17 December 2018 | International, C4ISR

Audit finds cyber vulnerabilities in US missile defense system

The Army, Navy and Missile Defense Agency are failing to take basic cybersecurity steps to ensure that information on America's ballistic missile defense system won't fall into nefarious hands, according to a Defense Department Inspector General audit released Friday.

Investigators visited five sites that manage ballistic missile defense elements and technical information, but the names of the commands were redacted in the publicly released report.

“The Army, Navy and MDA did not protect networks and systems that process, store, and transmit (missile defense) technical information from unauthorized access and use,” the declassified report states.

Such inadequacies “may allow U.S. adversaries to circumvent (missile defense) capabilities, leaving the United States vulnerable to missile attacks,” the report states.

Investigators found that officials failed to employ safeguards familiar to most people online in 2018, the latest development to raise questions about the U.S. military's cybersecurity vulnerabilities.

Among the shortcomings: Administrators for classified networks had no intrusion detection and prevention systems in place to watch for cyberattacks, much less stop them, according to the report.

At one site, officials said they had requested to purchase those cyber safeguards in December 2017 but nine months later it still hadn't been approved.

“Without intrusion detection and prevention capabilities, (the site) cannot detect malicious attempts to access its networks and prevent cyberattacks designed to obtain unauthorized access and exfiltrate sensitive (missile defense) technical information,” the report states.

Officials also failed to patch system flaws after receiving vulnerability alerts, one of which had first been identified in 1990 and had still not been fixed by April.

Another vulnerability that could be exploited by an attacker was first identified in 2013 but also was never patched, according to the report.

“Countless cyber incident reports show that the overwhelming majority of incidents are preventable by implementing basic cyber hygiene and data safeguards, which include regularly patching known vulnerabilities,” the IG report states. “(Missile defense) technical information that is critical to national security could be compromised through cyberattacks that are designed to exploit these weaknesses.”

Some facilities failed to force employees to use common access cards, or CACs, when accessing the classified system, a basic cybersecurity practice known as multi-factor authentication.

Instead, officials were able to access the sensitive information using just a username and password, the report states.

Hackers use phishing and other tactics to exploit passwords and gain access to such systems.

New hires are supposed to be allowed network access without a card for only their first two weeks on the job. But IG investigators found users on the systems without CACs for up to seven years.

At one site, a domain administrator never configured the network to allow only CAC holder access.

“Allowing users to access networks using single factor authentication increases the potential that cyber attackers could exploit passwords and gain access to sensitive (missile defense) technical information,” the report states.
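The finding above is a misconfiguration that an administrator can enumerate directly: in an Active Directory domain, CAC-only logon is enforced per account by the SMARTCARD_REQUIRED flag in userAccountControl. The following is an added example, written for this page and not taken from the IG report or the article, that lists enabled accounts still able to log on with only a password and flags those older than the two-week grace period the article describes. It assumes the RSAT ActiveDirectory module and a domain-joined session with read access; the $GraceDays and $Report parameters and the CSV output path are assumptions of the example.

```powershell
# Added example: find enabled domain accounts that can still log on with just a
# username and password, i.e. "Smart card is required for interactive logon"
# is NOT set. Assumes the RSAT ActiveDirectory module on a domain-joined host.
# $GraceDays reflects the two-week new-hire window from the article; the
# parameter names and the report path are assumptions for this example.
param(
    [int]$GraceDays = 14,
    [string]$Report = ".\cac-exceptions.csv"
)

Import-Module ActiveDirectory -ErrorAction Stop

$cutoff = (Get-Date).AddDays(-$GraceDays)

# userAccountControl bits: 0x2 = ACCOUNTDISABLE, 0x40000 (262144) = SMARTCARD_REQUIRED.
# The 1.2.840.113556.1.4.803 matching rule is a bitwise AND, so this filter is
# evaluated on the domain controller rather than after pulling every user.
$ldap = "(&(objectCategory=person)(objectClass=user)" +
        "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
        "(!(userAccountControl:1.2.840.113556.1.4.803:=262144)))"

$noCac = Get-ADUser -LDAPFilter $ldap `
    -Properties whenCreated, LastLogonDate, PasswordLastSet, MemberOf

$findings = foreach ($u in $noCac) {
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        CreatedDaysAgo  = [int]((Get-Date) - $u.whenCreated).TotalDays
        LastLogonDate   = $u.LastLogonDate
        PasswordLastSet = $u.PasswordLastSet
        # A password-only account in a privileged group is the worst case.
        # MemberOf omits the primary group and nested membership, so treat
        # this as a first pass, not a complete privilege audit.
        IsDomainAdmin   = [bool]($u.MemberOf -match '^CN=Domain Admins,')
        # Inside the grace period is expected; past it is a finding.
        Status          = if ($u.whenCreated -gt $cutoff) { 'GracePeriod' } else { 'Violation' }
    }
}

$findings | Sort-Object Status, CreatedDaysAgo -Descending | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path $Report

# Remediation for accounts past the grace period, once the list has been
# reviewed (service accounts that cannot use a smart card need a separate
# control, not a silent exception):
# $findings | Where-Object Status -eq 'Violation' |
#     ForEach-Object { Set-ADUser $_.SamAccountName -SmartcardLogonRequired $true }
```

Setting the flag per account is necessary but not sufficient: a domain that allows NTLM or unconstrained password logon paths elsewhere still has a password-only route, so the output above should be read alongside the domain's authentication policy rather than as proof that CAC is enforced.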

Investigators also found unlocked server racks at some locations, another key vulnerability to insider snoopers.

“The insider threat risk necessitates that organizations implement controls...to reduce the risk of malicious personnel manipulating a server's ability to function as intended and compromising sensitive and classified data,” the report states.

External storage devices held unencrypted data and some sites failed to track who was accessing data, and why. Other administrators told investigators that they lacked the ability to record or monitor data downloaded from the network onto these devices.

Unless these officials enforce the encryption of such removed data and monitor its downloading and transferring, “they will be at increased risk of not protecting sensitive and classified (missile defense) technical information from malicious users,” the report states.

Investigators also found that some supposedly secure sites were failing to even lock their doors. One location had a security door that hadn't worked for years.

“Although security officials were aware of the problem, they did not take appropriate actions to prevent unauthorized personnel from gaining unauthorized access to the facility,” the report states.

Other sites featured no security cameras to monitor personnel movement and security officers failed to conduct badge checks.

While the report makes recommendations to fix the documented problems, officials for the inspected agencies offered no comments on the non-classified draft report of the audit.

Friday's scathing IG audit marked the latest in a string of reports detailing shoddy cybersecurity throughout the armed forces and defense contractors.

During the same week, the Wall Street Journal reported that Chinese hackers are targeting military systems and those of defense contractors working on Navy projects.

Beijing-linked cyber raids have attempted to steal everything from missile plans to ship-maintenance data in a series of hacks over the past 18 months, the Journal reports.

As a result, Navy Secretary Richard Spencer has ordered a “comprehensive cybersecurity review” to assess if the Navy's cyber efforts “are optimally focused, organized, and resourced to prevent serious breaches,” spokesman Capt. Greg Hicks said.

The review will also look at authorities, accountability and if the efforts reflect and incorporate government and industry best practices, he said.

“Secretary Spencer's decision to direct a review reflects the seriousness with which the DoN prioritizes cybersecurity in this era of renewed great power competition,” Hicks said.

https://www.navytimes.com/news/your-navy/2018/12/14/audit-finds-cyber-vulnerabilities-in-us-missile-defense-system
