Procurement conundrum | What's inside the box?
DOD must ensure IT is secure, no matter where it comes from
- By Dawn S. Onley
- Aug 17, 2006
When the State Department purchased 16,000 ThinkCentre desktop computers earlier this year from a company partially owned by the Chinese government, critics warned of the potential risks to national security.
After State announced the deal with Lenovo Corp., fear ran rampant in some circles, most notably on Capitol Hill, that the Chinese government could bug computer systems with spyware and begin collecting critical intelligence. Suspicions were eased somewhat, though not altogether, when State agreed to not use any of the computers on its classified network, which connects U.S. embassies and consulates.
'This decision would have had dire consequences for our national security, potentially jeopardizing our investment in a secure IT infrastructure,' said Rep. Frank Wolf (R-Va.), chairman of the Appropriations Subcommittee on Science, State, Justice and Commerce, and Related Agencies. 'It is no secret, and becoming more obvious, hopefully, to the U.S. Congress ... that the United States is a principal target of Chinese intelligence services.'
That's not news to many in the Defense Department.
As DOD outsources much of its network operations and security work to Defense contractors, and as attempted cyber-attacks and intrusions from nation-states are expected to rise, the potential grows that adversaries could not only develop some of the equipment the military buys, but write code that runs that equipment.Looking offshore
'I think there's concern over anything that's built offshore,' said Navy Rear Adm. Elizabeth Hight, deputy director of DOD's Joint Task Force for Global Network Operations. 'I wouldn't direct it towards China, or India or any other area of the world. Capabilities that are built offshore that you don't have control over pose a particular concern, and you have to take that into account when you develop your risk equation.'
Northrop Grumman Corp. provides network security worldwide for the Army and Marine Corps. Additionally, the company secures most of the Air Force networks in Europe and the United States.
How would DOD know, for example, if Northrop decided to subcontract some of its network security work to a company headquartered in a country that is unfriendly to the United States?
It wouldn't, necessarily.
John Stack, enterprise architecture and security solutions manager for Northrop Grumman Information Technology's Defense Group of McLean, Va., acknowledged the potential risks inherent in some of DOD's procurement processes.
'If we buy security tools and security devices, or any kind of hardware that was built in a foreign country, we have to be careful that there could be bugs in it,' Stack said.
That's why equipment testing and certification'offered by the Joint Interoperability Test Command and the DOD Information Assurance Certification and Accreditation Process'remain vital components in the procurement chain, Stack added.
Much of it boils down to common sense, said David Minton, a former Navy program engineer for command, control, communications and computers who now works as chief scientist at Planning Systems Inc. of Reston, Va.
'We know, for example, that there are rules regarding outsourcing, and rules regarding trade and rules regarding who we can get what from,' Minton said. 'As far as outsourcing goes, I think the DOD business is just like any other business: Some things can be outsourced and some things can't.'
But Minton concedes the rules can get tricky. For example, in previous 'Buy America' requirements, Congress has mandated that half of all work on DOD contracts be performed in the United States, although there is an annual DOD Appropriation Act exemption from the provisions for IT.
'There's a lot of misunderstanding of what you're talking about when you talk about software,' said Minton, who also works as chief engineer at the Worldwide Consortium for the Grid, an initiative sponsored by the Office of the Secretary of Defense. 'Oracle [Corp.] and Microsoft [Corp.], they are American companies, but are their products American?' Minton asked.
Increasingly, foreign companies are manufacturing integrated-circuit components, said Donavan Lewis, who heads the Defense Intelligence Agency's counterintelligence division, at a Defense conference in Salt Lake City in May.
'The shift from United States to foreign IC [integrated circuit] manufacture ... opens the possibility that Trojan horses and other unauthorized design inclusions may appear in unclassified integrated circuits ... in military applications,' Lewis said, quoting from a February 2005 report by the Defense Science Board Task Force on High Performance Microchip Supply.
DOD's Hight said standardized procurement practices are giving Defense procurement officials better visibility into its products and who the department does business with.Doubts expressed
James Gilmore III, a former Virginia governor, is not convinced that the Defense Department or Congress has even proven that buying from foreign countries poses an increased threat to network security.
'I would like to see a report that says there is an actual threat there,' said Gilmore, who currently chairs Kelley Drye Collier Shannon's Homeland Security Practice Group, a Washington law firm. 'Before that law passes and restricts us [from buying] overseas, I'd like to understand the nature of the threat.'
The U.S.-China Economic and Security Review Commission first raised concerns with Rep. Wolf over State's planned computer purchases. The commission also raised a red flag when IBM sold its PC business to Lenovo in 2005, but ultimately the Treasury Department's Committee on Foreign Investment in the United States approved the sale.
Wolf has since announced that State now is making changes in how it procures and tracks ownership changes in IT equipment manufacturers.
Likewise, Minton says DOD has always monitored whom it was doing business with and would likely increase that tracking as companies globalize.
'That would be kind of our first defense-in-depth mechanism,' Minton said. 'We've just got to be careful and pay attention to who's doing what. In certain cases, when we need to develop American, that's what we do.'