But there’s also a major hacking danger posed by cheaper stand-alone items, such as Lexmark printers, Lenovo laptops and GoPro cameras, that the military is routinely buying with the equivalent of office expense accounts and little or no oversight, Gallagher warned during a Wednesday call with reporters.
For example, Army and Air Force officials used the equivalent of government credit cards to buy more than 8,000 Lexmark printers during the 2018 fiscal year, despite the fact the company has “connections to Chinese military, nuclear, and cyberespionage programs,” according to a recent watchdog report Gallagher cited during the call.
The Air Force also purchased 1,378 Lenovo products last year, despite a 2016 warning in a report from the Joint Chiefs of Staff Intelligence Directorate that “Lenovo computers and handheld devices could introduce compromised hardware into the DoD supply chain, posing a cyberespionage risk to classified and unclassified DoD networks.” The Army and Air Force also bought 117 GoPro action cameras despite vulnerabilities that could give a hacker access to the user’s credentials and to live video streams, the report states.
Gallagher called that report “a flashing red warning sign that even in the most sensitive parts of our government we aren't taking cybersecurity as seriously as we should.”
Lexmark and Lenovo are Chinese companies, and GoPro cameras are produced primarily in China. Chinese-built back doors in those products could give Beijing access to Pentagon communications, surveillance footage and reams of other sensitive data, Gallagher warned.
He described the Lexmark and Lenovo purchases as evidence of how deeply Chinese technology is integrated into the U.S. government and other sectors of the economy — and how difficult it will be to root out all of that technology if it poses a greater hacking risk than the nation can bear.
Lexmark defended the company's security controls in an emailed statement, saying that it complies with Defense Department and Homeland Security Department rules that shield the company from Chinese influence, including having a board of directors who are all U.S. citizens and approved by the government. "Lexmark is audited annually to ensure adherence to these controls, and we have successfully passed each audit," Lexmark CEO Allen Waugerman said.
Gallagher’s warnings come as U.S. officials are in the midst of a global pushback on Chinese tech companies, especially the telecom company Huawei, which is poised to play a dominant role in building next-generation 5G networks that will carry far more data than existing networks and create greater risk if they’re compromised by hackers.
The government's comparatively lesser attention to commercial products from China could make them more tempting hacking targets for Chinese spies, according to Roslyn Layton, a visiting scholar at the American Enterprise Institute, who also spoke on the call.
She warned that if China infiltrated the Pentagon through commercial Chinese suppliers, the result could be more damaging than the 2015 China-linked breach at the Office of Personnel Management, which compromised sensitive security clearance information about more than 20 million current and former government employees.
“If you’re the enemy and you want to infiltrate American government and military, well why don’t you take the path of least resistance and that is America’s defense industrial base,” Layton said.
Gallagher’s co-leading the Cyberspace Solarium Commission, a group of a dozen lawmakers and current and former government officials, which is tasked with charting a course for the future of U.S. cybersecurity policy. The commission is based on a similar Eisenhower-era group that examined how best to counter the Soviet Union.
During a separate call with me, he described stemming the spread of Chinese technology as one of the thorniest challenges the United States will face in coming years — and a key focus for the commission.
“One thing we’re discovering as we go down this path of a more competitive relationship with China is just how intertwined our economies are,” he said. “You can build a moat around critical technology, but you can never completely divorce us from the Chinese economy.”
To combat Chinese tech dominance, the United States should consider surging federal support for research and development efforts to make U.S. and other Western tech companies more globally competitive, he said. The country should also increase efforts to convince allies to shut out Chinese firms from 5G and other sensitive areas, he said.
So far, however, that effort hasn’t been going very well. Despite months of warnings, some key U.S. allies, including the United Kingdom and Germany, are still considering allowing Huawei to build portions of their 5G networks.
To readers: The Cybersecurity 202 will take a break the week of Aug. 26 before returning full time after Labor Day.
While most of the ongoing battle over election security legislation has been playing out in the Senate, House Speaker Nancy Pelosi (D-Calif.) jumped into the fray Wednesday to slam President Trump for prioritizing Russia’s G-7 status instead of punishing it for interfering in the 2016 election.
PINGED, PATCHED, PWNED
PINGED: Fearful after a recent wave of cyberattacks against schools, some state lawmakers are scrambling to fortify cybersecurity policies before students — and hackers — return for the new school year, the Wall Street Journal’s Adam Janofsky reports.
“States are recognizing that it’s important to coordinate efforts to respond to cybersecurity events happening within their borders,” Leroy Terrelonge, a cyber risk analyst at Moody’s Investors Service, told Janofsky.
Texas will require its school districts to “adopt cybersecurity policies, designate a cybersecurity coordinator and report certain incidents to state regulators,” as of Sept. 1, for instance.
Meanwhile, Louisiana officials are still helping three school districts recover from attacks in July that prompted the governor to declare a state of emergency. Those are just two of 24 states that have established statewide commissions involving cybersecurity professionals from across the public and private sectors, academia, and law, Janofsky noted.
PATCHED: Hackers with potential ties to North Korea have been using fake but official-looking websites in an attempt to trick diplomats and researchers into giving up their login credentials, Jeff Stone at CyberScoop reports.
U.S.-based targets include the Congressional Research Service and Stanford University. The hackers also targeted the French Ministry for Europe and Foreign Affairs, and the Ministry of Foreign and European Affairs of the Slovak Republic. It’s unclear if anyone fell for the attacks, but if successful, they would have allowed hackers to peer into the private inboxes of diplomats and researchers.
The technology used by the hackers has been linked to North Korea, but researchers couldn’t say definitively who was behind the attacks. Many of the hacking group's targets are focused on combating or studying North Korea's nuclear program.
PWNED: The Justice Department indicted five people Wednesday, accusing them of hacking the online payments of thousands of former and current U.S. military members, CyberScoop’s Sean Lyngaas reports. The scheme targeted elderly veterans, who were less likely to notice their accounts had been compromised, Sean reported.
The scheme involved compromising the logins victims use to access an online military benefits service run by the Pentagon, Sean reported. One of the scammers stole information to help figure out those logins, such as names and Social Security numbers of people affiliated with the military, while working as a medical records technician at a U.S. Army base in South Korea, according to the indictment.
The Veterans Affairs Department is working with the Defense Department to determine if any of its benefits accounts were compromised and has taken “additional protective measures” to protect veterans’ data, the department said.
The accused, three of whom are U.S. citizens, face charges of conspiracy, wire fraud and aggravated identity theft.