China Hacks Expose Communications Flaw
Military, Contractors Construe Breach Reporting Rules Differently
What's as disturbing as the news of the Chinese hacking U.S. defense contractors' systems, revealed in a new Senate report, is that the contractors failed to notify the military of most of those intrusions. Why so? The military and contractors don't interpret contract provisions dealing with breaches the same way.
Most of the publicity arising from the release of the Senate Armed Services Committee report focused on the Chinese hacking critical systems - so, what else is new? But a big takeaway from the study, Inquiry Into Cyber Intrusions Affecting U.S. Transportation Command Contractors, is the failure of military contractors to share cyberthreat information with the Transportation Command, known as Transcom, a unified combatant command that provides transportation and logistics services to the U.S. military.
Information sharing is a hot topic these days, but what good is information sharing if parties can't agree on what information is to be shared? Sometimes, it seems that the contractors and government don't speak the same language, interpreting specific provisions in contracts differently.
"The contract language is ambiguous and none of the contractors with whom the committee discussed the clause interpreted their reporting obligation in a manner consistent with Transcom's intent," the report says.
Source of Confusion
Here's how Senate investigators determined the confusion occurred:
Transcom required its contractors to report intrusions that "affect DoD information." To Transcom, that means contractors must report any intrusion that allows access to a system on which DoD information resides or is in transit. But none of the contractors the committee investigators interviewed interpreted the clause that way.
One contractor, a civilian airline that ferries troops and equipment during a crisis, told investigators that it interpreted the clause to require reporting of intrusions into its systems only if those attacks affected DoD data, for example, through data exfiltration or corruption. Another civilian airline said it interpreted the clause to mean only intrusions that affected nonpublic DoD information.
"Setting aside the lack of common understanding between the command and its contractors about the cyber-incident reporting clause, Transcom's own view that reportable intrusions are limited to those that affect systems on which DoD information resides or transit leaves a critical gap," the report says.
More Protection Needed
Senate Armed Services Committee Chairman Carl Levin, D-Mich., says military divisions must improve the way they communicate cyber-vulnerabilities to other government agencies, including the FBI, as well as to their contractors. "Our findings are a warning that we must do much more to protect strategically significant systems from attack and to share information about intrusions when they do occur," he says.
The panel blamed the lack of contractor cyber-incident reporting on common misunderstandings between contractors and Transcom about the scope of cyber-intrusions that must be reported. Transcom's obliviousness to some intrusions was due to confusion about the rules governing how cyber-related information may be shared and a lack of common understanding between the command and other DoD components about what cyber-information Transcom needs to know.
"It is essential that we put into place a central clearinghouse that makes it easy for critical contractors, particularly those that are small businesses, to report suspicious cyber activity without adding a burden to their mission support operations," says Sen. Inhofe, R-Okla., the committee's ranking member.
Committee investigators spent a year, ending in March, investigating the breaches and discovered that in a 12-month period beginning June 1, 2012, there were about 50 intrusions or other cyber-events into the computer networks of Transcom contractors. Investigators attributed at least 20 of those successful intrusions to an advanced persistent threat.
Assaults Originated in China
Investigators attributed the 20 APT intrusions to China. Among the investigation's findings was evidence of:
- A Chinese military intrusion into a Transcom contractor between 2008 and 2010 that compromised e-mails, documents, user passwords and computer code.
- A 2010 intrusion by the Chinese military into the network of an air-carrier contractor in which documents, flight details, credentials and passwords for encrypted e-mail were stolen.
- A 2012 Chinese military intrusion into multiple systems onboard a commercial ship contracted by Transcom.
Investigators found significant gaps in sharing cyber-intrusion information, according to the committee report. For example, while the FBI or DoD were aware of at least nine successful intrusions by China into Transcom contractors, Transcom was made aware of only two of them.
The senators inserted a provision in the bill that funds Defense Department operations, the National Defense Authorization Act for Fiscal Year 2015, that directs the DoD to improve the way the department disseminates information about cyber-intrusions into the computer network of operationally critical contractors. Committee leaders hope that the proviso in the measure now before the full Senate will help resolve the communications gap that exists between agencies such as Transcom and military contractors.
As Inhofe says, "We must ensure that cyber-intrusions cannot disrupt our mission readiness." Indeed.