand answers and action

The IG report characterizes Lenovo, GoPro, and Lexmark products as “known cybersecurity risks.” Considering the clear risk, why are they not already banned? The IG report identifies several examples of the federal government not taking action on its own warnings. Why does it take so long to restrict malicious manufacturers? In 2012, the House Permanent Select Committee on Intelligence issued a report recommending that government systems and contractors not use Huawei or ZTE telecommunications equipment in their systems. Yet the DoD ignored these findings for five years, until Congress finally prohibited purchasing products from those manufacturers in 2017. Why don’t authorities ban products based on intelligence rather than on publicity? The IG report notes that the DoD eventually banned some suspicious manufacturers “in response to cybersecurity incidents or public exposure, not based on risks.” In four of nine COTS manufacturer bans, Congress acted before the DoD, despite armed services secretaries having the authority to do so. It would seem that the DoD, with its national security responsibilities, should lead by example, but in this case Congress has to push it to ensure basic low-level security.

Thankfully, lawmakers are paying attention. Senators Mike Crapo (R-ID) and Mark Warner (D-VA) introduced a bill that would create an agency dedicated to supply chain testing. While this is laudable, effective communication is needed to stop the purchase of restricted products. Building on the groundwork of the White House and the Department of Commerce, Sens. Marco Rubio (R-FL), Richard Blumenthal (D-CT), and Tom Cotton (R-AK) have proposed strengthening restrictions and prohibiting retaliatory abuse by Huawei, measures which could be extended to other dangerous firms. These are elements of the “whole of government” approach needed to address technological threats from firms associated with the Chinese government and military.

A report has found that the Department of Defense has purchased thousands of insecure devices, creating major national security risks. Congress must demand answers and action.
