Earlier this week, Bloomberg reported that QinetiQ, a high tech defense contractor specializing in secret satellites drones and software used by U.S. special forces, was the victim of a sustained cybersecurity breach for several years starting in 2007.
According to Bloomberg, documents released in the Anonymous Stratfor hack reveal QinetiQ was compromised as part of a cyber-espionage attack originating in China — and notes the breach was part of a much broader campaign targetting U.S. contractors:
“QinetiQ’s espionage expertise didn’t keep Chinese cyber- spies from outwitting the company. In a three-year operation, hackers linked to China’s military infiltrated QinetiQ’s computers and compromised most if not all of the company’s research. At one point, they logged into the company’s network by taking advantage of a security flaw identified months earlier and never fixed [...]
QinetiQ was only one target in a broader cyberpillage. Beginning at least as early as 2007, Chinese computer spies raided the databanks of almost every major U.S. defense contractor and made off with some of the country’s most closely guarded technological secrets, according to two former Pentagon officials who asked not to be named because damage assessments of the incidents remain classified.“
U.S. intelligence reports ranked cyber threats as the top danger facing the country for the first time in April, but tensions have been running high about the government’s ability to protect digital assets and intelligence for years. A 2011 Department of Justice report noted that only 64 percent of FBI agents assigned to national security-related cyber investigations had the appropriate skills and expertise to handle those types of cases.
Government cybersecurity contracting exploded during the Bush Administration, with many roles traditionally filled by government employees or resources outsourced to external companies over whom the government has less oversight. The Obama Administration has made efforts to curb that trend, but that expansion, combined with a lack of cybersecurity expertise in the military and federal agencies, resulted in many cybersecurity defense operations being outsourced or completed under the heavy supervision of outside contractors. This has sometimes led to much much less than ideal outcomes, despite a 2011 General Services Administration (GSA) rule requiring all contractors and subcontractors that provide federal agencies with IT services, systems, or supplies to submit a cybersecurity plan that matches government regulations.
The history of breaches in contractors related to defense is particularly concerning: In 2011 RSA, a cybersecurity company with contracts with Lockheed Martin and the Department of Defense was breached — possibly contributing to a later cyberattack on Lockheed Martin. That same year, FBI cybersecurity contractor ManTech was hacked by Anonymous. Just earlier this year, Bit9, a contractor that provides network security services to the U.S. government and many Fortune 100 firms, was actually used to spread malware.
In 2012, presumably in response to evidence of breaches, the Pentagon expanded and made permanent a trial program that teamed the government with internet service providers to scan network traffic to and from defense contractors for data theft from adversaries, somewhat similar to the cybersecurity executive order President Obama signed earlier this year encouraging voluntary threat intelligence sharing for critical infrastructure.
This January the Pentagon announced it would increase its ability to conduct defensive and offensive cyber operations five-fold, several months after the President signed a secret directive reclassifying some cybersecurity actions previously classified as offensive as defensive.