A report released July 30 by the Department of Defense Inspector General found that more than 9,000 commercially available information technology products purchased by the DoD in FY 18 could be used to spy on, sabotage or surveil US military personnel and facilities. These purchases were made via Government Purchase Cards, which are given to DoD employees to streamline procurement of technology valued at less than $10,000. Despite their low purchase price, these devices pose serious risks to Department of Defense networks that depend on robust cybersecurity protocols, as well as to missions critical to national security.
The IG report shows that the US Army and Air Force purchased thousands of products already flagged as security risks. These purchases include hardware from Chinese-owned Lexmark, GoPro and Lenovo – three companies whose products American consumers purchase in high quantities on a daily basis.
The purchase of each brand poses unique security risks, as detailed by the DoD IG Report:
- The National Vulnerability Database lists 20 cybersecurity vulnerabilities for Lexmark, including storing and transmitting sensitive network access credentials in plain text and allowing the execution of malicious code on the printer.
- GoPro action cameras were purchased with “vulnerabilities that could allow a remote attacker access to the stored network credentials and live video streams.”
- Lenovo products have been banned, investigated or deemed vulnerable by the State Department in 2006, the Department of Homeland Security in 2015, the Joint Chiefs of Staff Intelligence Directorate in 2016, and the DoD Information Network in 2018.
Congress must demand action to ban products identified as “known security risks” from government networks. Thankfully, lawmakers are paying attention to these cyber vulnerabilities, most recently Senators Mike Crapo (R-ID) and Mark Warner (D-VA), who introduced a bill that would create an agency dedicated to supply chain testing. Building on the groundwork of the White House and the Department of Commerce, Sens. Marco Rubio (R-FL), Richard Blumenthal (D-CT), and Tom Cotton (R-AK) have proposed strengthening restrictions and prohibiting retaliatory abuse by Huawei, measures which could be extended to other dangerous firms.
These bills are logical steps in ensuring American cybersecurity. Without effective Congressional action, the Department of Defense and other US government cyber networks will remain vulnerable to malicious Chinese actors.