Pentagon workers bought thousands of Chinese-made electronics vulnerable to hacks and spying


WASHINGTON — Defense Department employees have procured thousands of printers, cameras and computers that carry known cybersecurity risks, and the practice may be continuing, according to an audit released Tuesday by the Pentagon's inspector general.

More than 9,000 commercially available information technology products bought in fiscal 2018 could be used to spy on or hack U.S. military personnel and facilities, the report said. Without fixing oversight of such purchases, more risks lie ahead, potentially including perils for top-dollar weapons that use such "commercial-off-the-shelf" or COTS devices.


The auditors also wrote that the Pentagon has a pattern of buying products from companies such as Huawei, ZTE or Kaspersky Lab long after other federal agencies have identified the companies as posing cybersecurity risks and right up until the point that Congress outlaws purchases from the companies.

What's more, the report said the department's list of approved commercial products still includes some that can pose cyberrisks, including computers made by Lenovo Group, China's largest computer manufacturer, whose products contain cyberespionage hardware and software, according to U.S. authorities.

"If the DoD continues to purchase and use COTS information technology items without identifying, assessing, and mitigating the known vulnerabilities associated with COTS information technology items, missions critical to national security could be compromised," said the declassified and formerly secret report, which remains partially redacted.

The Pentagon did not immediately reply to a request for comment.

The report is a window into part of a larger, well-documented Defense Department problem with cybersecurity that includes a history of harmful hacks that have led to the loss of vital military information and the continued vulnerability of numerous U.S. military computer systems.

The new audit showed, for example, that Army and Air Force personnel spent at least $33 million in fiscal 2018 on suspect products.

In particular:

  • They procured over 8,000 printers from Lexmark, which has ties to China's security agencies. The printers could have launched denial of service attacks or conducted cyberespionage, the report said.
  • Army and Air Force personnel also purchased 117 GoPro cameras that could access network credentials or video streams and even "take pictures without the user's knowledge."
  • Even though multiple government agencies have reported since 2006 that computers made by China's Lenovo pose cyberespionage risks, Air Force personnel bought 1,378 Lenovo products in fiscal 2018 and the Army bought 195.

As a result of these purchases, the audit said, "the DoD increased its risk that adversaries could exploit known cybersecurity risks."

Military personnel buy commercial products either by using government credit cards or traditional acquisition methods.

The special credit cards may be used for certain items with a value at or below $10,000. Congress has streamlined the process for using the cards and has increased the dollar threshold.

The use of the cards is growing as a result, and so too are the kinds of potentially risky information technology devices that can be procured, the auditors said.

At issue are not just ordinary office products but also systems that connect to high-tech weapons. Even F-35 fighter jets use commercially available "internet of things" products to improve pilots' so-called situational awareness, the report said.

The auditors recommended that the Pentagon take a number of steps to improve the situation.

These include creating a process for identifying, testing and weeding out high-risk commercial products.

Defense Department officials' responses to the audit are included in the report but are blacked out.

Regardless, the audit indicates that the Pentagon "did not address the specifics" of the recommendation for creating a special review process for commercial purchases. As a result, that proposal remains "unresolved."

The Pentagon lacks the proper policy and training to deal with the growing problem of risky purchases of commercial IT products, the audit found. Ellen Lord, the Pentagon acquisition chief, concurred with that recommendation, the report said.

———

©2019 CQ-Roll Call, Inc., All Rights Reserved. Distributed by Tribune Content Agency, LLC.
