A report released by the Senate Armed Services Committee following an investigation shows that hackers associated with the Chinese government successfully penetrated the computer systems of U.S. Transportation Command contractors at least 20 times in a single year. The year-long investigation found that TRANSCOM, which is responsible for global movement of U.S. troops and equipment, was only aware of two of those intrusions.
The report also found gaps in reporting requirements and a lack of information sharing among government entities that left the command largely unaware of computer compromises by China of contractors that are key to the mobilization and deployment of military forces.
The committee found that in a 12-month period beginning June 1, 2012, there were about 50 intrusions or other cyber events into the computer networks of TRANSCOM contractors. At least 20 of those were successful intrusions attributed to an “advanced persistent threat.” The investigation also found that the FBI or DoD were aware of at least nine other successful intrusions by China into TRANSCOM contractors. Of those 20 intrusions, TRANSCOM was only made aware of two.
“When it comes to our Military and its supporting national defense industrial complex, the American public’s expectation is and should be significantly higher. The SASC findings are clearly backing for additional oversight and investment that ensures the security of our most critical information systems and infrastructure,” says Carl Wright, General Manager of TrapX Security, formerly CISO of the US Marine Corps.
“These breaches illustrate how traditional security tools alone don’t do enough and both enterprises and government organizations need to constantly evaluate and improve their security posture. These evolving threats have the ability to circumvent legacy security technologies such that enterprises must continue to build up their arsenal of security capabilities to thwart today’s cyber criminals whether foreign or domestic.”
Earlier this week, CivSource covered a new report from Harvard Business Review and Verizon that touches on some of the same issues, including the breakdown of systems that still rely on legacy technology and on technology operating well beyond its end of lifecycle. The report's authors further noted that organizations that fail to collaborate will ultimately run into problems.
In response to the findings of the investigation, the Committee is adding a provision to the National Defense Authorization Act for Fiscal Year 2015 to address the gaps and set up procedures for information sharing. While this is a welcome step, the fact that it has to take place at all highlights just how little the US Government gets for its multibillion-dollar contracts with private defense companies. One would imagine that companies required to provide mission-critical IT and IT security might have information sharing processes in place as part of a standard service level agreement, but not surprisingly, they’ve opted to fall back on the common refrain of ‘unclear guidance.’ One is also left to question how companies that market themselves on their security prowess, their multitude of federal security certifications and their consultative expertise fail to consult on some kind of reporting process. As the American people also saw with the Snowden leaks, accountability on both sides is wanting.
The new provision requires the Secretary to assess existing reporting requirements and DoD policies and systems for sharing information on cyber intrusions. It also requires the Secretary to designate a single DoD component to receive intrusion reports from contractors and other government agencies and to issue guidance ensuring that intrusion-related information is shared with appropriate DoD components. Until, of course, it’s lobbied out of the bill.