Defense contractors recently suffered a barrage of cyberattacks from the Chinese government, according to a Senate investigation released Wednesday that revealed startling vulnerabilities in how the Pentagon transports troops and equipment.
Contractors working for the U.S. Transportation Command were successfully hacked about 50 times over a 12-month span that ended in May 2013. Of those, at least 20 were sophisticated intrusions attributed to China, the investigation found.
Despite the seriousness of the breaches, the Transportation Command was made aware of only two, even though other government agencies such as the FBI knew about the intrusions.
In announcing the findings of the year-long investigation, Sen. Carl Levin, (D-Mich.), the chairman of the Armed Services Committee, said that the “security of our military operations is what is at stake here. . . . What we found here is very disturbing.”
The committee focused on the Transportation Command because it is in charge of deploying military personnel and equipment around the world. To do that, the command relies heavily on contractors. Private airlines, for example, transport more than 90 percent of the Pentagon’s passengers and more than one-third of its bulk cargo, the report said.
The concern is that hackers could infiltrate contractors’ systems during peacetime, then “establish a foothold” and cause disruptions once the companies are activated in a crisis.
“That reliance on the private sector is not lost on potential U.S. adversaries,” the report said, noting that enemies often see military logistics as vulnerable.
Investigators found that the Chinese military stole e-mail messages, documents, passwords and source code from one contractor. In another incident, the report said hackers took flight details from a contractor that is part of the Civil Reserve Air Fleet, a program in which commercial transportation companies are called on to “rapidly deploy U.S. forces in times of crisis.”
The report did not name the victimized companies.
The Chinese Embassy did not respond to requests for comment.
A Defense Department spokeswoman said in a statement that the agency takes the implications of the report seriously. “We are addressing the gaps identified in the report. This is a very high priority for the Department. The cyber intrusions highlighted in the report did not impact U.S. Transportation Command’s ability to conduct its global mission,” said Army Lt. Col. Valerie Henderson.
Levin said he was particularly troubled that the command was “in the dark about the vast majority of the intrusions.” And he said that “the failure of one government agency to share information with another agency that needs to know hampers our . . . national security.”
The command and the contractors that work for it “lack a common understanding” about what sorts of intrusions must be reported and to whom, the investigation found. The contract language used by the command is “ambiguous,” and there were “misperceptions” about how cyberattacks need to be reported.
In response, the committee inserted a provision into next year’s Pentagon spending bill that would designate “operationally critical contractors,” issue new reporting requirements for when they have been attacked and foster better interagency communication.
The legislation also would require the Defense Department to help contractors detect intrusions and guard networks.
In a statement, Sen. James M. Inhofe (Okla.), the committee’s ranking Republican, said that “it is essential that we put into place a central clearinghouse that makes it easy for critical contractors, particularly those that are small businesses, to report suspicious cyber activity without adding a burden to their mission support operations.”