Pentagon workers bought thousands of Chinese-made electronics vulnerable to hacks and spying


WASHINGTON — Defense Department employees have procured thousands of printers, cameras and computers that carry known cybersecurity risks, and the practice may be continuing, according to an audit released Tuesday by the Pentagon's inspector general.

More than 9,000 commercially available information technology products bought in fiscal 2018 could be used to spy on or hack U.S. military personnel and facilities, the report said. Without fixing oversight of such purchases, more risks lie ahead, potentially including perils for top-dollar weapons that use such "commercial-off-the-shelf" or COTS devices.


The auditors also wrote that the Pentagon has a pattern of buying products from companies such as Huawei, ZTE or Kaspersky Lab long after other federal agencies have identified the companies as posing cybersecurity risks and right up until the point that Congress outlaws purchases from the companies.

What's more, the report said the department's list of approved commercial products still includes some that can pose cyberrisks, including computers made by Lenovo Group, China's largest computer manufacturer, whose products contain cyberespionage hardware and software, according to U.S. authorities.

"If the DoD continues to purchase and use COTS information technology items without identifying, assessing, and mitigating the known vulnerabilities associated with COTS information technology items, missions critical to national security could be compromised," said the declassified and formerly secret report, which remains partially redacted.

The Pentagon did not immediately reply to a request for comment.

The report is a window into part of a larger, well-documented Defense Department problem with cybersecurity that includes a history of harmful hacks that have led to the loss of vital military information and the continued vulnerability of numerous U.S. military computer systems.

The new audit showed, for example, that Army and Air Force personnel spent at least $33 million in fiscal 2018 on suspect products.

In particular:

  • They procured over 8,000 printers from Lexmark, which has ties to China's security agencies. The printers could have launched denial of service attacks or conducted cyberespionage, the report said.
  • Army and Air Force personnel also purchased 117 GoPro cameras that could access network credentials or video streams and even "take pictures without the user's knowledge."
  • Even though multiple government agencies have reported since 2006 that computers made by China's Lenovo pose cyberespionage risks, Air Force personnel bought 1,378 Lenovo products in fiscal 2018 and the Army bought 195.

As a result of these purchases, the audit said, "the DoD increased its risk that adversaries could exploit known cybersecurity risks."

Military personnel buy commercial products either by using government credit cards or traditional acquisition methods.

The special credit cards may be used for certain items with a value at or below $10,000. Congress has streamlined the process for using the cards and has increased the dollar threshold.

The use of the cards is growing as a result, and so too are the kinds of potentially risky information technology devices that can be procured, the auditors said.

At issue are not just ordinary office products but also systems that connect to high-tech weapons. Even F-35 fighter jets use commercially available "internet of things" products to improve pilots' so-called situational awareness, the report said.

The auditors recommended that the Pentagon take a number of steps to improve the situation.

These include creating a process for identifying, testing and weeding out high-risk commercial products.

Defense Department officials' responses to the audit are included in the report but are blacked out.

Regardless, the audit indicates that the Pentagon "did not address the specifics" of the recommendation for creating a special review process for commercial purchases. As a result, that proposal remains "unresolved."

The Pentagon lacks the proper policy and training to deal with the growing problem of risky purchases of commercial IT products, the audit found. Ellen Lord, the Pentagon acquisition chief, concurred with that recommendation, the report said.

———

©2019 CQ-Roll Call, Inc., All Rights Reserved. Distributed by Tribune Content Agency, LLC.
