The procurements, which could expose the department and its contractors to espionage and cyberattacks, highlight significant gaps in the Pentagon’s supply chain security policies.
The Pentagon last year purchased thousands of Chinese tech products that contained known cybersecurity vulnerabilities, and officials have yet to enact policies to stop it from happening again, an internal watchdog found.
In 2018, the department bought more than 9,500 commercial printers, computers and cameras despite warnings that adversaries could use the products to infiltrate networks and spy on personnel, according to an inspector general audit. The procurements, which totaled roughly $33 million, expose significant shortcomings in the department’s supply chain security policies that persist to this day, auditors said in a redacted report published Tuesday.
Specifically, the Army and Air Force purchased more than 8,000 printers from Lexmark and 1,500 computers from Lenovo, two Chinese companies that national security officials previously linked to the Communist Party’s espionage operations.
The Lexmark printers contained multiple vulnerabilities that could allow bad actors to infiltrate Pentagon networks and launch attacks against military contractors, auditors said, and national security officials have repeatedly flagged Lenovo products as threats. The State Department banned Lenovo computers on its classified networks in 2006, and both the Homeland Security Department and Joint Chiefs of Staff have warned the company’s tech contains spyware and other vulnerabilities, the IG said.
According to the report, the services also bought more than 100 GoPro cameras that contained known cybersecurity weaknesses.
“If the [department] continues to purchase and use [commercial IT] items without identifying, assessing and mitigating the known vulnerabilities … missions critical to national security could be compromised,” auditors said.
Commercial off-the-shelf technologies offer the government a cheap and efficient way to improve its IT infrastructure, but as agencies rely more on commercial tech, they’re also taking on more potential risks. Unless agencies take steps to lock down their supply chain and prioritize security-minded vendors, the government could find itself buying products that are vulnerable to attack.
During the audit, the IG uncovered numerous weaknesses in the Pentagon’s supply chain security and cyber risk management practices that could leave the department vulnerable to digital attacks.
Officials didn’t put any central group in charge of managing cyber risks for the department’s commercial IT, and acquisition policies didn’t sufficiently address cyber vulnerabilities for specific commercial products, auditors said. Officials should also create more controls to prevent personnel from purchasing insecure IT, they said, and the department should remove technologies with known vulnerabilities from its list of approved products.
The IG made three recommendations to improve cybersecurity in Defense procurements, which included creating a clear process for testing and prohibiting “high-risk” commercial products. According to the report, the defense secretary had not yet agreed to stand up the product review procedures.
Historically, the Pentagon has been slow to cut ties with vendors that raise flags in other parts of the government. The department didn’t prohibit procurements from ZTE, Huawei and Kaspersky Lab until explicitly mandated by Congress, even though intelligence officials voiced concerns about the companies’ potential cyber risks years earlier, according to the IG. The department also continued to buy video surveillance equipment from two Chinese companies—Hikvision and Dahua Technology—for more than a year after the State Department warned they pose potential cyber risks, auditors said.
“The [department] banned these items in response to cybersecurity incidents or public exposure, not based on risks identified through a process,” they said, noting elsewhere in the report that the department should adapt its acquisition policies to “proactively assess and mitigate” risks.
The Defense Department declined to comment on the report.