“Impact to DOD is minimal,” Lt. Col. April Cunningham, a department spokeswoman, said in an e-mail.
The breach was acknowledged Saturday by the Bethesda-based contracting giant. The company said that its systems “remain secure” and that “no customer, program or employee personal data has been compromised.”
Lockheed officials have not publicly said who they believe launched the attack, but news reports said it may have resulted from vulnerabilities in a product called SecurID, made by RSA Security, a division of EMC. In March, EMC reported “an extremely sophisticated” cyberattack that targeted its RSA business unit. The attack resulted in the loss of data that could have helped the attacker make copies of SecurID “tokens,” or keys that enable a computer user to gain remote access to a network.
The company began to contact clients, including many large defense contractors such as Lockheed, Northrop Grumman and General Dynamics, to ensure their networks would be safe. In many cases, the only way to ensure security was to replace all the tokens, which could be tens of thousands in the case of large firms.
Cunningham said the Pentagon “does not rely heavily on RSA’s product solutions.”
In 2009, Lockheed was the victim of a computer attack in which sensitive data on the Air Force’s Joint Strike Fighter jet program were stolen. Many experts believe the attack originated in China.
In early 2010, Google announced it had been the victim of a sophisticated cyberattack that it said originated in China and that resulted in the loss of significant intellectual property. The Chinese in 2008 hacked into the presidential campaigns of then-candidates Barack Obama and John McCain, The Washington Post previously reported. China has denied it is behind cyberattacks against the United States.
In August, Deputy Defense Secretary William J. Lynn III said in an article that the computer theft of intellectual property “may be the most significant cyber threat that the United States will face over the long term” — more significant perhaps than the threat to critical national infrastructure such as power grids and transportation.
The Pentagon has partnered with several dozen defense contracting firms for several years to voluntarily share information about cyber threats and attacks, but the degree of sharing on both sides has not been optimal, participants said. The firms have concerns about whether they can trust the government with sensitive data. The difficulty getting classified government data cleared for sharing has also been an obstacle.