On July 26th, the Department of Defense Inspector General issued “Audit of the DoD’s Management of the Cybersecurity Risks for Government Purchase Card Purchases of Commercial Off-the-Shelf Items,” a report documenting over 9,000 purchases by Army and Air Force personnel in 2018 of Chinese-manufactured hardware and electronics from Lexmark, GoPro and Lenovo, despite their documented security vulnerabilities and bans by other government agencies. One month after the required response deadline, the Pentagon has refused to publicly provide answers to the IG’s report.
After its release, the report was flagged by Sen. Joni Ernst and Rep. Mike Gallagher, who both warned that purchasing items like these “threatens to undermine our national security” and “[w]e need a mentality change when it comes to both [commercial] and traditional acquisition programs to ensure that security is not just an afterthought, but a foundational component of acquisition policy.”
Continued use of Lexmark, Lenovo and GoPro products can enable hacking and surveillance of military personnel and government facilities, expose network credentials and live video streams, and enable denial-of-service attacks on DoD networks.
The IG report asked the Secretary of Defense to formally respond to the report by August 26th. Nearly 60 days after its release, there is no indication that the Department has addressed the report’s three open recommendations:
- Develop a risk-based approach to prioritize commercial off-the-shelf items for further evaluation.
- Develop a process to test high-risk commercial off-the-shelf items.
- Develop a process to prohibit the purchase and use of high-risk commercial off-the-shelf items, when necessary, until mitigation strategies can limit the risk to an acceptable level.
To date, there has been no public response from the Office of the Secretary of Defense to the IG and no substantive answer to the concerns raised by Sen. Ernst’s letter to Deputy Defense Secretary David Norquist.
Given the increasing concerns on Capitol Hill about Chinese threats to America’s national security, supply chains, intellectual property and economy, it is unfortunate that the DoD has not been proactive in publicly responding to the shortfalls identified in the IG report. It is imperative that the report’s recommendations do not get added to the Pentagon’s 1,500+ open recommendations documented by the IG over the last five years.