Defense Department employees have procured thousands of printers, cameras and computers that carry known cybersecurity risks, and the practice may be continuing, according to an audit released Tuesday by the Pentagon’s inspector general.

More than 9,000 commercially available information technology products bought in fiscal 2018 could be used to spy on or hack U.S. military personnel and facilities, the report said. Without fixing oversight of such purchases, more risks lie ahead, potentially including perils for top-dollar weapons that use such “commercial-off-the-shelf” or COTS devices.

[House orders Pentagon to say if it weaponized ticks and released them]

The auditors also wrote that the Pentagon has a pattern of buying products from companies such as Huawei, ZTE or Kaspersky Lab long after other federal agencies have identified the companies as posing cybersecurity risks and right up until the point that Congress outlaws purchases from the companies.

What’s more, the report said the department’s list of approved commercial products still includes some that can pose cyber-risks, including computers made by Lenovo Group, China’s largest computer manufacturer, whose products contain cyberespionage hardware and software, according to U.S. authorities.

[Tech vanguard is dodging Pentagon]

“If the DoD continues to purchase and use COTS information technology items without identifying, assessing, and mitigating the known vulnerabilities associated with COTS information technology items, missions critical to national security could be compromised,” said the declassified and formerly secret report, which remains partially redacted.

The Pentagon did not immediately reply to a request for comment.

Known risks

The report is a window into part of a larger, well-documented Defense Department problem with cybersecurity that includes a history of harmful hacks that have led to the loss of vital military information and the continued vulnerability of numerous U.S. military computer systems.

The new audit showed, for example, that Army and Air Force personnel spent at least $33 million in fiscal 2018 on suspect products.

In particular:

• They procured over 8,000 printers from Lexmark, which has ties to China’s security agencies. The printers could have launched denial of service attacks or conducted cyberespionage, the report said.
• Army and Air Force personnel also purchased 117 GoPro cameras that could access network credentials or video streams and even “take pictures without the user’s knowledge.”
• Even though multiple government agencies have reported since 2006 that computers made by China’s Lenovo pose cyberespionage risks, Air Force personnel bought 1,378 Lenovo products in fiscal 2018 and the Army bought 195.

As a result of these purchases, the audit said, “the DoD increased its risk that adversaries could exploit known cybersecurity risks.”

Growing problem

Military personnel buy commercial products either by using government credit cards or traditional acquisition methods.

The special credit cards may be used for certain items with a value at or below $10,000. Congress has streamlined the process for using the cards and has increased the dollar threshold.

The use of the cards is growing as a result, and so too are the kinds of potentially risky information technology devices that can be procured, the auditors said.

At issue are not just ordinary office products but also systems that connect to high-tech weapons. Even F-35 fighter jets use commercially available “internet of things” products to improve pilots’ so-called situational awareness, the report said.

Key recommendation ‘unresolved’

The auditors recommended that the Pentagon take a number of steps to improve the situation.

These include creating a process for identifying, testing and weeding out high-risk commercial products.

Defense Department officials’ responses to the audit are included in the report but are blacked out.

Regardless, the audit indicates that the Pentagon “did not address the specifics” of the recommendation for creating a special review process for commercial purchases. As a result, that proposal remains “unresolved.”

The Pentagon lacks the proper policy and training to deal with the growing problem of risky purchases of commercial IT products, the audit found. Ellen Lord, the Pentagon acquisition chief, concurred with that recommendation, the report said.