DoD) Inspector General (IG) report released on July 30 found that more than 9,000 commercially available IT products (COTS) purchased in FY 2018 — costing at least $32.8 million — could be used to spy on, surveil, or sabotage US military personnel and facilities. In contrast to traditional DoD processes for large acquisitions such as weapon systems, aircraft, and command and control systems, these purchases were made via Government Purchase Cards, which are intended to simplify procurements of less than $10,000.
However, just because the dollar amounts are small doesn’t mean that the risk is reduced, as the products in question had long been identified as security threats. Moreover, many of the most devastating cybersecurity attacks, such as those against Target, Equifax, and the Office of Personnel Management, were instigated at low levels of approval and control, frequently via contractors or COTS devices. The report warns that “if the DoD continues to purchase and use COTS information technology items without identifying, assessing, and mitigating the known vulnerabilities associated with COTS information technology items, missions critical to national security could be compromised.” While it is not clear whether the redacted report discusses it, the issue could be that contractors or others with purchase cards are not up to speed on the vulnerabilities.
Roslyn Layton, August 12, 2019
The IG audit shows that the US Army and Air Force purchased thousands of products already flagged as security risks. They include over 8,000 printers from Lexmark, a company the report notes has “connections to Chinese military, nuclear, and cyberespionage programs. The National Vulnerabilities Database lists 20 cybersecurity vulnerabilities for Lexmark, including storing and transmitting sensitive network access credentials in plain text and allowing the execution of malicious code on the printer. These vulnerabilities could allow remote attackers to use a connected Lexmark printer to conduct cyberespionage or launch a denial of service attack on a DoD network.”
The report further highlights the purchase of 117 GoPro Action cameras with “vulnerabilities that could allow a remote attacker access to the stored network credentials and live video streams. By exploiting these vulnerabilities, a malicious actor could view the video stream, start recording, or take pictures without the user’s knowledge.” It also notes the purchase of 1,573 Lenovo laptops. Lenovo products have been banned, investigated or deemed vulnerable by the State Department in 2006, the Department of Homeland Security in 2015, the Joint Chiefs of Staff Intelligence Directorate in 2016, and the DoD Information Network in 2018.
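The control the report says is missing is a check of purchase-card transactions against known-vulnerable COTS products before the card is swiped. As an added illustration (not code from the IG report or from the author), the following screens a batch of constructed micro-purchase records against a watchlist built from the vendors named above, totals units and dollars per flagged vendor, and also applies a simple split-purchase heuristic: the same cardholder spending more than the $10,000 purchase-card ceiling at one vendor across several transactions. The watchlist reasons paraphrase the page; the record fields, cardholder IDs, prices and the split-purchase heuristic are assumptions made for the example.

```python
"""Screen purchase-card (micro-purchase) records against a COTS watchlist.

Added example; not from the IG report. Record layout, cardholder IDs and the
split-purchase heuristic are assumptions for illustration.
"""
import re
from collections import defaultdict

# Purchase-card ceiling cited on the page.
MICRO_PURCHASE_THRESHOLD = 10_000.00

# Constructed watchlist keyed by a normalized vendor name. Reasons paraphrase
# the findings summarized on the page.
WATCHLIST = {
    "lexmark": "NVD lists 20 vulnerabilities (plain-text credentials, code execution)",
    "gopro": "remote access to stored network credentials and live video streams",
    "lenovo": "flagged by State (2006), DHS (2015), JCS J2 (2016), DoDIN (2018)",
}

# Constructed sample transactions (vendor strings deliberately vary in form).
SAMPLE_PURCHASES = [
    {"cardholder": "C-1001", "vendor": "Lenovo (United States) Inc.",
     "item": "ThinkPad T480 laptop", "qty": 5, "unit_price": 1200.00},
    {"cardholder": "C-1002", "vendor": "Lexmark International, Inc.",
     "item": "MS821 laser printer", "qty": 12, "unit_price": 450.00},
    {"cardholder": "C-1003", "vendor": "GoPro, Inc.",
     "item": "HERO7 action camera", "qty": 3, "unit_price": 400.00},
    {"cardholder": "C-1004", "vendor": "Acme Office Supply",
     "item": "copier paper", "qty": 100, "unit_price": 5.00},
    {"cardholder": "C-1001", "vendor": "Lenovo (United States) Inc.",
     "item": "ThinkPad T480 laptop", "qty": 4, "unit_price": 1200.00},
]


def normalize_vendor(name: str) -> str:
    """Lower-case and strip punctuation/whitespace so 'GoPro, Inc.' -> 'goproinc'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def watchlist_hit(vendor: str, watchlist=WATCHLIST):
    """Return (watchlist_key, reason) if the vendor name starts with a listed
    vendor after normalization, else None. Prefix matching avoids matching a
    listed name that merely appears inside an unrelated vendor string."""
    key = normalize_vendor(vendor)
    for wl_vendor, reason in watchlist.items():
        if key.startswith(wl_vendor):
            return wl_vendor, reason
    return None


def screen_purchases(records, watchlist=WATCHLIST,
                     threshold=MICRO_PURCHASE_THRESHOLD):
    """Flag watchlisted purchases, total them per vendor, and report
    cardholder/vendor pairs whose combined spend exceeds the threshold
    (a heuristic for purchases split to stay under the card limit)."""
    flagged = []
    per_vendor = defaultdict(lambda: {"units": 0, "dollars": 0.0})
    per_card_vendor = defaultdict(float)

    for rec in records:
        total = rec["qty"] * rec["unit_price"]
        hit = watchlist_hit(rec["vendor"], watchlist)
        if hit:
            wl_vendor, reason = hit
            flagged.append({**rec, "watchlist_vendor": wl_vendor,
                            "reason": reason, "total": total})
            per_vendor[wl_vendor]["units"] += rec["qty"]
            per_vendor[wl_vendor]["dollars"] += total
        per_card_vendor[(rec["cardholder"],
                         normalize_vendor(rec["vendor"]))] += total

    split_suspects = [(card, vendor, amount)
                      for (card, vendor), amount in per_card_vendor.items()
                      if amount > threshold]
    return {"flagged": flagged, "per_vendor": dict(per_vendor),
            "split_suspects": split_suspects}


if __name__ == "__main__":
    result = screen_purchases(SAMPLE_PURCHASES)
    for rec in result["flagged"]:
        print(f'{rec["cardholder"]} {rec["vendor"]}: {rec["qty"]} x '
              f'{rec["item"]} (${rec["total"]:,.2f}) -> {rec["reason"]}')
    for vendor, agg in result["per_vendor"].items():
        print(f'{vendor}: {agg["units"]} units, ${agg["dollars"]:,.2f}')
    for card, vendor, amount in result["split_suspects"]:
        print(f"possible split purchase: {card} at {vendor}, ${amount:,.2f}")
```

In practice the watchlist would be fed from an authoritative source (NVD CPE entries or a component-level approved/denied product list) rather than a hand-typed dictionary, and the screening would run at the point of approval rather than in an after-the-fact audit, which is the gap the IG report describes.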