Earlier this week, Bloomberg reported that QinetiQ, a high tech defense contractor specializing in secret satellites drones and software used by U.S. special forces, was the victim of a sustained cybersecurity breach for several years starting in 2007.
According to Bloomberg, documents released in the Anonymous Stratfor hack reveal QinetiQ was compromised as part of a cyber-espionage attack originating in China — and notes the breach was part of a much broader campaign targetting U.S. contractors:
“QinetiQ’s espionage expertise didn’t keep Chinese cyber- spies from outwitting the company. In a three-year operation, hackers linked to China’s military infiltrated QinetiQ’s computers and compromised most if not all of the company’s research. At one point, they logged into the company’s network by taking advantage of a security flaw identified months earlier and never fixed [...]
QinetiQ was only one target in a broader cyberpillage. Beginning at least as early as 2007, Chinese computer spies raided the databanks of almost every major U.S. defense contractor and made off with some of the country’s most closely guarded technological secrets, according to two former Pentagon officials who asked not to be named because damage assessments of the incidents remain classified.“
U.S. intelligence reports ranked cyber threats as the top danger facing the country for the first time in April, but tensions have been running high about the government’s ability to protect digital assets and intelligence for years. A 2011 Department of Justice report noted that only 64 percent of FBI agents assigned to national security-related cyber investigations had the appropriate skills and expertise to handle those types of cases.
Government cybersecurity contracting exploded during the Bush Administration, with many roles traditionally filled by government employees or resources outsourced to external companies over whom the government has less oversight. The Obama Administration has made efforts to curb that trend, but that expansion, combined with a lack of cybersecurity expertise in the military and federal agencies, resulted in many cybersecurity defense operations being outsourced or completed under the heavy supervision of outside contractors. This has sometimes led to much much less than ideal results”>less than ideal outcomes, despite a 2011 General Services Administration (GSA) rule requiring all contractors and subcontractors that provide federal agencies with IT services, systems, or supplies to submit a cybersecurity plan that matches government regulations.