The Defense Department has been failing to take into account the potential security risks of buying commercial off-the-shelf (COTS) technology items such as laptops, security cameras, software and networking equipment, according to the office of the Pentagon Inspector General.
"We determined that the DoD purchased and used COTS information technology items with known cybersecurity risks," the IG said in a 50-page report that had numerous redactions, particularly in the section for DoD responses.
As described by the IG, the Pentagon essentially has two ways of purchasing information technology.
One is the traditional acquisition process for big-ticket items such as weapons systems; the other is through Government Purchase Cards for items usually costing less than $10,000 that are offered in the marketplace in the same form to government and non-government buyers.
In the use of purchase cards, the IG's report found that "specifically, Army and Air Force [government purchase card] holders purchased at least $32.8 million of COTS information technology items, such as Lenovo computers, Lexmark printers, and GoPro cameras, with known cybersecurity vulnerabilities in FY 2018."
The risks were being taken for several reasons, including DoD's failure to set up an "approved products list to prevent unsecure items from being purchased," and failure "to develop a strategy to manage the cybersecurity risks of COTS information technology items."
The IG's report warned that "adversaries could exploit known cybersecurity vulnerabilities that exist in COTS items purchased by the DoD," and added that "missions critical to national security could be compromised."
As an example, the report cited the State Department's warning in May 2017 against using Hangzhou Hikvision Digital Technology Company and Dahua Technology Company video surveillance equipment, citing the threat of cyberespionage by China.
Despite the risks, DoD continued to buy the questionable video surveillance equipment until Congress banned the government from using them in August 2018, the IG report said.
To counter the threat, the report had several recommendations, including that the Defense Secretary develop a process to test potentially high-risk COTS items before purchase, and also consider prohibiting the purchase and use of selected high-risk items.
DoD's response to the report did not address the specifics of the recommendations, and "therefore, the recommendations are unresolved," the IG's office said.
However, Ellen Lord, the Under Secretary of Defense for Acquisition and Sustainment, agreed to update DoD policy and training requirements regarding acquisition and purchase cards, the report said.
The IG report comes amid increasing concerns over the risk of cyberespionage by foreign entities through the sale of high-tech items or investments in U.S. firms.
In May, President Donald Trump issued an executive order barring U.S. firms from using telecommunications gear made by firms that the administration views as national security threats.
Trump's actions raised tensions with China over trade and whether Huawei, the world's largest provider of telecommunications equipment, poses a cyberespionage threat.
-- Richard Sisk can be reached at Richard.Sisk@Military.com