(Bloomberg) -- The Pentagon isn’t taking strong enough action to ensure that defense contractors are protecting highly technical but unclassified information from hacking, according to the top lawmakers on the Senate Armed Services Committee.
The Senate panel “has gathered information that suggests DoD is simply not doing enough to protect controlled, unclassified information,” the lawmakers, including ailing Republican Chairman John McCain and Jack Reed, the panel’s top Democrat, wrote to Defense Secretary Jim Mattis in a previously undisclosed letter obtained by Bloomberg News.
“We are concerned with existing regulations and best practices” not being followed in matters such as contracts lacking appropriate cybersecurity clauses, computer networks operating without multifactor authentication for access or strong remote-user policies, and “insufficient third-party verification of compliance with cybersecurity standards,” the lawmakers wrote last month.
The vulnerability of U.S. systems to hacking has been highlighted in recent years by incidents including attacks on banks and energy infrastructure, as well as efforts to infiltrate state election systems in 2016 and this year. Earlier this year, five pipeline operators in the U.S. said their third-party electronic communications systems were shut down by hackers. The U.S. says the biggest foreign hacking threats come from Russia, China and Iran.
Rhode Island Breach
The Senate letter was prompted by a June story in the Washington Post that disclosed China this year hacked a small contractor that worked for the Naval Undersea Warfare Center in Newport, Rhode Island, Reed’s state.
Republican Michael Rounds of South Dakota and Bill Nelson of Florida, the top senators on the committee’s cybersecurity panel, also signed the letter.
At Mattis’s request, the Pentagon’s inspector general opened an inquiry a month before the letter was sent “to determine whether DoD contractors have security controls in place to protect” department-controlled, unclassified information “maintained on their systems and networks from internal and external cyber threats,” according to a memo announcing the review.
“We will perform the audit at contractor locations” where such information is stored, processed, and transmitted, according to the memo.
The lawmakers said in their letter that “time is of the essence to do more to defend” the information as “action is needed now to improve compliance with existing regulations and best practices, as well as increase the cybersecurity standard for defense contractors, with a single DoD official in charge.”
“I can confirm receipt of the letter,” Heather Babb, spokeswoman for Pentagon Chief Information Officer Dana Deasy, said in an email. “As with all congressional correspondence, we will respond directly to authors of the letter.”
The Pentagon modified Defense Federal Acquisition Regulation Supplement (DFARS) contract clauses in 2015 to require contractors handling such data to implement the security requirements of the National Institute of Standards and Technology’s Special Publication 800-171, entitled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.”
“This action met with some resistance by industry and other non-federal entities” because the requirements “were viewed as more stringent than previous guidance issued by federal agencies in regard to protecting sensitive information on systems,” Mark Riddle, the senior program analyst on “controlled unclassified information” for the National Archives Information Security Oversight Office, said in an email.
‘Inconsistencies and Deficiencies’
The federal government adopted an interagency program in 2016 intended to standardize and strengthen protections for sensitive unclassified information. It was established “because of the inconsistencies and deficiencies and the related breaches and incidents in existing practices surrounding the protection of sensitive information” among all executive branch departments and agencies, Riddle said.
The program allowed for the phased implementation among agencies, due to their varying size, complexity and resources available, he said.
Captain Danny Hernandez, a Navy acquisition spokesman, said “we treat the broader issue of cyber intrusion against our contractors very seriously.”
Under federal regulations, “there are measures in place that require companies to notify the government when a ‘cyber incident’ has occurred that has actual or potential adverse effects on their networks that contain controlled unclassified information,” Hernandez added. “It would be inappropriate to discuss further details at this time.”