The Military Is Hiring a Rapid Cyber Response Team -- in Case Commissaries Get Hacked

Customers walk by the commissary at Fort Campbell, Ky. on June 13, 2012.

Customers walk by the commissary at Fort Campbell, Ky. on June 13, 2012. U.S. Army Photo by Sam Shore

Military base grocery stories are vulnerable to computer hackers, according to the Pentagon.

Updated April 11 with additional information from a Defense Commissary Agency spokesman.

Military base grocery stores are vulnerable to computer hackers, according to the Pentagon, which says it needs private cyber forensics investigators on call. If a payment system breach were to occur, the team would respond within an hour.

The Defense Commissary Agency, essentially a global quick mart and supermarket chain, is in the process of hiring "computer incident response services" for its 250 shops.

The agency, also called DeCA, is worried about joining the likes of, among other hacked chains, Supervalu, 7-Eleven and Chick-fil-A -- whose $5 billion annual sales rival the agency's.

"As a large retailer, DeCA is subject to computer security incidents," state Defense Department contracting documents.

The commissary is seeking emergency support for five years and will pay personnel for expenses such as time and materials, plus up to an additional $75,000 per breach for overtime work.

Situations that could occur include computer viruses, crippling "denial of service" network attacks and unauthorized changes to software or hardware, according to the statement.

The hired professionals would triage computer issues in the event of an actual or suspected attack "affecting the DOD or DeCA mission," the statement adds.

"Priority One" issues -- demanding availability within one hour – are, among other things, incidents involving payment cards or website defacements.

Digital graffiti is an annoyance that various Defense units have endured in the past.

For instance, the Syrian Electronic Army, a pro-Assad hacktivist group, took credit for vandalizing the U.S. Marine Corps and Army websites during separate incidents in recent years.

"Hate/threat email” or an "unescorted, unbadged person acting suspiciously” would also fall under the rapid response category, the statement says.

While the supermarket security contractors will not be dealing with classified secrets, they are required to be U.S. citizens, undergo a background investigation and sign a nondisclosure agreement to handle sensitive technical and personal information.

The professionals “shall advise and provide support with the proper incident handling procedures within 24 hours of contact," the work statement says.

Should the situation demand a formal digital forensics investigation, they would be responsible for analyzing the malware. Afterward, the team must produce a report detailing the cause of the attack and all response actions taken. The company also would assist with breach notification and recovery of operations.

The contractor must be a certified payment card industry forensic investigator.

Defense commissaries partly exist to help the men and women serving in the armed forces save money. The stores offer military members, their families and other authorized customers a discount rate, equal to the actual cost of the product plus five percent.

On Tuesday, Cyber Command chief Adm. Michael Rogers told the Senate Armed Services Committee an adversary had targeted infrastructure on military bases but did not provide specifics.

A spokesman for the commissary agency told Nextgov, "At this time, DeCA's infrastructure has not been breached."

In the fall of 2015, computer hackers reportedly hit up food and beverage joints operated by the department's Washington Headquarters Services. The bad guys compromised the bank account information of military employees who had paid for concessions with a credit or debit card at the Pentagon complex’s food court that time. The commissary agency's systems were not involved in that incident, the spokesman said.