Tony Capaccio (Bloomberg) -- An 11-year-old Pentagon case against International Business Machines Corp. ended quietly in October when it agreed to pay the government $900,000 to settle claims involving hacking attacks on the National Defense University that began in 2006.
“It was alleged that IBM submitted false claims for the information technology services that it provided NDU,” the Defense Department’s inspector general said, disclosing the settlement in its latest semiannual report. “IBM allegedly did not fulfill its contractual obligations to provide substantial network security services” under an Army contract that began in 2003.
The Defense Department had initially sought to recover $9 million. IBM filed a motion to dismiss the case that was denied in March 2018 by a judge for the Armed Services Board of Contract Appeals.
The allegations against IBM resulted from a probe by the Defense Criminal Investigative Service’s Cyber Crimes Division of a 2008 hacker attack that accessed about eight computers and stole about 367 files. Agents later found six “malicious network intrusions” since 2006 on the military university, according to a document from the appeals board.
IBM spokesman Saswato Das declined to comment on the settlement. But the Armonk, New York-based company has argued that it wasn’t “contractually liable for security breaches” and that the university failed to implement many of the company’s recommendations for improving network security, according to the appeals board’s decision.
The National Defense University, which describes itself as educating “warfighters in critical thinking and the creative application of military power,” was among a number of U.S. colleges hit in a spate of cyber attacks at the time, according to the inspector general.
Although the dollar amount of the settlement is small, the inspector general said the case demonstrates the emphasis placed by its criminal investigative service on instances that “involve the compromise and theft of sensitive defense information contained in government and DoD contractor information systems.”
The investigative service “is particularly focused on cases in which contract fraud by DoD IT contractors has factored in the penetration of DoD networks or the loss of DoD information,” according to the summary.
Of 1,716 ongoing investigations by the Defense Criminal Investigative Service, 67 are related to cyber crimes and computer network intrusions, according to the watchdog office’s report.
