The Pentagon Spent Millions on Vulnerable Chinese Tech in 2018, Watchdog Says - Nextgov

The Pentagon last year purchased thousands of Chinese tech products that contained known cybersecurity vulnerabilities, and officials have yet to enact policies to stop it from happening again, an internal watchdog found.


In 2018, the department bought more than 9,500 commercial printers, computers and cameras despite warnings that adversaries could use the products to infiltrate networks and spy on personnel, according to an inspector general audit. The procurements, which totaled roughly $33 million, expose significant shortcomings in the department’s supply chain security policies that persist to this day, auditors said in a redacted report published Tuesday.


Specifically, the Army and Air Force purchased more than 8,000 printers from Lexmark and 1,500 computers from Lenovo, two Chinese companies that national security officials previously linked to the Communist Party’s espionage operations. 


The Lexmark printers contained multiple vulnerabilities that could allow bad actors to infiltrate Pentagon networks and launch attacks against military contractors, auditors said, and national security officials have repeatedly flagged Lenovo products as threats. The State Department banned Lenovo computers on its classified networks in 2006, and both the Homeland Security Department and Joint Chiefs of Staff have warned the company’s tech contains spyware and other vulnerabilities, the IG said.


According to the report, the services also bought more than 100 GoPro cameras that contained known cybersecurity weaknesses. 


“If the [department] continues to purchase and use [commercial IT] items without identifying, assessing and mitigating the known vulnerabilities … missions critical to national security could be compromised,” auditors said.


Commercial off-the-shelf technologies offer the government a cheap and efficient way to improve their IT infrastructure, but as agencies rely more on commercial tech, they’re also taking on more potential risks. ..
