Products Known to Contain Security Vulnerabilities Bought by Department of Defense Employees

Giulio Saggin
Tuesday 28 November 2023

Printers, cameras and computers that "have been known to contain security vulnerabilities" are among $32.8 million worth of products bought by US Department of Defense (DoD) employees.

A report by the Pentagon's inspector general found that 'problematic' commercial off-the-shelf (COTS) information technology items - bought in the 2018 fiscal year by Air Force and Army employees - could be susceptible to exploitation by adversaries.

The report stated that, "Army and Air Force Government purchase card (GPC) holders purchased over 8,000 Lexmark printers ... for use on Army and Air Force networks. According to a Congressional report on supply chain vulnerabilities from China, Lexmark is a company with connections to Chinese military, nuclear, and cyberespionage programs. The National Vulnerabilities Database lists 20 cybersecurity vulnerabilities for Lexmark, including storing and transmitting sensitive network access credentials in plain text and allowing the execution of malicious code on the printer."

Also purchased were 117 GoPro cameras, "which have vulnerabilities that could allow a remote attacker access to the stored network credentials and live video streams."

China's largest computer company, Lenovo, was also mentioned in the report. Despite known cybersecurity risks, the DoD has not banned Lenovo products: the Army listed 195 Lenovo products it had bought, and the Air Force 1,378.

The State Department banned the use of Lenovo computers (on its classified networks) in 2006. In recent years, the Department of Homeland Security (2015) issued warnings related to "pre-installed spyware and other cybersecurity vulnerabilities identified in Lenovo computers", while in 2016 the Joint Chiefs of Staff Intelligence Directorate issued a warning that "Lenovo computers and handheld devices could introduce compromised hardware into the DoD supply chain."

The report found that the DoD "did not develop controls to prevent the purchase of COTS information technology items with cybersecurity risks", and recommended that the Secretary of Defense direct an organization or group to develop a:

a. Risk-based approach to prioritize commercial off-the-shelf items for further evaluation.

b. Process to test high-risk commercial off-the-shelf items.

c. Process to prohibit the purchase and use of high-risk commercial off-the-shelf items, when necessary, until mitigation strategies can limit the risk to an acceptable level.
