Despite cybersecurity concerns that U.S. Department of Defense strategists have admitted “keep them awake at night,” a review by the U.S. military’s Inspector General has found that significant purchases of “COTS information technology items with known cybersecurity risks” were made last year. It is estimated that “70 to 80 percent of the components that comprise DOD systems are COTS items.”
The heavily redacted IG report highlights “at least” $33 million of Government Procurement Card purchases of equipment from the likes of Lenovo, Lexmark and GoPro. As a result, it warns, “adversaries could exploit known cybersecurity vulnerabilities that exist in COTS items, and missions critical to national security could be compromised.”
Zak Doffman, August 2, 2019
The risks identified refer to “micro-purchases” of less than $10,000 per item. These fall outside the traditional defense acquisition process and instead cover “fixed-price commercial supplies that do not require a cardholder to agree to any terms and conditions other than price and delivery.” From a cybersecurity perspective, the risk is that these endpoints carry known vulnerabilities yet have not been scrutinized the way a larger purchase would be.
Of more concern than printers and ruggedized cameras will be the finding that banned Chinese surveillance equipment was purchased by DOD last year. “Despite the Department of State issuing a warning in May 2017 against using Hikvision and Dahua video surveillance equipment, citing cyberespionage concerns from China,” the IG report finds, “DOD continued to purchase and use these COTS items to monitor installation security until Congress banned the Government from using them in August 2018.”