The need for departmental co-operation was one of the prime lessons from the 9/11 attack which governments — and the private sector — should have come away with if they want to increase IT and physical security. Several law enforcement agencies had clues about the aircraft hijackers that could have been followed up.
But a U.S. Senate report issued Wednesday suggests little has changed. The report by the Armed Services Committee said the FBI and several federal law enforcement and intelligence agencies know the IT systems of airlines and shipping companies contracted to U.S. Transportation Command — which handles the moving of armed forces personnel and cargo using military and civilian aircraft and ships — were breached 20 times in a 12-month period. TRANSCOM learned of only two of them.
The committee also said that the attackers were “associated with the Chinese government.”
The report again reinforces how attackers can get valuable information through third-party IT systems. In the case of Target department stores, the attackers went through the contractor and into Target’s systems.
The report said it is essential that potentially affected military divisions like TRANSCOM be aware of such intrusions so they can take steps to mitigate them. Instead it found “serious gaps” in intrusion reporting and information sharing that left TRANSCOM uninformed about the majority of intrusions on contractor networks.
Among the incidents cited were the theft of email, documents, user accounts, passwords and source code, flight details, PIN numbers and passwords for encrypted mail. “Multiple systems” were compromised on a commercial ship contracted by TRANSCOM. A spear-phishing email is suspected to have led to malware being put on the network of a commercial airline.
A censored version of the committee’s full report was released. It doesn’t say if sensitive military information was taken in the breaches.
The agencies — which included the Air Force, Defense Security Service and the Defense Cyber Crime Center — weren’t entirely to blame. TRANSCOM has had a cyber intrusion reporting clause for contractors since 2013, but the committee said it had gaps that could have left it uninformed.
Also, a requirement since 2010 that TRANSCOM be notified of certain security incidents had ambiguous language. Complying would require companies to know the systems on which contract-related DOD information resided, but the contractors didn’t always know exactly what to report.
“These peacetime intrusions into the networks of key defense contractors are more evidence of China’s aggressive actions in cyberspace,” Committee chair Sen. Carl Levin, D-Mich., said in a statement. “Our findings are a warning that we must do much more to protect strategically significant systems from attack and to share information about intrusions when they do occur.”