U.S. Military Spends Millions On Dangerous Chinese Tech With Known Cyber Risks
By Zak Doffman
Despite cybersecurity concerns that U.S. Department of Defense strategists have admitted “keep them awake at night,” a review by the U.S. military’s Inspector General has found that significant purchases of “COTS information technology items with known cybersecurity risks” were made last year. It is estimated that “70 to 80 percent of the components that comprise DOD systems are COTS items.”
The heavily redacted IG report highlights “at least” $33 million of Government Procurement Card purchases of equipment from the likes of Lenovo, Lexmark and GoPro. As a result, it warns, “adversaries could exploit known cybersecurity vulnerabilities that exist in COTS items, and missions critical to national security could be compromised.”
The risks identified refer to “micro-purchases” of less than $10,000 an item. These do not go through the traditional defense acquisition process but are instead “fixed-price commercial supplies that do not require a cardholder to agree to any terms and conditions other than price and delivery.” From a cybersecurity perspective, of course, the risk is that these endpoints carry vulnerabilities that are already known, yet they are never scrutinized the way a larger acquisition would be.
Of more concern than printers and ruggedized cameras will be the finding that banned Chinese surveillance equipment was purchased by DOD last year. “Despite the Department of State issuing a warning in May 2017 against using Hikvision and Dahua video surveillance equipment, citing cyberespionage concerns from China,” the IG report finds, “DOD continued to purchase and use these COTS items to monitor installation security until Congress banned the Government from using them in August 2018.”
The example of Lexmark printers is also highlighted in the report. At least 8,000 were purchased last year for Army and Air Force networks, despite a Congressional report on supply chain vulnerabilities from China warning that “Lexmark is a company with connections to the Chinese military, nuclear, and cyber espionage programs.” Known vulnerabilities include the execution of malicious code on the printer itself, as well as the use of a connected Lexmark printer as a conduit through which to “conduct cyberespionage or launch a denial of service attack on a DOD network.”
The report questions why the DOD “has not banned the purchase and use of Lenovo products despite known cybersecurity risks.” Lenovo is a Chinese “champion” in its field, in the same way as Huawei is for networks and smartphones. The report highlights the “multiple warnings” issued by Congress, DHS and other Government agencies “about the cybersecurity risks of using Lenovo products,” citing that “in 2006, the State Department banned the use of Lenovo computers on their classified networks after reports that Lenovo computers were manufactured with hidden hardware or software used for cyberespionage.”
Despite U.S. government warnings dating back to 2006, it was only last year that the DOD instigated its own operational risk assessment of Lenovo products. “In the meantime, the Army purchased another 195 Lenovo products, totaling just under $268,000, and the Air Force purchased 1,378 Lenovo products for $1.9 million in FY 2018.”
The theme is the same with other COTS products: vulnerabilities within the device itself matter less than the risk that the device can be used as an access point into the network behind it. Last week I reported that the world’s most widely used operating system across IoT devices—printers, routers, machinery, medical equipment—had similar vulnerabilities. It’s the same theme, albeit here it hits the highest-risk of targets. For Chinese endpoints to be connected to military networks is clearly high-risk.
Chinese cyberattacks on the DOD have been acknowledged since “Titan Rain” came to light in 2005. This attack on U.S. and U.K. classified networks was ongoing from as early as 2003 until 2007 or later. “Titan Rain,” reported the Council on Foreign Relations, “was the first instance of state-sponsored espionage from China that was made public, triggering a decades-long effort by the U.S. government to reduce the breadth and scope of Chinese cyber operations against U.S. targets.”
And such attacks have not stopped since. “When people ask me what keeps you up at night,” Lt. Gen. Robert Ashley, the director of the Defense Intelligence Agency, told a cyber conference in Aspen last month, “that is kind of the thing that keeps me up at night.”
This year marks a turning point for cyber warfare. The catalyst is the Gulf, but Iran is a sideshow compared to the threat from China and Russia. And while sophisticated attacks on weapons systems and secure networks remain a real and present danger, the soft cyber underbelly is the mainstream COTS equipment made and bought in bulk. The risk to the U.S., and the West more widely, is that so much of this equipment is either made in China or contains Chinese componentry that it becomes hard to avoid. This IG report puts that risk front and center—if it’s this hard for the military to stay safe, the implications for broader industry are bleak.
The report recommends that the Secretary of Defense immediately implement “a risk-based approach to prioritize COTS items for further evaluation, a process to test high-risk COTS items, and a process to prohibit the purchase and use of high-risk COTS items—until mitigation strategies can limit the risk to an acceptable level.”