Murky contractor ownership masks national security threats to IT

The Department of Defense should investigate contractor ownership during fraud risk assessments to catch national security threats to IT systems, according to a new watchdog report.

Shell companies the government mistakenly contracts with could sabotage or spy on systems containing sensitive information, according to intelligence officials the Government Accountability Office consulted for its report released Monday.

DOD accounts for two-thirds of federal contracting activity, and companies with murky ownership could be run by foreign adversaries, it says.

“These entities could infiltrate DOD’s supply chain to introduce components, such as circuit-board chips and routers modified to fail, facilitate state or company espionage, or compromise the integrity of DOD’s information-technology systems,” reads the GAO report. “According to [chief information officers], adversarial entities could also potentially gain access to sensitive information through their relationship with DOD contractors.”

Companies struggling financially are particularly vulnerable to exploitation by adversaries, who might quietly acquire a domestic contractor, Defense Intelligence Agency officials told GAO.

In 2017, an Office of the Director of National Intelligence background paper detailed how supply chain complexity allows adversaries — operating through companies, hackers and organized crime — entry at multiple points. Those adversaries target sensitive research and development programs, steal intellectual property and personally identifiable information, and insert malware into critical components.

DOD also identified the risk of adversaries gaining access to military bases to harm deployed troops in countries like Iraq or Afghanistan.

GAO reviewed 32 cases of contractors with murky ownership and found many received contracts they shouldn’t have or let foreign manufacturers obtain sensitive information and produce faulty equipment. That’s in addition to entities using the multiple companies they own to inflate prices and create the illusion of competition.

Four cases involved shell companies masking foreign manufacturers that bid on contracts meant to be awarded domestically. The manufacturers received contract payments with one supplying DOD with defective parts that grounded 47 aircraft and another supplying unusable parts.

Perhaps more troubling, three of the manufacturers exported military technical drawings and blueprints to foreign countries in violation of the Arms Export Control Act.

DOD revised the Federal Acquisition Regulation in 2014 to require contractors to self-report some ownership information and seeks it during the supply chain risk analyses conducted when acquiring critical components. The department also has a fraud risk management program but has yet to assess contractor ownership risks across all its agencies, according to GAO.

“Assessing risks arising from contractor ownership would allow DOD to take a strategic approach to identifying and managing these risks, make informed decisions on how to best use its resources, and evaluate its existing control activities to ensure they effectively respond to these risks,” reads the report.

DOD agreed with GAO’s recommendation, but its response was deemed sensitive and omitted from the public version of the report. The sensitive version was released internally in September.