US Department of Defense (DoD) employees bought more than $32.8 million worth of electronics with known security vulnerabilities in fiscal year 2018, according to a report the Pentagon's inspector general published last week.
These acquisitions were made by Army and Air Force employees using payment cards issued by the government for micro-purchases of under $10,000.
Based on these purchases, the DoD Inspector General concluded that the Army and Air Force are introducing vulnerable equipment into their networks that US adversaries could exploit.
The report singled out Lexmark printers, GoPro cameras, and Lenovo computers as examples of problematic products.
The Lexmark purchases
“Army and Air Force GPC [government purchase card] holders purchased over 8,000 Lexmark printers, totaling more than $30 million, for use on Army and Air Force networks,” the DOD Inspector General (DODIG) report said.
Purchasing printers from Lexmark was a big mistake, auditors said, citing a 2018 Congressional report on supply chain vulnerabilities that warned against using Lexmark devices, claiming the Chinese-owned company had connections to the Chinese military and to the country's nuclear and cyberespionage programs.
The DODIG also pointed out that Lexmark printers have been affected by more than 20 vulnerabilities in the past, "including storing and transmitting sensitive network access credentials in plain text and allowing the execution of malicious code on the printer."
“These vulnerabilities could allow remote attackers to use a connected Lexmark printer to conduct cyberespionage or launch a denial of service attack on a DoD network,” the DODIG said.
The GoPro purchases
The Army and Air Force also bought 117 GoPro action cameras worth nearly $98,000.
“However, the cameras have vulnerabilities that could allow a remote attacker access to the stored network credentials and live video streams,” auditors said.
“By exploiting these vulnerabilities, a malicious actor could view the video stream, start recording, or take pictures without the user’s knowledge.”
The Lenovo purchases
But the biggest issue was with Lenovo computers. Although these were not the most costly purchases, the DODIG highlighted several problems with buying Lenovo gear, chief among them the numerous security warnings the US government has already issued against using these devices.
For example, in 2006, the State Department banned the use of Lenovo computers on its classified networks after reports that Lenovo computers were manufactured with hidden hardware or software used for cyberespionage.
The DHS issued a similar warning in 2015 about Lenovo computers containing pre-installed spyware, along with various critical vulnerabilities.
In 2016, the Joint Chiefs of Staff Intelligence Directorate also issued its own alert about Lenovo, warning that handheld Lenovo devices could introduce compromised hardware into the DoD supply chain, creating a cyberespionage risk to classified and unclassified DoD networks.
However, despite all these past warnings, the Army bought 195 Lenovo products in 2018, totaling just under $268,000, and the Air Force purchased another 1,378 Lenovo products for $1.9 million.
DOD agencies are ignoring previous warnings
The report highlighted that DoD agencies have often ignored previous cybersecurity alerts when making these micro-purchases.
For example, the report stated that Lexmark printers were still available for purchase through the Navy Marine Corps Intranet COTS [commercial off-the-shelf] Catalog and had been certified for use on the Navy network as recently as February 2019, despite the US government's warning against using devices from this vendor.
The DODIG report blamed these issues on DoD management failures. Auditors said the DoD had not established an organization responsible for developing a strategy to manage the cybersecurity risks of COTS purchases, one that could also maintain a list of approved products for DoD staff to consult before buying.
Auditors noted that the DoD had tried to do this before, with the Office of the Under Secretary of Defense for Research and Engineering Joint Federated Assurance Center, but never granted it operational capability, so the body existed only on paper.
The DODIG report, titled "Audit of the DoD's Management of the Cybersecurity Risks for Government Purchase Card Purchases of Commercial Off-the-Shelf Items," is a window into what is arguably the biggest US national security problem right now: supply chain attacks.
The National Counterintelligence and Security Center (NCSC), part of the Office of the Director of National Intelligence, proclaimed April 2019 National Supply Chain Integrity Month, in an attempt to get government agencies and the private sector to review their supply chains and take note of equipment and software they buy from known US adversaries, such as China.
Earlier this week, two US senators also introduced a bipartisan bill, the Manufacturing, Investment, and Controls Review for Computer Hardware, Intellectual Property and Supply (MICROCHIPS) Act, which would create a federal body to test hardware and software entering the supply chain of the US military and other federal agencies.
With political tensions between the US and China at an all-time high, US government officials fear that a potential incident between the two countries could have catastrophic effects on US IT infrastructure, which is now riddled with Chinese-made equipment.