More than 20 incidents of cyber-espionage affected government contractors providing transportation services to the U.S. military, an investigation by the U.S. Senate Armed Services Committee found, according to a recently declassified report.
The incidents, which occurred between 2008 and 2013, targeted logistics companies, providers of civilian air services and commercial shipping lines that provide services to the military, according to the report.
While the investigation found that the transportation contractors suffered at least 50 different cyber-attacks, only about 20 of the incidents could be considered advanced persistent threats (APT)—long-term espionage or sabotage operations typically managed or sponsored by a national government.
The previously classified report, published in redacted form on Sept. 17, attributed all of the targeted attacks to the Chinese military.
“These peacetime intrusions into the networks of key defense contractors are more evidence of China’s aggressive actions in cyberspace,” Senator Carl Levin, D-Mich., the committee’s chairman, said in a statement announcing the release of the report. “Our findings are a warning that we must do much more to protect strategically significant systems from attack and to share information about intrusions when they do occur.”
Espionage operations targeting nation-state interests across the Internet are becoming increasingly common. Many espionage networks have apparent links to China, targeting the nation’s strategic interests and using Internet addresses linked to the country, but Russia and other nations have targeted U.S. systems as well. The United States conducts its own operations, cooperating with Israel on sabotaging Iran’s nuclear program with the Stuxnet computer worm and using a variety of software and hardware “implants” to monitor targets of interest, according to documents leaked by former National Security Agency contractor Edward Snowden.
Such attacks have resulted in little diplomatic fallout, while providing information on political and business interests and, at the same time, honing operatives’ skills.
On the defensive side, however, the report underscores that government agencies rarely share information about cyber-threats and attacks. Over a 12-month reporting period from June 2012 to May 2013, at least 20 attacks targeted transportation contractors, according to data from the FBI, the Department of Defense Cyber Crime Center (DC3), the Defense Security Service, and the Air Force Office of Special Investigations. Yet, each agency only knew about some of the attacks: the FBI had information on 15 of the attacks, the DC3 knew about 10, and the U.S. Transportation Command only a single incident.
Before 2010, the Department of Defense did not require that transportation contractors notify the Pentagon of network breaches. Now, more than 80 companies must report cyber-attacks to the U.S. Transportation Command. Yet, prior to the committee’s inquiry, the Transportation Command had only been informed of two of the advanced intrusions.
The problem has been highlighted by policymakers and business leaders. Following the investigation, the committee added language to the National Defense Authorization Act for Fiscal Year 2015 that would direct the Secretary of Defense to create requirements for critical contractors to report successful cyber-attacks to the U.S. government.