The Department of Defense (DoD) was audited for the very first time in in 2018, covered $2.7 trillion in assets and $2.6 trillion in liabilities for fiscal year 2018, and was likely the largest known audit of an organization in history, noted Defense Department Comptroller David L. Norquist. While the audit covered hard military assets such buildings, planes, ships, and tanks, it also covered information technology products and the process to acquire them. It is commendable that in such a massive organization that there was no evidence of fraud.
The key area of deficiency however was IT security, for example, not revoking certificates of personnel who have departed or using systems that could be hacked. The DoD Inspector General Glenn Fine has spearheaded continued audits of the department and provides updates to the public.
Indeed the issue of IT security continues to bedevil the DoD, as highlighted in July 2019 report of some $30 million of COTS consumer off the shelf products which are listed in the National Vulnerabilities Database. It would seem that the Defense Department would be the first to practice sound network security by not purchasing vulnerable products (indeed many vulnerable items have been prohibited in military networks, notably Huawei and ZTE, how the Navy blocked Lenovo), but weak processes with contractors appear to put the Department at risk. CTT highlighted this issue in a teleconference with Rep. Mike Gallagher who noted the U.S. government to take its supply chain security problems more seriously. Senator Joni Ernst also raised the issue. Almost a year later DoD still has not resolved the issue, or has not published it.
Indeed the issue takes on heightened importance as thousands of DoD employees are working from home. As Alza Sebenius notes in Bloomberg, cybersecurity initiatives at the Department of Defense are incomplete, or their status unknown. The Government Accountability Office said in a report released to Congress called, “DOD Needs to Take Decisive Actions to Improve Cyber Hygiene” that ambiguity surrounds these projects due to the lack of leadership in reporting and execution.
It is precisely this kind of vulnerable Chinese equipment which can be hacked when people work from home networks. No one expects the Pentagon to be perfect. However when important issues are raised and recommendations made on how to resolve them, the Pentagon leadership has no excuse not to do so. Indeed the remedy costs no money. Vulnerable items should not be purchased. Full stop. There are many alternatives at competitive prices that don’t put the military and our national security at risk.