One year ago today the Department of Defense Inspector General (DoDIG) published a report to censure the military for the purchase of vulnerable Chinese computer equipment to the tune of $33 million. The report called out DoD management’s lack of accountability for cybersecurity and failure to communicate blacklisted products from Lexmark and Lenovo. It highlighted how such products from state-owned Chinese entities can potentially put Americans and America’s assets at risk when integrated into information networks. So what happened in 365 days? Nothing that’s public. What needs to happen? A cultural change.
The Audit of the DoD’s Management of the Cybersecurity Risks for Government Purchase Card Purchases of Commercial Off-the-Shelf Items describes $32.8 million in purchases of vulnerable and insecure computer equipment by the US Army and Air Force in 2018. The report was described in ZDNet’s The scariest hacks and vulnerabilities of 2019 as a “window in the US’ biggest national security problem right now — which is supply chain attacks.” Indeed, the presence of Chinese-made equipment in US military networks takes on even greater concern amidst the pandemic, as fears grow that China could attack, surveil, or sabotage network infrastructure via equipment manufactured by its state-owned entities like Huawei. In May this year, DoD warned employees of the cyber risks of working from home, including the dangers of accessing sensitive applications and data over remote networks with vulnerable devices. The IG launched a subsequent audit to determine whether DoD maintains network protections during the pandemic. Many of DoD’s more than 1 million employees could be using vulnerable laptops when working from home on insecure Wi-Fi networks.
The 2019 report reflects the IG’s audit of DoD cybersecurity processes and policy as required by Congress. The report highlighted the purchase of 8,000 Lexmark printers and 195 Lenovo laptops by the Army, and 1,378 Lenovo laptops by the Air Force. Products from these firms are restricted for military use because of their corporate ownership by the Chinese government. The United States China Commission (USCC), a bipartisan Congressional outfit, described Lenovo in 2009 as one of China’s national champions on the order of Huawei and part of China’s techno-nationalist strategy to promote the country abroad while earning hard currency to fund the country’s military projects. A related USCC report highlighted the firms for supply chain risk.
In 2006, the State Department banned Lenovo products because of espionage concerns, and the Department of Homeland Security banned them thereafter because of pre-installed spyware on the devices. In 2016 the Joint Chiefs of Staff Intelligence Directorate warned that handheld Lenovo devices could introduce compromised hardware into the DoD supply chain. More recently, the Air Force was approved to pass a $378 million tab on to taxpayers for ripping and replacing the server that runs America’s Global Positioning System (GPS), lest it come under a Lenovo contract and potentially become accessible to the Chinese government.
The IG observed that DoD agencies have repeatedly ignored previous cybersecurity alerts. For example, the restricted Lexmark and Lenovo products were still shown in internal intranet product catalogs. The IG says that DoD management failed both to assign responsibility for cybersecurity measures and to compile a list of approved products, which would deter the purchase of vulnerable items.
Responding to an email about the status of implementing the IG’s recommendations from the report, Dwrena K. Allen, Spokesperson for the DoD Office of Inspector General, noted, “The Under Secretary of Defense for Acquisition and Sustainment and the DoD Chief Information Officer continue to work on revising guidance to meet the intent of our recommendations to ensure that the risks associated with the purchase of information technology commercial-off-the-shelf items are adequately identified, assessed, and mitigated. We will continue to coordinate with the DoD to ensure that the guidance is revised so we can close the recommendations.”
Wisconsin Congressman Mike Gallagher and I discussed the DoDIG report and issued a press release titled “The Pentagon’s Risky Business.” Rep. Gallagher, Co-Chair of the bipartisan Cyberspace Solarium Commission, observed, “This report is just the latest warning that our government is not taking cybersecurity as seriously as it should. Equipment sold by state-directed Chinese technology companies poses a serious threat to our security, and it’s critical we act to both mitigate the vulnerabilities in our defense supply chain and prohibit the purchase of these high-risk technologies.”
I applaud the efforts of the Office of the Inspector General, which has sought to bring oversight, transparency, and accountability to DoD, a multi-trillion dollar behemoth. The DoDIG’s 2020 Compendium notes 1,602 open recommendations from the recent period, which if implemented promise to improve performance, productivity, and savings. Indeed, the Office completed the first financial audit of DoD in 2018. While the IG found no instances of financial fraud, the processes for information technology were lacking. The challenge of implementing cybersecurity at DoD is not one of money or technology, but one of culture. This is the assessment of Congress’ General Accountability Office (GAO), which notes in Cybersecurity: DOD Needs to Take Decisive Actions to Improve Cyber Hygiene that DoD, despite having the time and budget, has failed to implement its own cyber initiatives because of a lack of discipline and awareness.