It’s not just the fact that China has been hacking U.S. military contractors’ networks, it’s that the agencies discovering the breaches and the contractors themselves haven’t been telling other agencies that need to know, a U.S. Senate report says.
The report investigated just 11 out of more than 80 contractors hired by one U.S. military agency that are supposed to report cyber security incidents. The Senate Committee on Armed Services found 50 successful intrusions, including at least 20 attributable to advanced persistent threats (APT) placed by China, according to the report by the
Yet during the period investigated by the committee, of the 80 companies that were supposed to report incidents to the U.S. Transportation Command (TRANSCOM), only two reported any incidents at all.
While the APTs themselves pose a risk of stolen data, the further threat is that these compromised networks could be disrupted to compromise military operations in emergencies and therefore national security.
In some cases, TRANSCOM relies almost entirely on the support these private companies are hired to give. “For example, private airlines provide more than 90 percent of DOD’s passenger movement capability and more than one-third of its bulk cargo capability,” the report says.
As a result, the military also relies on these contractors’ corporate networks to transmit sensitive information. “In addition the overwhelming majority of DOD deployments and distribution transactions occur over unclassified networks, many of which are owned by private companies,” the report says.
So TRANSCOM would want to know whether its contractors’ networks were compromised and potentially leaking data to China about civilian movement of troops and supplies. The report quotes the head of the Joint Chiefs of Staff, Gen. Martin Dempsey, as saying, “We can’t stop an attack unless we can see it.”
A large part of the problem is that the various agencies don’t communicate well with each other, according to the report.
TRANSCOM was told about just one of 20 advanced persistent threats that were successfully deployed in contractor networks.
Part of the problem is that the contractors and TRANSCOM aren’t on the same page when it comes to what incidents the contractors must report. Another part is that other governmental agencies that may discover intrusions don’t understand what TRANSCOM might need to know. A third part is that the agencies involved don’t fully understand how they are allowed to share intrusion information.
Between June 1, 2012 and May 31, 2013, the FBI, Defense Security Service, Defense Cyber Crime Center or the Air Force Office of Special Investigations knew about at least 20 intrusions, but TRANSCOM knew about just two. TRANSCOM says information-sharing rules have prevented it from learning about intrusions, but the committee says it could find no such rules.
The contractors themselves are bound by contract language that TRANSCOM intends as a requirement to report certain incidents, but the contractors say the language is ambiguous and they did not report, the committee says.
Further, as of January 2014 TRANSCOM hadn’t provided a list to the FBI or Department of Defense of those contractors whose intrusions it would like to hear about.
In one case a contractor suffered 24 intrusions but reported none to TRANSCOM. The report says, “while the cyber incident reporting requirement was included in TRANSCOM’s contract with the company, it was included as an option that TRANSCOM did not exercise.”
In another case a contractor didn’t report intrusions to TRANSCOM because it thought the provision applied only to a particular network run by one of its subcontractors. The company in question did report the incidents to other defense agencies, but took four to six months to do so.