According to a story by ZDNet based on a report by the DoD (Department of Defense) Inspector General, the U.S. military spent more than $32.8 million during 2018 buying electronic equipment that is plagued by numerous security vulnerabilities. According to the audit, the security flaws were known at the time of purchase, and the products could have been avoided had there been a checking procedure in place. Instead, the purchases were made by individual employees of the U.S. Army and U.S. Air Force, who used government-issued payment cards that are meant to support micro-transactions and the acquisition of low-cost tools.
The report highlights the purchase of 117 GoPro cameras, 1573 Lenovo computers, and over 8000 Lexmark printers. The GoPro cameras come with security vulnerabilities that allow a remote attacker to access the live video streams, start recording remotely, and take pictures and videos without the owner or user realizing it. The Lexmark printers are believed to be affected by over 20 security flaws that allow the sniffing of network access credentials and arbitrary code execution, and that more generally lay the groundwork for cyberespionage or let the printers serve as a supporting platform for DoS attacks on the military network. Finally, the Lenovo purchases are accompanied by worries about pre-installed spyware, as the computer manufacturer is a Chinese company based in Beijing.
The Inspector General recommends that the commercial off-the-shelf (COTS) list be fundamentally revised following a risk-based approach, resulting in the removal of many items that currently populate it. Moreover, the office suggests that there should be an acquisition policy that requires a detailed review and evaluation of the cybersecurity risks associated with all COTS items. Finally, the Inspector General proposes the introduction of a training program that would help Army and Air Force employees understand the impact that various common cybersecurity risks could have on their mission.
As expected, the findings and statements of the DoD audit didn’t make the three highlighted companies happy. Lexmark has responded to the allegations, saying that it strongly disagrees with the representation of its printers as a security risk. Moreover, the company points out that it has been supplying the U.S. federal government with its products for more than 25 years, and that its printers have never been the means for or cause of Chinese-sponsored cyberespionage. Finally, it claims that all of the vulnerabilities presented by the Inspector General have already been addressed through firmware, driver, and software updates, so they no longer apply.
Do you think that the U.S. Army and Air Force should be more careful about what electronic equipment they deploy in their operations, or do you find the DoD’s audit far-fetched? Let us know where you stand in the comments down below, or share your thoughts on our socials, on Facebook and Twitter.