Pentagon workers bought thousands of Chinese-made electronics vulnerable to hacks and spying


WASHINGTON — Defense Department employees have procured thousands of printers, cameras and computers that carry known cybersecurity risks, and the practice may be continuing, according to an audit released Tuesday by the Pentagon's inspector general.

More than 9,000 commercially available information technology products bought in fiscal 2018 could be used to spy on or hack U.S. military personnel and facilities, the report said. Without fixing oversight of such purchases, more risks lie ahead, potentially including perils for top-dollar weapons that use such "commercial-off-the-shelf" or COTS devices.


The auditors also wrote that the Pentagon has a pattern of buying products from companies such as Huawei, ZTE or Kaspersky Lab long after other federal agencies have identified the companies as posing cybersecurity risks and right up until the point that Congress outlaws purchases from the companies.

What's more, the report said the department's list of approved commercial products still includes some that can pose cyberrisks, including computers made by Lenovo Group, China's largest computer manufacturer, whose products contain cyberespionage hardware and software, according to U.S. authorities.

"If the DoD continues to purchase and use COTS information technology items without identifying, assessing, and mitigating the known vulnerabilities associated with COTS information technology items, missions critical to national security could be compromised," said the declassified and formerly secret report, which remains partially redacted.

The Pentagon did not immediately reply to a request for comment.

The report is a window into part of a larger, well-documented Defense Department problem with cybersecurity that includes a history of harmful hacks that have led to the loss of vital military information and the continued vulnerability of numerous U.S. military computer systems.

The new audit showed, for example, that Army and Air Force personnel spent at least $33 million in fiscal 2018 on suspect products.

In particular:

  • They procured over 8,000 printers from Lexmark, which has ties to China's security agencies. The printers could have launched denial of service attacks or conducted cyberespionage, the report said.
  • Army and Air Force personnel also purchased 117 GoPro cameras that could access network credentials or video streams and even "take pictures without the user's knowledge."
  • Even though multiple government agencies have reported since 2006 that computers made by China's Lenovo pose cyberespionage risks, Air Force personnel bought 1,378 Lenovo products in fiscal 2018 and the Army bought 195.

As a result of these purchases, the audit said, "the DoD increased its risk that adversaries could exploit known cybersecurity risks."

Military personnel buy commercial products either by using government credit cards or traditional acquisition methods.

The special credit cards may be used for certain items with a value at or below $10,000. Congress has streamlined the process for using the cards and has increased the dollar threshold.

The use of the cards is growing as a result, and so too are the kinds of potentially risky information technology devices that can be procured, the auditors said.

At issue are not just ordinary office products but also systems that connect to high-tech weapons. Even F-35 fighter jets use commercially available "internet of things" products to improve pilots' so-called situational awareness, the report said.

The auditors recommended that the Pentagon take a number of steps to improve the situation.

These include creating a process for identifying, testing and weeding out high-risk commercial products.

Defense Department officials' responses to the audit are included in the report but are blacked out.

Regardless, the audit indicates that the Pentagon "did not address the specifics" of the recommendation for creating a special review process for commercial purchases. As a result, that proposal remains "unresolved."

The Pentagon lacks the proper policy and training to deal with the growing problem of risky purchases of commercial IT products, the audit found. Ellen Lord, the Pentagon acquisition chief, concurred with that recommendation, the report said.

———

©2019 CQ-Roll Call, Inc., All Rights Reserved. Distributed by Tribune Content Agency, LLC.
