The Defense Department spent at least $32.8 million in fiscal 2018 on technology that could threaten national security, according to an inspector general’s report.
The redacted report, titled “Audit of the DoD’s Management of the Cybersecurity Risks for Government Purchase Card Purchases of Commercial Off-the-Shelf Items,” was released July 26 and focuses on commercial off-the-shelf technology acquired by the Army and Air Force.
“As a result, adversaries could exploit known cybersecurity vulnerabilities that exist in COTS items purchased by the DoD," the report read. "If the DoD continues to purchase and use COTS information technology items without identifying, assessing, and mitigating the known vulnerabilities associated with COTS information technology items, missions critical to national security could be compromised.”
The tech in question had been documented as having vulnerabilities, sometimes as long as a decade ago. However, the report states the Defense Department is increasingly dependent on these types of technology for laptops, security cameras, software and networking equipment.
The technology purchased by the Army and Air Force included:
- More than 8,000 Lexmark printers totaling $30 million. The report cites a Congressional report identifying supply chain risks tied to China in Lexmark printers, and states that Lexmark has connections to the Chinese military, nuclear, and cyber espionage programs. Lexmark products have 20 listed cybersecurity vulnerabilities in the National Vulnerability Database (NVD), including storing and transmitting sensitive network access credentials in plain text and allowing malicious code to be loaded onto a printer.
- 117 GoPro cameras costing $98,000. These cameras share video over wireless networks or a Bluetooth connection, which could allow an attacker to access stored network credentials and live video streams. An attacker could view a video stream, start recording, or take pictures without the user knowing.
- 1,573 Lenovo products totaling over $2 million. Congress and the Department of Homeland Security issued multiple warnings against using Lenovo computers, according to the report, following bans by the State Department (2006), DHS (2015), and the Joint Chiefs of Staff Intelligence Directorate (2016). Lenovo is the largest computer company in China. The State Department ordered a risk assessment of Lenovo products on DoD networks in 2018. However, that year the Army purchased 195 Lenovo products for just under $268,000 and the Air Force purchased 1,378 products for $1.9 million.
The report finds the Defense Department continues to use these products within its networks because it has no organization responsible for cybersecurity risks in commercial off-the-shelf technology and no controls to prevent the purchase of products with known cybersecurity risks. The Pentagon also hasn’t adjusted acquisition policies or established an approved products list to keep vulnerable products from being purchased.