U.S. Senator Joni Ernst (IA) became the second lawmaker in the past week to draw attention to a recent Department of Defense Inspector General report that flagged the Pentagon’s commercial-off-the-shelf (COTS) purchases of more than 9,000 items of Chinese-manufactured hardware with “known cybersecurity vulnerabilities.”
In a letter to Deputy Secretary of Defense David Norquist, she wrote, “I am very concerned that despite repeated warnings from multiple government agencies, DoD is continuing to purchase and use computers and other electronics with known cybersecurity risks.”
Ernst then highlighted how the State Department and Joint Chiefs of Staff Intelligence Directorate raised red flags about Chinese PC manufacturer Lenovo, whose products were purchased by the Army and Air Force on over 1,500 occasions in 2018. The report also cited Lexmark printers and GoPro cameras for cybersecurity vulnerabilities that could allow remote attacks by hostile actors.
Ernst’s statements come on the heels of U.S. Rep. Michael Gallagher (WI-08) criticizing the Pentagon for not acting on previous warnings. He called the IG report “a flashing red warning sign that even in the most sensitive parts of our government we aren’t taking cybersecurity as seriously as we should.”
In a separate but related story, last week the Pentagon Inspector General released the 2019 Compendium of Open Inspector General Recommendations, which documented 1,500 of its recommendations that haven’t been resolved. It is imperative that the recommendations made by the IG in its report on COTS purchases – that the Department develop a risk-based approach to prioritize COTS items for further evaluation, a process to test high-risk COTS items, and a process to prohibit the purchase and use of high-risk COTS items – get implemented, not ignored.