U.S. Transportation Command was aware of only two of at least 20 cyber intrusions on its contractors in a one-year period, according to an investigation by the Senate Armed Services Committee, prompting the committee to include corrective action in its version of the 2015 defense authorization bill.
SASC Chairman Carl Levin (D-Mich.) said the problem outlined in his investigation report–just declassified on Wednesday–is two-fold. First, transportation companies, some of them small businesses, have not been able to keep their networks secure against Chinese hackers looking to steal information. And second, when the intrusions do occur, the information is not making its way to TRANSCOM officials who could evaluate whether the attack adds any risk to operational plans involving that contractor.
The investigation focused on a set of contractors that participate in the Civil Reserve Air Fleet and the Voluntary Intermodal Sealift Agreement–programs in which commercial aviation and shipping companies who do little business with DoD during times of peace could have their assets called upon to move military personnel and equipment in a major contingency. “Peacetime intrusions at those companies may not involve immediate loss of military information, but could leave those companies vulnerable to loss of information or disruption of operations when they are activated to support military operations,” according to a SASC press release.
In one part of the investigation, law enforcement reported that from June 1, 2012 to May 31, 2013, TRANSCOM contractors faced about 50 intrusions, 20 of which were attributed to successful “advanced persistent threat” (APT) attacks. All 20 originated in China.
In a separate part of the investigation, SASC surveyed a group of 11 contractors to ask about their intrusion reporting since TRANSCOM added a reporting requirement to all contracts in late 2012. Of the 11 companies surveyed, three responded they had experienced a total of 32 intrusions, 11 of which were considered APT attacks–and none of which they reported directly to TRANSCOM. One of the intrusions was reported to the Defense Security Service, with a copy of the report sent to TRANSCOM “out of an abundance of caution” rather than out of a perceived obligation to do so under the contractual reporting requirement.
The Federal Bureau of Investigation or other offices in DoD were aware of nine other intrusions involving these 11 contractors in that time period, bringing the total to at least 20, but TRANSCOM was only aware of two, highlighting the extent of the confusing and stovepiped reporting procedures, Levin told reporters.
“This stovepipe of information, the failure of one government agency to share information with another agency that needs to know, hampers our ability to protect national security,” he said in a press conference.
A SASC staffer noted in the press conference that the intent of the investigation and legislative language is not to denigrate TRANSCOM–it is currently the only federal agency that includes reporting requirements in its contracts, and while there are still some bugs to work out, the committee commends TRANSCOM for being forward-thinking in addressing the topic.
The language in the 2015 defense bill has several goals. First, the defense secretary would identify “operationally critical contractors” and tighten their reporting requirements. DoD would establish procedures for helping contractors protect against and detect cyber intrusions–which could have a big impact on small businesses without the resources to protect themselves. And the secretary would also have to assess current reporting and information sharing policies with DoD and designate a single DoD component to receive all intrusion reports from all defense contractors and government agencies such as the FBI, ensuring that all stakeholders have access to information about cyber attacks.