The Department of Defense continues to buy millions of dollars in commercial off-the-shelf technology with known cybersecurity vulnerabilities, a watchdog report published last week found.
The DOD inspector general’s report listed Lenovo computers, Lexmark printers and GoPro cameras as examples of unsecured equipment with vulnerabilities listed in the National Vulnerability Database that the DOD continues to purchase and use.
The equipment was purchased years — or in some cases more than a decade — after the cybersecurity vulnerabilities were known.
“If the DoD continues to purchase and use [commercial off the shelf] items without identifying, assessing, and mitigating known vulnerabilities associated with [commercial off the shelf] items, missions critical to national security could be compromised,” the report states.
Threats from China
Lexmark printers and Lenovo computers are manufactured in China and have connections to state intelligence agencies, according to the report. With growing fears of Chinese counterintelligence and great power competition, the connections to China add to the threats the vulnerabilities pose.
The Army and Air Force purchased more than 8,000 Lexmark printers for use on military networks, totaling more than $30 million.
Lenovo computers were banned by the State Department in 2006 following reports of hidden hardware or software used for cyber-espionage. Despite an ongoing review of Lenovo by the DOD, the Army purchased another 195 Lenovo products in fiscal 2018, the report stated.
No cybersecurity oversight
The equipment slips through the cracks because there is no departmentwide body that can regulate purchases, the report states.
The Office of the Under Secretary of Defense for Research and Engineering Joint Federated Assurance Center reviews software and hardware for cybersecurity concerns but has yet to receive full operational capability since its founding in 2015.
Once it is fully operational, according to the report, the center will still lack the authority to act decisively to mitigate cybersecurity risks. The center will remain isolated, without authority to mandate purchasing bans or even the ability to screen items before they are requested by another DOD component, according to the report.
“Responsibility for identifying, testing, and mitigating cybersecurity risks is decentralized among many organizations with overlapping responsibilities,” the report states.
The DOD’s response to the IG recommendations was unsatisfying, the report states. The CIO and others “did not address the specifics of the recommendations” the IG gave.