After two incidents involving companies collecting troops’ data and possibility making it available to adversaries, the Defense Department still doesn’t have a definitive policy on using foreign technology.
The best the Pentagon could muster in the wake of security concerns about Chinese electronic manufacturers ZTE and Huawei and the earlier publication of troop locations by fitness tracking company Strava is a memo reminding troops to “stay vigilant.”
Defense Secretary Jim Mattis released a memo June 21 reminding troops to “Be Alert!”
“The potential consequences of compromised data could be serious, not just for you and your families, but for the readiness and resiliency of this department,” the memo stated.
The memo harkens back to other warnings to troops this year about being careful about what kinds of electronics they buy and how they use them.
DoD stopped selling ZTE and Huawei products at some exchanges, but did not outright ban the electronics.
Meanwhile, lawmakers are concerned about the lack of policy and movement coming from the Trump administration amid threats to the supply chain.
“It was shocking how disorganized, unprepared, and quite frankly, utterly clueless the branch of the military was that had been breached. Even in this day and age, we still have not figured out how to put together a cyber policy to protect our assets. In particular, with our defense contractors, who we work with, who store our data, but don’t have adequate protection. But even within the DOD, we don’t have a clear, cohesive policy,” Ranking Member of the House Armed Services Committee Adam Smith (D-Wash.) said during a June 22 hearing on military technology.
Committee Chairman Mac Thornberry (R-Texas) agreed with his colleague from across the aisle. Quoting a study from DoD, Thornberry said: “The U.S. does not have a comprehensive policy or the tools to address this massive technology transfer to China, and the U.S. government does not have a holistic view of how fast this technology transfer is occurring, the level of Chinese investment in U.S. technology, or what technologies we should be protecting.”
Concerns about China putting cyber-theft devices in products abound, but the administration has pulled back from banning sales of ZTE or Huawei.
President Donald Trump lifted a ban barring U.S. companies from doing business with ZTE. The move was used to work with China before the summit with North Korea.
But bipartisan contingents of lawmakers are pushing back.
“We strongly believe that the April sanctions order — which would have threatened ZTE’s survival — should not be used as a bargaining chip in negotiations with China on unrelated matters,” Sens. Mark Warner (D-Va.) and Marco Rubio (R-Fla.) wrote in a June 26 letter to the president. “The Senate and the U.S. Intelligence Community are in agreement that ZTE poses a significant threat to our national security.”
The Senate 2019 defense authorization bill codifies the ban into law. The bill prohibits DoD from procuring or obtaining goods from ZTE and prohibits the department from entering into, renewing or extending a contract with the company.
“The provision undermines the very purpose of the relevant export control regulations — which is to coerce non-compliant parties to stop engaging in behavior contrary to the national security interests of the United States,” it said in a statement.
The House voted June 26 to strengthen foreign investment rules to prevent the expansion of Chinese telecommunication companies in the U.S.
What DoD is doing
DoD said it is working to protect itself from Chinese cyber infiltration.
Principal Deputy Undersecretary of Defense for Intelligence Kari Bingen told the House Armed Services Committee DoD is using four lines of effort to secure cyber vulnerabilities.
“It is no longer sufficient to only consider cost, schedule and performance when acquiring defense capabilities. We must establish security as a fourth pillar in defense acquisition and, also, create incentives for industry to embrace security, not as a cost burden, but as a major factor in their competitiveness for U.S. government business,” Bingen said.
She added that DoD’s Defense Security Service is implementing a more comprehensive approach to industrial and information security. The department is developing a program protection plan to cover controlled unclassified information to do that.
DoD is establishing a pilot program to enhance information sharing with defense contractors and is also bettering counterintelligence capabilities to better understand and address nontraditional collection methods used by rivals.