Department of Defense Continues to Buy Products it Knows Have Cybersecurity Vulnerabilities

August 5, 2019 – Emma Sullivan

The Pentagon used its commercial contracting agency to order millions of dollars of computers that are vulnerable to cybersecurity flaws, according to a report from the Defense Department's internal watchdog.

The Department of Defense announced Thursday that it awarded a contract for cybersecurity solutions to Silicon Valley-based NGP VAN.

The two-year contract cost $6.5 million, and it includes a one-year renewal option for $7.5 million. The Pentagon did not immediately respond to a request for comment on whether it was aware of any of NGP VAN's flaws before the contract.

The Risk of Going to The Cloud

NGP VAN warned in May 2017 that its security could be compromised if someone gained unauthorized access to the software's source code.

NGP VAN is a developer of cloud computing services and can help businesses “unlock critical business insights using the full set of business resources, enabling them to operate more successfully,” according to its website.

In a contract document, the Defense Department said the vendor's cybersecurity services, such as “behind-the-scenes monitoring, automated testing, secure configuration and incident management tools, secure support services, secure automations, and incident response, will monitor at-risk systems and services for behavior and their associated activities.”

The company sells to the Defense Department's Office of the Assistant Secretary of Defense for Intelligence, so it's not clear how or why the NGP VAN system was chosen over others.

A Shady History

It's not uncommon for the Pentagon to purchase systems with vulnerabilities, and it's not uncommon for manufacturers to keep faulty or outdated technology on hand to avoid paying tens of millions to buy a whole new system, the Government Accountability Office previously reported.

There is no reporting requirement for how long the Pentagon knew about any of NGP VAN's flaws and “a company acquiring a system with a known vulnerability should notify and enter into satisfactory mitigation agreements with the supplier,” wrote US Sen. Dick Durbin, a member of the Senate Committee on Veterans' Affairs, in a June letter to Pentagon Deputy Secretary Patrick Shanahan.

“We found that by and large, the Defense Department intends to do everything it can to be as proactive as possible with respect to cyber risks posed by its civilian employees, but it's not clear how far it can go considering the sheer volume of documents it maintains and the cost required to protect this information,” Durbin said.

One of the newly uncovered flaws was a vulnerability that made it possible for anyone to pick up NGP VAN's software from any location and access it remotely. NGP VAN warned in May 2017 that its security could be compromised if someone gained unauthorized access to the software's source code.

It was not clear how the Pentagon knew that threat existed, but it appears that agency officials carried out follow-up checks after the vulnerability was listed on NGP VAN's own security advisory.

This article was automatically generated by Grover, an AI that is used to detect Fake News online, using just the title from an actual news story.
