Pentagon Buys Equipment With Known Vulnerabilities: AuditReport Also Highlights Cybersecurity Concerns About Use of Equipment Made in China
Despite national security concerns, the U.S. Department of Defense has purchased thousands of computers, printers and security cameras, as well as networking equipment, that contained known cybersecurity vulnerabilities, according to an audit conducted by the Office of the Inspector General.
The audit, which was released with redactions this week, also shows that the Army and Air Force bought off-the-shelf IT equipment made by companies in China that have strong ties to that country's government and the military. The questionable equipment includes Lenovo computers, Lexmark printers and GoPro security cameras.
The Pentagon also bought gear from Hangzhou Hikvision Digital Technology Company and Dahua Technology Company despite a 2017 State Department warning about cybersecurity and cyberespionage connected to those two Chinese firms, the audit report notes.
When Congress approved the Defense Department's 2019 fiscal budget, lawmakers included a provision that banned the Pentagon from buying video surveillance and internet of things devices from Hangzhou, Dahua and other companies based in China (see: Review Shows Glaring Flaws In Xiongmai IoT Devices).
The Army and Air Force spent over $38 million in fiscal 2018 on IT equipment that had known cybersecurity vulnerabilities, according to the audit, which was conducted between May 2018 and May 2019.
"As a result, adversaries could exploit known cybersecurity vulnerabilities that exist in COTS [commercial off-the-shelf] items purchased by the DoD," according to the audit. "If the DoD continues to purchase and use COTS information technology items without identifying, assessing and mitigating the known vulnerabilities associated with COTS information technology items, missions critical to national security could be compromised."
The Pentagon offered a mixed reaction to the audit, and some comments by high ranking Defense Department officials are blacked out in the report.
Supply Chain Concerns
Since the 1990s, the Defense Department has relied on off-the-shelf commercial components as it built its IT infrastructure, according to the audit. In addition, lawmakers have steadily made it easier, and faster, for the Pentagon to buy commercial gear and equipment.
The Pentagon has bought commercial sensors to help improve energy efficiency in various buildings it manages, the report notes. Another example is the F-35 Joint Strike Fighter, a newly deployed fighter plane that uses commercially available connected devices to collect data to improve the pilot's performance.
This reliance on less expensive and easier-to-deploy commercial components has also made the Defense Department more vulnerable to attacks as well as espionage by foreign countries, according to the report. The audit notes that the global IT supply chain is notorious for weak security that can give attackers a way to exploit cybersecurity vulnerabilities.
"According to the Committee on National Security Systems, adversaries and malicious actors use the supply chain to introduce cybersecurity vulnerabilities into DoD weapon systems and information technology networks that use COTS information technology products," the report notes.
Despite these warnings, the Defense Department continued to buy equipment from various suppliers. For example, in 2018, the Army and Air Force bought 8,000 Lexmark printers for over $30 million. These purchases happened despite a Congressional report that found Lexmark has "connections to Chinese military, nuclear and cyberespionage programs," according to the audit.
In addition, the inspector general's report found that the National Vulnerabilities Database lists 20 vulnerabilities in Lexmark printers, including storing and transmitting access credentials in plain text. This makes the printers susceptible to malware as well as remote code execution, which can lead to distributed denial of service attack on a network or give hackers access to other systems, the audit finds.
There are other concerns over vulnerabilities and weaknesses in GoPro cameras and Lenovo PCs, the audit notes.
While no commercial equipment is totally secure, especially as the global supply chain continues to grow in complexity, organizations such as the Defense Department can reduce some of these concerns by better understanding the risk involved, says Steve Durbin, the managing director of the Information Security Forum.
"What is important is to assess the level of risk that is acceptable and understand how to secure your critical assets against those risks to a level that is in line with your agreed security risk posture," Durbin tells Information Security Media Group. "This will be something that becomes increasingly important to do as we operate with extended supply chains and products are manufactured in a number of different locations globally before being assembled."
The inspector general found several reasons why the Defense Department continued to buy equipment with either known vulnerabilities or from companies with ties to the Chinese government and military. These include the lack of a dedicated organization to manage the security risks of buying commercial IT products and the lack of a list of what gear passed muster when it comes to cybersecurity and thus could be purchased.
The report offers recommendations for how the Defense Department could develop better polices regarding the purchasing of commercial IT equipment.
For example, it suggests the Secretary of Defense create an organization within the Pentagon to evaluate risks within commercial gear as well as third-party supply chain relationships. This organization would need to "develop a risk-based approach to prioritize COTS items for further evaluation, a process to test high-risk COTS items, and a process to prohibit the purchase and use of high-risk COTS items, when necessary, until mitigation strategies can limit the risk to an acceptable level," according to the audit.
The audit also recommends that the Pentagon's CIO update policies regarding supply chains. And it states that additional actions from Congress might be needed to expand the list of devices that the Defense Department is banned from purchasing.
It's difficult to ascertain what some of the more higher ranking Defense Department officials thought of the report and its recommendations, because their comments are blacked out in the audit. The report, however, notes that some officials, including the under secretary of defense for acquisition and sustainment, agreed there was a need to update risk policies.