Inquiry into Cyber Intrusions Affecting U.S. Transportation Command Contractors

Report of the Committee on Armed Services, United States Senate, 2nd Session
U.S. Government Printing Office, Washington

Committee on Armed Services

Carl Levin, Michigan, Chairman

Jack Reed, Rhode Island
Bill Nelson, Florida
Claire McCaskill, Missouri
Mark Udall, Colorado
Kay R. Hagan, North Carolina
Joe Manchin, West Virginia
Jeanne Shaheen, New Hampshire
Kirsten E. Gillibrand, New York
Richard Blumenthal, Connecticut
Joe Donnelly, Indiana
Mazie Hirono, Hawaii
Angus S. King Jr., Maine
Tim Kaine, Virginia

James M. Inhofe, Oklahoma
John McCain, Arizona
Jeff Sessions, Alabama
Saxby Chambliss, Georgia
Roger F. Wicker, Mississippi
Kelly Ayotte, New Hampshire
Deb Fischer, Nebraska
Lindsey Graham, South Carolina
David Vitter, Louisiana
Roy Blunt, Missouri
Mike Lee, Utah
Ted Cruz, Texas

Peter K. Levine, Staff Director
John A. Bonsell, Minority Staff Director

Investigation Team
Joseph M. Bryan, Professional Staff Member
Ozge Guzelsu, Counsel
William S. Castle, Minority General Counsel
Samantha L. Clark, Minority Counsel
Alexandra M. Hathaway, Staff Assistant

Table of Contents

List of Acronyms
Executive Summary
Conclusions of the Senate Armed Services Committee
Introduction
I. The Cyber Threat to Defense Operations
   A. Defense Intellectual Property Theft
   B. Operational Implications of Cyber Intrusions
   C. Network-Dependent Military Logistics
      1. Civil Reserve Air Fleet (CRAF)
      2. Voluntary Intermodal Sealift Agreement (VISA) program
   D. Cyber Threats to TRANSCOM
   E. Information Sharing as Key to Protecting Military Operations
   F. Cyber Information Sharing
II. SASC Inquiry
   A. Cyber Incident Reporting from TRANSCOM
      Contractors
      1. Cyber Intrusions Known to TRANSCOM Contractors
      2. Contractor-Identified Intrusions Attributed to Advanced Persistent Threat (APT) Actors
      3. Cyber Incident Reporting Clause
   B. Intra-Governmental Information Sharing
      1. Federal Bureau of Investigation
      2. Defense Security Service
      3. Air Force Office of Special Investigations
      4. Defense Cyber Crime Center
Committee Action

List of Acronyms

AFOSI - Air Force Office of Special Investigations
APT - Advanced Persistent Threat
CRAF - Civil Reserve Air Fleet
CYBERCOM - U.S. Cyber Command
DC3 - Defense Cyber Crime Center
DCHC - Defense Counterintelligence and Human Intelligence Center
DCISE - Defense Industrial Base Collaborative Information Sharing Environment
DIA - Defense Intelligence Agency
DIB CS/IA - Defense Industrial Base Cyber Security and Information Assurance
DOD - Department of Defense
DSB - Defense Science Board
DSS - Defense Security Service
FBI - Federal Bureau of Investigation
ISL - Industrial Security Letter
JPT - Joint Planning Team
LHM - Letterhead Memorandum
MDCO - Military Department Counterintelligence Investigative Organization
MOU - Memorandum of Understanding
MSP - Maritime Security Program
MVP - Mobility Value Points
NCIJTF - National Cyber Investigative Joint Task Force
NCIS - Naval Criminal Investigative Service
NDAA - National Defense Authorization Act
PLA - Chinese People's Liberation Army
SCR - Suspicious Contact Report
TRANSCOM - U.S. Transportation Command
VISA - Voluntary Intermodal Sealift Agreement

Executive Summary

"We can't stop an attack unless we can see it."
General Martin E. Dempsey, Chairman, Joint Chiefs of Staff, June 27, 2013

(U) In April 2013, the Senate Armed Services Committee initiated an inquiry into how much information was known to the U.S. Transportation Command (TRANSCOM) about successful cyber intrusions affecting command contractors. The committee focused on TRANSCOM because of the central role that the command plays in mobilization, deployment, and sustainment operations, and the critical capabilities that private
companies contribute to TRANSCOM's ability to meet military requirements in contingencies.

(U) Over the course of the inquiry, the committee reviewed information provided by TRANSCOM, 11 command contractors, the Federal Bureau of Investigation (FBI), the Defense Security Service (DSS), the Defense Cyber Crime Center (DC3), and the U.S. Air Force Office of Special Investigations (AFOSI). The committee also reviewed TRANSCOM's cyber incident reporting requirement, cyber intrusion reporting provisions included in the Fiscal Year 2013 National Defense Authorization Act (NDAA), and a number of executive branch guidelines, directives, and agreements to assess their effectiveness in promoting information sharing.

(U) The committee's inquiry identified approximately 50 successful intrusions or other cyber events[1] targeting TRANSCOM contractors between June 1, 2012 and May 30, 2013. Of those 50, at least 20 were successful intrusions into contractor networks attributed to an advanced persistent threat (APT), a term used to distinguish sophisticated cyber threats that are frequently associated with foreign governments. Of those APT-linked intrusions, TRANSCOM was made aware of only two, a troubling finding given the potential impact of cyber intrusions on defense information and operations.

Of the at least 20 successful cyber intrusions attributed to an APT, all were attributed to China.

[1] Cyber events include incidents that may not be confirmed successful intrusions, but for which the FBI determined that a victim notification was warranted.

(U) As to the reasons for TRANSCOM's lack of knowledge regarding these intrusions, the committee found gaps in requirements that result in many cyber intrusions not being reported to the command, and a lack of common understanding between TRANSCOM and its contractors as to the scope of cyber intrusions that must be reported. The committee also found that FBI and Department of Defense (DOD) components were frequently unaware that companies they had identified as victims of cyber intrusions were TRANSCOM contractors. In
addition, the inquiry revealed misperceptions about the rules governing how cyber intrusion-related information identifying a particular victim may be shared, and a lack of communication between TRANSCOM and other DOD components regarding TRANSCOM's need to know about cyber intrusions. In the end, these shortcomings left TRANSCOM uninformed about the overwhelming majority of cyber intrusions affecting contractor networks by APT actors.

I. The Cyber Threat to Defense Operations

(U) Foreign governments regularly probe DOD and private contractor computer networks to identify vulnerabilities that could allow them to compromise systems in order to steal intellectual property, collect intelligence, or establish a foothold for future exploitation. The theft through cyberspace of U.S. companies' intellectual property risks long-term damage to U.S. economic security. The damage inflicted by compromises of the defense industry goes well beyond economic impacts. As the Director of National Intelligence has said, cyber theft "is almost certainly allowing our adversaries to close the technological gap between our respective militaries, slowly neutralizing one of our key advantages in the international arena."

(U) Cyber intrusions into private sector networks also have the potential to impact military operations. The private sector plays a crucial role in force mobilization, deployment, and sustainment operations. For example, private airlines provide more than 90 percent of DOD's passenger movement capability and more than one-third of its bulk cargo capability. In addition, the overwhelming majority of DOD deployment and distribution transactions occur over unclassified networks, many of which are owned by private companies. In fact, TRANSCOM's Commander has estimated that over 90 percent of DOD deployment and distribution transactions are handled on unclassified systems.

(U) The Chinese military, for example, has identified logistics and mobilization as potential U.S. vulnerabilities given the requirements for precision in
coordinating transportation, communications, and logistics networks. In fact, Chinese military doctrine advocates targeting adversary command and control and logistics networks to impact their ability to operate during the early stages of conflict. U.S. experts on Chinese military planning have raised the prospect of China using cyber capabilities to impede U.S. force deployment in the event of a contingency.

(U) In discussing China's cyber capabilities, DOD has pointed out that the accesses and skills required for stealing information are similar to those necessary to conduct computer network attacks. As the Defense Science Board (DSB) said in its 2013 report:

   Should the United States find itself in a conflict with a peer adversary, attacks would be expected to include denial of service, data corruption, supply chain corruption, traitorous insiders, kinetic and related non-kinetic attacks at all altitudes from underwater to space. U.S. guns, missiles, and bombs may not fire, or may be directed against our own troops. Resupply, including food, water, ammunition, and fuel, may not arrive when or where needed.

(U) Peacetime compromises of operationally critical contractors could prove valuable to foreign countries such as China as a source of intelligence about network operations, or to establish a foothold in the computer networks of companies that supply crucial support to DOD operations, either of which could be exploited in a contingency.

Between 2008 and 2010, a [...] contractor was compromised by the Chinese military, who stole emails, user accounts, passwords, and even source code.

In 2009, the Chinese military compromised a [...] contractor.

In [year illegible in source], the Chinese military compromised the computer network of a Civil Reserve Air Fleet (CRAF) contractor, stealing documents, flight details, credentials, and PINs and passwords for email. That same year, the Chinese military compromised another [...] contractor.

In 2012, the Chinese military compromised multiple systems onboard a commercial ship contracted by [...] for logistics routes.
(U) In 2013, [...] reported on China's military spear-phishing campaigns targeting commercial logistics companies that support the command's operations. Also in 2013, a [...] airline was the victim of a phishing email attributed to the Chinese government, which is suspected to have led to a malware download on the airline's network.

II. Cyber Threat Information Sharing

(U) Information sharing is one key to combating cyber threats. As Chairman of the Joint Chiefs of Staff Martin Dempsey has said, "every day adversaries are injecting malware into our networks; the worst of this malware is equivalent to cyber bullets and bombs. We must share what it looks like so that we can stop it before it detonates."

(U) While TRANSCOM can monitor its own network for possible cyber intrusions, the command's knowledge of intrusions into contractor computer networks depends on reporting from the contractors themselves, other DOD components, the FBI, and other government agencies. The committee's inquiry found, however, that TRANSCOM is only aware of a small fraction of APT intrusions into its contractors. In fact, TRANSCOM was aware of only one of 11 APT intrusions detected by a subset of TRANSCOM contractors from whom the committee requested information. In addition, TRANSCOM was only aware of one of at least nine successful APT intrusions, and none of six other cyber events, targeting TRANSCOM contractor networks that were known to the U.S. government.

A. TRANSCOM Contractor Intrusion Reporting

Beginning in 2010, in what may be the first effort by a DOD component to use contract language to improve cyber intrusion information sharing, TRANSCOM began including a clause in its contracts requiring that certain cyber security incidents be reported to the command. While more than 80 companies are subject to the clause, up until August 2013 TRANSCOM had received only two cyber intrusion reports from those contractors. In order to assess how companies were complying with reporting requirements, the committee requested information from 11 TRANSCOM
contractors about cyber intrusions they experienced between January 1, 2013 and June 30, 2013, and how they determined whether or not the intrusions were reportable. The group included six Civil Reserve Air Fleet (CRAF) airlines, three shippers who are participants in the Voluntary Intermodal Sealift Agreement (VISA), and two companies that provide the command with logistics systems support services.

(U) Of the 11 contractors, eight said that they were not aware of any cyber intrusions having occurred during the period in question. That does not necessarily mean the eight contractors were not victims of a successful intrusion during that period, only that they were not aware of such an intrusion. The remaining three companies identified a total of 32 intrusions.[2] As reflected in the chart below, 11 of the 32 intrusions were associated with an advanced persistent threat (APT) actor. In describing APTs, the FBI has said the sophistication, resources, and types of information sought by APT actors suggest governmental support. All were attributed to China.

[2] One of those intrusions occurred in August 2013, which is outside the period initially covered by the committee's inquiry.

[Chart: APT intrusions known to Contractor 1, Contractor 2, Contractor 3, and TRANSCOM]

(U) Of those 11 APT intrusions, TRANSCOM was aware of only one. One reason for that was a lack of common understanding between the command and its contractors as to the scope of cyber intrusions that must be reported. In fact, none of the contractors with whom the committee discussed the issue interpreted their reporting obligation in a manner consistent with TRANSCOM's intent. In addition, TRANSCOM's contract clause limits the scope of what must be reported, only requiring companies to report intrusions into networks that are storing or communicating DOD data at the time of the compromise. That limitation could be highly problematic when, in the event of a major contingency, a contractor's ability to support defense requirements depended on the efficient functioning
of computer networks normally reserved for commercial business. A prior or preexisting compromise of such networks could be exploited to affect the contractor and, potentially, TRANSCOM operations.

B. Intra-Governmental Information Sharing

(U) Ensuring that defense contractors inform DOD about cyber intrusions into their networks is critical to mitigating cyber threats. However, that alone will not solve the problem. Timely intra-governmental information sharing about private sector network compromises is also essential, particularly when network compromises involve an APT.

(U) The committee's inquiry identified at least 20 successful intrusions or other events targeting TRANSCOM contractors that occurred between June 1, 2012 and May 31, 2013 and were known to the FBI, DSS, DC3, or AFOSI. Fifteen of those 20 were associated with an advanced persistent threat (APT) actor, and at least nine of those 15 were successful intrusions into a contractor network. TRANSCOM was aware of only one of those intrusions and none of the other events.

[Chart: APT-Attributed Intrusions / Cyber Events Known to U.S. Government, June 1, 2012 - May 31, 2013. Bars (scale 0 to 16) show suspected APT and APT events known to the FBI, DSS, TRANSCOM, and other agencies. Note: DC3 categorizes intrusions as probable or suspected APT.]

(U) The reasons TRANSCOM was unaware of those intrusions include misperceptions about the rules governing how cyber intrusion-related information may be shared, and a lack of common understanding between the command and other DOD components about what cyber information TRANSCOM needs to know.

(U) A 2011 Memorandum of Understanding (MOU) requires the Bureau to share information on cyber intrusions with DOD when an intrusion is attributed to an APT and the Bureau knows that the victim is a defense contractor. While the FBI is in the process of integrating the full list of more than 10,000 cleared DOD contractors into its information sharing database, no DOD component had provided the Bureau a list of specific operationally critical
contractors about whom they would like to be informed when they have been the victim of a cyber intrusion. On January 30, 2014, TRANSCOM provided the FBI a list of 80 companies. That list, however, included all command contractors who are subject to TRANSCOM's cyber incident reporting clause and did not identify which of the 80 are operationally critical contractors.

(U) Depending on the identity of the victimized company and whether the FBI knows which military service has a contract with the victim, the DOD recipient of that information may include DSS and AFOSI, the military department counterintelligence office responsible for TRANSCOM. In fact, of the 15 APT intrusions and other cyber events identified by the FBI, AFOSI said that it was aware of [number illegible in source]. As to DSS, while the agency said that it was aware of eight intrusions affecting victims on the FBI's list, its records were not sufficient to determine whether the actual intrusions matched those identified by the FBI, or whether DSS had been made aware of additional intrusions.

(U) The information sharing MOU requires DOD recipients of FBI information to seek the Bureau's permission in order to share FBI information outside of their organizations. The FBI did not receive a single request from a DOD agency to share information relating to the 15 APT intrusions and other events targeting TRANSCOM contractors. Neither DSS nor AFOSI identified a connection between TRANSCOM and victimized contractors on their own. Not until January 30, 2014 did TRANSCOM provide FBI and AFOSI a list of contractors about whom the command would like to be alerted when they were compromised by an APT. TRANSCOM was made aware of only one of the APT-attributed intrusions identified by the FBI.

(U) While it may receive cyber intrusion reports from the FBI, the Defense Cyber Crime Center (DC3) also receives reports of intrusions directly from companies who are members of the agency's Defense Industrial Base Cyber Security and Information Assurance (DIB CS/IA) Program. In fact, DC3 was informed of 10
successful intrusions affecting six TRANSCOM contractors who were DIB members during the period covered by the committee's inquiry. TRANSCOM, however, was aware of only one of those 10 intrusions. While DC3 does not normally share the identity of DIB members who have been victimized by a cyber intrusion, DOD has said that identity information may be shared when a national security interest is at stake. As of February 1, 2013, however, TRANSCOM had not requested that DC3 notify the command about cyber intrusions into specific operationally critical contractors. TRANSCOM did provide the FBI and AFOSI with a list of about 80 contractors on January 30, 2014, though that list did not specify which of the contractors were operationally critical.

(U) Cyber intrusions into operationally critical contractors pose a threat to defense operations. It is essential that potentially affected commands such as TRANSCOM be aware of such intrusions so that they can take steps to mitigate the threat. The committee's inquiry identified serious gaps in intrusion reporting and information sharing that left TRANSCOM uninformed about the overwhelming majority of intrusions by APT actors into the computer networks of its contractors. That is a problem that must be fixed. As General Dempsey put it, "We can't stop an attack unless we can see it."

Conclusions of the Senate Armed Services Committee

Conclusion 1: Cyber intrusions by foreign countries into the computer networks of U.S. Transportation Command (TRANSCOM) contractors pose a threat to U.S. military operations. The private sector plays a crucial role in force mobilization, deployment, and sustainment operations, and the overwhelming majority of Department of Defense deployment and distribution transactions occur over unclassified networks, many of which are owned by private companies. That reliance on the private sector is not lost on potential U.S. adversaries. For example, according to DOD, the Chinese military has identified logistics and mobilization as potential U.S. vulnerabilities given the
requirements for coordinating transportation, communications, and logistics networks. U.S. experts, meanwhile, have raised the prospect of China using cyber capabilities to impede U.S. force deployment in the event of a contingency. Peacetime cyber compromises of the networks of operationally critical contractors could prove valuable to foreign governments as a source of intelligence about network operations, or to establish a foothold in contractor networks, either of which could be exploited in a contingency.

Conclusion 2: Advanced persistent threat (APT) actors associated with the Chinese government successfully penetrated TRANSCOM contractor computer networks on more than 20 occasions during a single year. The committee's inquiry identified approximately 50 successful intrusions or other cyber events targeting TRANSCOM contractor computer networks that occurred between June 1, 2012 and May 30, 2013. Of those, at least 20 were successful intrusions attributed to an advanced persistent threat (APT), a term used to distinguish sophisticated cyber threats that are frequently associated with foreign governments. All of those APT intrusions were attributed to China. Among those companies victimized by the intrusions were operationally critical contractors, including airlines and shipping companies.

(U) Conclusion 3: TRANSCOM was unaware of the overwhelming majority of successful cyber intrusions by advanced persistent threat (APT) actors into the computer networks of its contractors. While nearly all of the at least 20 successful APT intrusions identified in the committee's inquiry were known to the Federal Bureau of Investigation (FBI), the Air Force Office of Special Investigations (AFOSI), the Defense Security Service (DSS), or the Defense Cyber Crime Center (DC3), TRANSCOM was aware of only two of those APT intrusions.

(U) Conclusion 4: Rules governing information sharing do not preclude defense agencies from informing TRANSCOM about APT cyber intrusions such as those identified in the committee's
inquiry. TRANSCOM has said that information sharing rules have at times prevented the command from learning whether one of its contractors has been the victim of a cyber intrusion. Of the at least 20 successful APT intrusions discussed in the committee's report, about half were identified by the FBI. Most of those were known to DSS, AFOSI, or both. The committee's review did not identify any rules that should have prevented those defense agencies from informing TRANSCOM of the identity of the victimized contractors. While they may have had to seek approval to do so, the committee identified no restrictions that would have otherwise prevented DSS or AFOSI from providing FBI-related victim information to TRANSCOM. Nor is the committee aware of any internal DOD policies or guidelines that would have prevented those agencies from sharing information about the cyber intrusions with TRANSCOM. DC3 learned of eight probable APT intrusions from TRANSCOM contractors during the period covered by the committee's inquiry. While agreements between DC3 and companies that participate in its cyber intrusion information sharing program restrict the dissemination of victim identities, those agreements do not preclude such sharing when national security is at stake.

(U) Conclusion 5: Prior to January 30, 2014, when the committee's inquiry was nearing completion, TRANSCOM had not identified for FBI or DOD agencies a list of contractors about whom the command would like to be alerted when an APT compromise occurred. It is important that government agencies that receive information about private sector cyber intrusions be aware when a victim of an APT-attributed intrusion is an operationally critical contractor. However, when the FBI or a DOD component acquires information identifying a U.S. company as a victim, it may not always be apparent that the company is a defense contractor. Even in cases where a victimized company is known to be a defense contractor, it may not always be easy to identify the DOD component with
which the company has a contract, or to determine whether the contractor provides a critical operational capability. That awareness would be facilitated if commands such as TRANSCOM identified contractors about whom they would like to be alerted when an APT compromise occurs. Prior to January 30, 2014, when it supplied FBI and AFOSI with a list of 80 contractors, TRANSCOM had not provided FBI or any of the defense agencies a list of contractors about whom the command would like to be alerted when an APT compromise occurred. That list, however, included all command contractors subject to TRANSCOM's cyber incident reporting requirement and did not specify which are operationally critical.

(U) Conclusion 6: TRANSCOM's cyber intrusion reporting clause and the reporting requirements contained in the Fiscal Year 2013 National Defense Authorization Act (NDAA) contain gaps that leave TRANSCOM uninformed about cyber intrusions affecting operationally critical contractors. The intent of both TRANSCOM's cyber reporting clause and the cyber incident reporting provision contained in the 2013 NDAA was to require defense contractors to report cyber intrusions impacting systems that contain or process DOD information at the time of the compromise. In the event of a major contingency, however, a contractor's ability to support defense requirements might depend on the efficient functioning of computer networks normally reserved for commercial business. A prior or preexisting compromise of a commercial network could be exploited to affect TRANSCOM operations when the contractor was called upon to support defense operations.

(U) Conclusion 7: TRANSCOM and its contractors lack a common understanding about contractual cyber incident reporting requirements. Beginning in 2010, TRANSCOM began including a clause in its contracts requiring that certain cyber security incidents be reported to the command. However, the contract language is ambiguous, and none of the contractors with whom the committee discussed the clause interpreted their
reporting obligation in a manner consistent with TRANSCOM's intent. Even if contractors shared TRANSCOM's interpretation, complying with the clause would depend on companies knowing the systems on which contract-related DOD information resides or transits. The committee found that contractors do not always know where contract-related documents and information are held, or which of their networks are used to exchange them.

Introduction

(U) Numerous government and private sector reports have identified Department of Defense (DOD) contractors as high priority targets for foreign government cyber operations. While much of the discussion about the national defense implications of that targeting has focused on the theft of DOD information, cyber intrusions pose operational risks as well. In discussing China's cyber capabilities, for example, DOD has said that the accesses and skills required for intrusions targeted at stealing information are similar to those necessary to conduct computer network attacks. Given that, it is critical that DOD be aware of cyber intrusions into contractor networks, particularly when those intrusions affect contractors on whom the department relies to meet critical military requirements in contingency situations.

(U) In April 2013, the committee initiated an inquiry into how much is known about cyber intrusions into private DOD contractors that support U.S. Transportation Command (TRANSCOM). The committee focused on TRANSCOM because of the central role that the command plays in contingency mobilization, deployment, and sustainment operations, and the critical capabilities that TRANSCOM contractors provide to meet military requirements in contingency operations.

(U) In the course of the inquiry, the committee reviewed information provided by TRANSCOM, 11 command contractors, the Federal Bureau of Investigation (FBI), the Defense Security Service (DSS), the Defense Cyber Crime Center (DC3), and the U.S. Air Force Office of Special Investigations (AFOSI). The committee also reviewed TRANSCOM's cyber incident reporting
requirement, cyber intrusion reporting provisions included in the Fiscal Year 2013 National Defense Authorization Act (NDAA), and a number of executive branch guidelines, directives, and agreements to assess their impact on cyber threat information sharing. This report describes the committee's findings.

(U) The committee's inquiry identified about 50 successful intrusions and other cyber events targeting TRANSCOM contractors between June 1, 2012 and May 30, 2013. Of those, at least 20 were successful intrusions into TRANSCOM contractor networks attributed to an advanced persistent threat (APT), a term used to distinguish sophisticated cyber threats that are frequently associated with foreign governments. Of those APT-linked intrusions, TRANSCOM was aware of only one.

(U) Part I of the report is focused on the threat that cyber intrusions pose to defense operations. The report discusses DOD's reliance on unclassified computer networks and private contractors to conduct operations, and describes intelligence assessments of the cyber threat to operations. Part I also discusses the importance of information sharing about intrusions to mitigate the cyber threat.

(U) Part II of the report discusses the committee's finding that TRANSCOM was not aware of the overwhelming majority of cyber intrusions known to have affected the sample of command contractors between June 1, 2012 and May 30, 2013. Those intrusions were known, however, to the contractors themselves, to the FBI, or to a DOD component. Part II details several factors that contributed to TRANSCOM's lack of awareness of the intrusions, including gaps in cyber intrusion reporting requirements, differences in understanding between TRANSCOM and its contractors as to the scope of cyber intrusions that must be reported, a lack of common understanding between TRANSCOM and other DOD components about what cyber information TRANSCOM needs to know, and misperceptions about the rules governing how cyber intrusion-related information that identifies a particular victim may be shared.
I. The Cyber Threat to Defense Operations

(U) Foreign governments regularly probe U.S. Department of Defense (DOD) and private contractor computer networks to identify vulnerabilities that could allow them to compromise systems and steal intellectual property, including weapons designs and other sensitive business information; collect intelligence on U.S. military capabilities and intentions; and establish a presence that could be exploited to degrade the U.S. response in the event of a contingency.

(U) The theft through cyberspace of U.S. company intellectual property risks long-term damage to U.S. economic security. The theft of defense-related information and technologies, much of which also resides with private companies, threatens to erode U.S. military technical superiority, placing national security and the safety of our troops at risk. The national security implications of cyber intrusions into private U.S. companies go beyond those related to the theft of intellectual property. Such intrusions also have the potential to adversely impact military operations.

(U) The private sector plays a crucial role in force mobilization, deployment, and sustainment operations. For example, private airlines provide more than 90 percent of DOD's passenger movement capability and more than one-third of its bulk cargo capability. In addition, the overwhelming majority of DOD deployment and distribution transactions occur over unclassified networks, many of which are owned by private companies. Private companies also play an integral role in the development of software and systems to support military logistics. These arrangements, while necessary, create vulnerabilities that could be exploited to degrade or disrupt the U.S. military's response to contingencies.

(U) Information sharing about intrusions into private sector computer networks is one key to combating such threats. As Chairman of the Joint Chiefs of Staff Martin Dempsey has said, "every day adversaries are injecting malware into our networks; the worst of this
malware is equivalent to bullets and bombs. We must share what it looks like so that we can stop it before it detonates." As General Dempsey put it, "We can't stop an attack unless we can see it."

A. Defense Intellectual Property Theft

(U) Every day, U.S. companies face an onslaught of cyber attacks targeting their intellectual property. Though it is difficult to estimate the economic losses suffered by companies who have their intellectual property stolen, General Keith B. Alexander, head of the National Security Agency and U.S. Cyber Command, has called the theft of intellectual property through cyberspace "the greatest transfer of wealth in history."[3]

(U) In March 2013, Mandiant, a company that investigates private sector cyber security breaches, published a report describing how a unit of the Chinese People's Liberation Army (PLA) had raided the computers of at least 141 different organizations, stealing technology blueprints, proprietary manufacturing processes, test results, business plans, pricing, and partnership agreements. The industries identified in the Mandiant report as being targeted by the PLA include many critical to U.S. national defense, such as information technology, aerospace and satellites, and telecommunications. In fact, companies that develop, manufacture, and sustain critical weapons and information systems for DOD are a frequent target of cyber theft, and the Mandiant report was only one among many accounts of defense industrial base companies being raided by the PLA.

[3] Statement of General Keith Alexander, American Enterprise Institute, July 9, 2012.

B. Operational Implications of Cyber Intrusions

(U) The damage inflicted by compromises of the defense industry goes well beyond economic impacts, as the theft has operational implications as well. As the Defense Science Board stated in a January 2013 report:

   The DOD and its contractor base are high priority targets that have sustained staggering losses of system design information incorporating years of combat knowledge and experience. Employing reverse engineering
techniques, adversaries can exploit weapon system technical plans for their benefit. Perhaps even more significant, they gained insight to operational concepts and system use developed from decades of US operational and developmental experience. Such information provides tremendous benefit to an adversary, shortening time for development of countermeasures by years."

(U) Likewise, the Director of National Intelligence has said that cyber theft is "almost certainly allowing our adversaries to close the technological gap between our respective militaries, slowly neutralizing one of our key advantages in the international arena."

(U) Network intrusions that enable the theft of defense information and erode our operational advantage in the long term may pose more immediate threats to defense operations. In discussing China's cyber capabilities, DOD has stated that "the accesses and skills required for intrusions [targeted at stealing information] are similar to those necessary to conduct computer network attacks." As the Defense Science Board (DSB) said in its 2013 report:

"Should the United States find itself in a full-scale conflict with a peer adversary, attacks would be expected to include denial of service, data corruption, supply chain corruption, traitorous insiders, kinetic and related non-kinetic attacks at all altitudes from underwater to space. U.S. guns, missiles, and bombs may not fire, or may be directed against our own troops. Resupply, including food, water, ammunition, and fuel may not arrive when or where needed. Military Commanders may rapidly lose trust in the information and ability to control U.S. systems and forces. Once lost, that trust is very difficult to regain."

(U) As the DSB suggests, the ability to establish a foothold in DOD or contractor computer networks could provide a valuable position from which to target operations and affect the U.S. military's ability to respond quickly or effectively in the event of a contingency.

Footnote: Mandiant, Exposing One of China's Cyber Espionage Units, February 2013, at 3.
Footnote: Id. at 24.
Footnote: See, e.g., On May 2, 2013, Bloomberg news reported on the theft by the Chinese PLA of information from a company called QinetiQ, a defense contractor. The report said the theft jeopardized the victim company's sensitive technology involving drones, satellites, the U.S. Army's combat helicopter fleet and military robotics, both already-deployed systems and those still in development. According to Bloomberg, hackers had burrowed into almost every corner of QinetiQ's U.S. operations, including production facilities and engineering labs in St. Louis, Pittsburgh, Long Beach, Mississippi, Huntsville, Alabama and Albuquerque, New Mexico, where QinetiQ engineers work on satellite-based espionage, among other projects. Michael Riley and Ben Elgin, China's Cyberspies Outwit Model for Bond's Q, Bloomberg, May 2, 2013.
Footnote: Department of Defense, Defense Science Board Task Force Report, Resilient Military Systems and the Advanced Cyber Threat, January 2013.
Footnote: James C. Clapper, US Senate Select Committee on Intelligence hearing on Current and Projected National Security Threats to the United States, March 12, 2013.
Footnote: Military and Security Developments Involving the People's Republic of China 2013, Annual Report to Congress, at 36 (emphasis added).

C. Network-Dependent Military Logistics

(U) The Department of Defense relies heavily on the private sector for logistics support. In fact, the head of U.S. Cyber Command has estimated that more than 80 percent of our logistics are transported by private companies. The overwhelming majority of that business activity takes place on unclassified networks. The Commander of U.S. Transportation Command (TRANSCOM), which provides transportation services and logistical support to DOD and the military services, has estimated that over 90 percent of DOD deployment and distribution information transactions are handled on unclassified systems. Civil Reserve Air Fleet (CRAF) and Voluntary Intermodal Sealift Agreement (VISA) programs are two examples of how DOD relies on private sector capabilities to meet military
mobilization, deployment and sustainment requirements.

1. Civil Reserve Air Fleet (CRAF)

(U) The Civil Reserve Air Fleet (CRAF) is a voluntary, cooperative program between private airlines, the Department of Transportation and TRANSCOM to augment Department of Defense airlift assets with commercial aircraft during emergencies such as war or natural disasters. In exchange for making their aircraft available for deployments of military forces or supplies during contingencies, CRAF companies are eligible to receive preference for DOD peacetime business. Approximately 30 airlines participate in the program, although that number can change from year to year. The CRAF program provides more than 90 percent of passenger movement capability and more than one-third of the bulk cargo capability.

(U) The TRANSCOM Commander can activate the CRAF program with the concurrence of the Secretary of Defense. Stage 1 activation is for regional contingencies that only require a small augmentation of the military's fleet. Stage 1 was activated during Operation Desert Shield and Operation Iraqi Freedom. Stage 2 is intended for activation in the event of a major theater war and was activated in support of Operation Desert Shield/Desert Storm. Stage 3 activation is reserved for contingencies requiring the mobilization of

Footnote: Department of Defense, Defense Science Board Task Force report, Resilient Military Systems and the Advanced Cyber Threat, January 2013.
Footnote: General Keith Alexander, Center for Strategic and International Studies, June 3, 2010, at 8.
Footnote: Hearing to receive testimony on U.S. Africa Command and U.S. Transportation Command in review of the Defense Authorization Request for Fiscal Year 2014 and the Future Years Defense Program, Prepared statement of General William M. Fraser III, Senate Armed Services Committee, March 7, 2013, at 19.
Footnote: U.S. Air Force Fact Sheet, Civil Reserve Air Fleet.
Footnote: Issues Regarding the Current and Future Use of the Civil Reserve Air Fleet, Congressional Budget Office, October 2007, at 1.
all DOD resources. A Stage 3 CRAF activation has yet to occur.

2. Voluntary Intermodal Sealift Agreement (VISA) program

(U) Similar to the CRAF program, the Voluntary Intermodal Sealift Agreement (VISA) program is a partnership between the government and private shipping companies to meet military sealift requirements. In exchange for their commitment to make ships and intermodal facilities available during contingencies, VISA participants receive preference for DOD peacetime business. DOD is extremely dependent on commercial shippers to deploy and sustain forces. According to TRANSCOM, in 2012 commercial vessels moved 95 percent of DOD dry cargoes.

(U) Like the CRAF program, VISA is activated in three stages based on military requirements and may be activated by the TRANSCOM Commander with approval of the Secretary of Defense. The majority of VISA capacity is provided by ships that are enrolled in the Maritime Security Program (MSP), which is intended to ensure that the U.S. military has access to commercial ships to meet national defense and other security requirements. The MSP provides funding to vessel operators to offset costs associated with operating under U.S. flag.

Footnote: U.S. Transportation Command, Based Upon [illegible] Block Hours, undated; U.S. Transportation Command calendar year 2011 CRAF block hours, June 24, 2013.
Footnote: U.S. Transportation Command 2012 Annual Report, at 4.
Footnote: Issues Regarding the Current and Future Use of the Civil Reserve Air Fleet, Congressional Budget Office, October 2007, at 2-3.
Footnote: Id. at 3.
Footnote: Performance Work Statement for Airlift Services in Support of the Department of Defense and the Civil Reserve Air Fleet, October 2012, at 1.
Footnote: Issues Regarding the Current and Future Use of the Civil Reserve Air Fleet, Congressional Budget Office, October 2007, at 3.
Footnote: Issues Regarding the Current and Future Use of the Civil Reserve Air Fleet, Congressional Budget Office, October 2007, at 3.
Footnote: U.S. Transportation Command 2012 Annual Report, undated, at 15.
Footnote: U.S. Department of Transportation, Maritime Administration, Voluntary Intermodal Sealift Agreement pamphlet, December 20[illegible].
Footnote: U.S. Department of Transportation, Maritime Administration, Maritime Security Program pamphlet, March 20[illegible].
Footnote: Econometrics Inc., Maritime Security Program Impact Evaluation, July 2009, at 7.

D. Cyber Threats to TRANSCOM

(U) The critical role of defense logistics in military operations and the Department's reliance on private contractors and unclassified computer networks to conduct those operations makes logistics-related networks attractive targets for cyber attacks.

(U) According to DOD, Chinese military analysts, for example, "have identified logistics and mobilization as potential U.S. vulnerabilities given the requirements for precision in coordinating transportation, communications, and logistics networks." The Department has said that Chinese military doctrine advocates targeting adversary command and control and logistics networks to impact their ability to operate during the early stages of conflict. U.S. experts on Chinese military planning raise the prospect of China using cyber capabilities to impede U.S. force deployment in the event of a contingency. TRANSCOM and private sector networks that enable command operations are logical targets.

Footnote: Office of the Secretary of Defense, Annual Report to Congress: Military Power of the People's Republic of China 2008, at 55.
Footnote: Military and Security Developments Involving the People's Republic of China 2011, Annual Report to Congress, at 3[illegible].
Footnote: James Mulvenon, PLA Computer Network Operations: Scenarios, Doctrine, Organizations, and Capability, September 2008; Martin Libicki, Chinese Use of Cyberwar as an Anti-Access Strategy: Two Scenarios, Statement before the U.S.-China Economic and Security Review Commission, [month illegible] 27, 20[illegible].

[Redacted] As mentioned above, U.S. experts on Chinese military planning suggest that China could seek to use cyber capabilities to impede U.S. force deployment in a contingency.

(U) As discussed below, while TRANSCOM mission execution depends on the ability of private sector contractors to provide critical capabilities, the command has only
limited information about successful intrusions into computer networks of its contractors.

E. Information Sharing as Key to Protecting Military Operations

(U) Chairman of the Joint Chiefs of Staff General Martin Dempsey has said "[we] can't stop an attack unless we can see it." While it is critical that the Department and the military commands monitor their own networks, it is also important that they have information about cyber intrusions into private sector networks that could impact defense operations. For example, TRANSCOM's ability to mobilize, deploy and sustain forces depends on the efficient functioning of computer networks at both the command and the private sector service providers on whom it relies.

(U) China, for one, has exhibited both the capability and intent to compromise private sector computer networks used to support TRANSCOM operations. [Redacted] reports that Chinese military cyber operations "collect against [redacted] exploiting the systems, networks, personnel and partners USTRANSCOM relies upon to accomplish assigned missions." Chinese cyber efforts target a variety of civilian institutions "largely because DOD logistics continues to integrate commercial, government, military and international partners."

(U) A failure to share information about cyber intrusions into private contractor networks can reduce DOD's ability to mitigate such intrusions and permit foreign governments to establish a presence that could be exploited to impact operations.

Footnote: Dempsey, June 27, 2013.

(U) [Redacted] intelligence reporting on China's specific efforts evidences the threat posed by cyber compromises. Between 2008 and 2010, [redacted] a USTRANSCOM contractor was compromised by the Chinese [redacted], who stole emails, documents, user accounts, passwords and even source code. [Redacted] the Chinese military compromised the computer network [redacted] documents,
flight details, credentials and personal identification numbers and passwords for email. The Chinese targeted [redacted] again later that year, exploiting [redacted]. [Redacted] the Chinese military compromised multiple systems onboard a commercial ship contracted by TRANSCOM for logistics routes [redacted], targeting commercial partners that support USTRANSCOM operations in the USCENTCOM AOR, particularly commercial sealift companies [redacted] co[mpleting?] [redacted] trucking company name [redacted]. (U) [Redacted] a CRAF airline was the victim of a phishing email which is suspected to have led to malware being downloaded. The intrusion was attributed to the Chinese government.

Footnote: U.S. Transportation Command answers to committee questions, August 13, 2013.
Footnote: U.S. Transportation Command answers to committee questions, August 13, 2013.
Footnote: U.S. Transportation Command answers to committee questions, August 13, 2013.
Footnote: Id.
Footnote: Id.

(U) These are just those intrusions of which TRANSCOM is aware. As described in Section II, between May 30, 2012 and August 15, 2013 there were at least 20 successful intrusions into TRANSCOM contractors that were attributed to advanced persistent threat actors. The term advanced persistent threat (APT) is used to distinguish sophisticated cyber threats from hackers or cyber criminals. While not limited to threats associated with foreign governments, the FBI has said the sophistication, resources and types of information sought by APT actors suggest governmental support.

F. Cyber Information Sharing

(U) While TRANSCOM can monitor its own network for possible cyber intrusions, the command's knowledge of intrusions into the computer networks of private sector service providers depends on reporting from the contractors themselves, other DOD components, the FBI and other government agencies. That information sharing is critical to remediating compromises that could impact TRANSCOM operations and strengthening network defenses to keep potential adversaries at bay.

(U) There are concerns about the amount of cyber threat information that the private sector shares with the government. According to
General Dempsey, "Right now, threat information runs primarily in one direction: from the government into the operators of critical infrastructure. Very little information flows back to the government."

(U) There have been efforts to remedy that situation:

• (U) The Defense Cyber Crime Center (DC3), a center within the Air Force's Office of Special Investigations, stood up the Defense Industrial Base Cyber Security and Information Assurance (DIB) Program. Through the DIB program, DOD contractors voluntarily report cyber intrusions they experience to DC3.

• (U) In 2010, TRANSCOM began including a clause in its contracts requiring contractors to report certain cyber intrusions. These requirements are described in more detail in Section II.

• (U) In July 2013, the Defense Security Service (DSS), a DOD component that acts as an interface between the government and cleared defense contractors, issued guidance requiring cleared defense contractors, some of which have contracts with TRANSCOM, to report certain cyber intrusions.

• (U) The Senate Armed Services Committee included a provision in the 2013 National Defense Authorization Act (NDAA) requiring cleared defense contractors to report certain cyber intrusions into their networks.

(U) These initiatives have increased the amount of information that private companies share with the government about cyber intrusions that affect private networks. However, as discussed in Section II, critical gaps remain.

(U) It is also crucial that the government agency that receives such reports shares them with the potentially affected military commands. That is particularly important when a compromise involves an advanced persistent threat such as a foreign government. Unfortunately, as discussed in Section II, intra-governmental information sharing about cyber intrusions affecting DOD contractors is lacking.

(U) Finally, it is important that the potential operational impacts of cyber intrusions into defense contractors be considered and that operational plans be adjusted, if appropriate, to mitigate the risk of a compromise affecting operations. TRANSCOM has said that the command would stand up a joint planning team (JPT) to consider the operational risk of an intrusion into a command contractor network that impacted TRANSCOM data, but would not likely stand up a JPT if TRANSCOM data were not affected by a compromise. As discussed in Section II, however, even in those cases where command data was unaffected, intrusions into the computer networks of operationally critical contractors could prove valuable to foreign governments as a source of intelligence about network operations or to establish a foothold in contractor networks, either of which could be exploited in a contingency.

Footnote: General Martin E. Dempsey, The Brookings Institution, June 27, 2013.
Footnote: In 2010, TRANSCOM began including the clause in its information technology contracts and in October 2012 began inserting the clause in its transportation contracts. U.S. TRANSCOM response to committee request for information, March 2013.
Footnote: U.S. Transportation Command emails to committee staff, January 31, 2014, February 3, 2014.

II. SASC Inquiry

(U) In April 2013, the Senate Armed Services Committee initiated an inquiry into how much information was known to the U.S. Transportation Command (TRANSCOM) about successful cyber intrusions affecting the command's contractors. In the course of the inquiry, the committee reviewed information provided by TRANSCOM itself, 11 TRANSCOM contractors, the FBI, the Defense Security Service (DSS), the Defense Cyber Crime Center (DC3), and the U.S. Air Force Office of Special Investigations.

(U) The committee also reviewed TRANSCOM's cyber incident reporting requirement, cyber intrusion reporting provisions included in the Fiscal Year 2013 National Defense Authorization Act (NDAA), and a number of executive branch guidelines, directives and agreements to assess their impact on cyber threat information sharing.

(U) With respect to contractor cyber incident reporting, the committee found a lack of
common understanding between TRANSCOM and its contractors as to the scope of cyber intrusions that must be reported. The committee also identified gaps, both in TRANSCOM's contractual reporting requirements and in the law, that leave TRANSCOM uninformed about successful compromises of contractor networks by advanced persistent threat (APT) actors, including foreign governments.

(U) As to intra-government information sharing, the committee found that TRANSCOM is frequently unaware of reports of cyber intrusions that have been identified by the government in the course of investigations or have been provided by contractors to the FBI or other DOD components. The reasons for TRANSCOM being unaware of intrusions affecting its contractors include a lack of common understanding between TRANSCOM and other DOD components about what cyber information TRANSCOM needs to know, and misperceptions about the rules governing how cyber intrusion-related information identifying a particular victim may be shared.

A. Cyber Incident Reporting from TRANSCOM Contractors

(U) In 2010, TRANSCOM began including a clause in its information technology contracts requiring contractors to report certain cyber security incidents to TRANSCOM. In October 2012, the command expanded that requirement to its transportation contracts. As of late 2012, more than 80 companies were subject to the cyber incident reporting clause as prime or subcontractors.

(U) The cyber reporting clause requires companies to report any intrusion event that affects DOD information resident on or transiting the contractor's unclassified information systems, and lists reportable cyber intrusions as those appearing to be an advanced persistent threat, intrusions involving the exfiltration, manipulation or loss of DOD data, or those allowing unauthorized access to an unclassified information system on which DOD information is resident or transiting.

Footnote: Id.
Footnote: U.S. Transportation Command list of contracts containing cyber incident reporting clause, April 30, 2013.

(U) Between October
2010, when TRANSCOM first began inserting the clause in its contracts, and August 2013, the command received only two reports of cyber intrusions directly from contractors subject to the clause.

(U) [Redacted] The first of those was a report from a commercial transportation company relating to an intrusion that impacted computers located in Africa and China. [Redacted] a contractor that supplies maritime shipping services reported that multiple computer systems had been compromised; the intrusion was [redacted]. The company that submitted the report told the committee that it advised TRANSCOM of the incident even though the intrusion did not meet the reporting threshold in the company's contract with TRANSCOM.

(U) The second of the two incidents reported to TRANSCOM affected a commercial airline that is a TRANSCOM Civil Reserve Air Fleet (CRAF) contractor. The CRAF program is described in Section I. The affected company advised the committee that the incident was not determined to be reportable under the company's contract with TRANSCOM, but that they reported it anyway out of an abundance of caution. (U) [Redacted] That intrusion was attributed to China.

(U) That only two incidents were reported by TRANSCOM contractors contrasts with reports suggesting widespread targeting of private sector computer networks, including those of defense industrial base companies.

(U) In order to assess how companies were complying with TRANSCOM's clause, the committee requested information from 11 TRANSCOM contractors who are subject to the clause about cyber intrusions they experienced in the first five months of 2013 and how they determined whether or not the intrusions were reportable. The 11 companies included six Civil Reserve Air Fleet (CRAF) contractors and three contractors who are participants in the Voluntary Intermodal Sealift Agreement (VISA) program. As discussed above, CRAF and VISA members provide essential capabilities for deploying and sustaining U.S. forces. The committee also sought information from two contractors that provide
services to support TRANSCOM logistics systems.

Footnote: U.S. Transportation Command, Cyber Security Incident Reporting Requirements, multiple dates; U.S. Transportation Command responses to committee requests for information, March 15, 2013, August 13, 2013.
Footnote: Email from TRANSCOM contractor to committee staff, December 2013.
Footnote: Email from contractor to committee staff, September [illegible], 2013.

1. Cyber Intrusions Known to TRANSCOM Contractors

(U) Of the 11 contractors from whom the committee sought information, eight said that they were not aware of any cyber intrusions affecting their networks between January 1, 2013 and June 10, 2013. The three remaining contractors, two of which provide information technology support and one of which was a CRAF contractor, identified a total of 31 intrusions during that period. The CRAF contractor also identified an additional intrusion that occurred later, in August 2013, bringing the total to 32 intrusions experienced by the three companies.

(U) One of the two information technology support contractors experienced 24 of the 32 intrusions. However, while the cyber incident reporting requirement was included in TRANSCOM's contract with the company, it was included as an option that TRANSCOM did not exercise. As a result, the company did not report any of the 24 incidents to TRANSCOM. Nor did the company evaluate the incidents to determine whether they would have been reportable had they been subject to the requirement. The company did report those intrusions deemed significant to the Defense Cyber Crime Center's (DC3) Defense Industrial Base Collaborative Information Sharing Environment (DCISE). DCISE is discussed in more detail below.

(U) The second of the two information technology support contractors identified four intrusions into their computer networks during the period in question. The company did not report any of the four intrusions to TRANSCOM. The company advised the committee that it interpreted the cyber incident reporting clause to only apply to intrusions affecting a single computer network operated by a
subcontractor, an interpretation that appears inconsistent with the reporting clause's requirements and that TRANSCOM has subsequently said was not reasonable. The company did report the intrusions to DCISE, though the company failed to do so for anywhere from four to nearly seven months after they were discovered.

(U) The CRAF contractor advised the committee that it was also the victim of four intrusions, none of which it determined were reportable under TRANSCOM's reporting clause. The company, however, reported one of the four intrusions to the Defense Security Service (DSS) and provided the same report to TRANSCOM out of an abundance of caution.

2. Contractor Identified Intrusions Attributed to Advanced Persistent Threat (APT) Actors

(U) As discussed above, foreign governments see military logistics networks and the deployment phase in contingency operations as potential U.S. vulnerabilities. As a result, it is particularly important that TRANSCOM is aware of APT intrusions into the networks of companies who enable logistics and support contingency operations.

Footnote: Committee staff meeting with U.S. TRANSCOM staff, November 25, 2013.
Footnote: Letter from contractor to Senator Carl Levin, July 2, 2013. The company reported that the incidents were mitigated, did not lead to the exfiltration or loss of data, and were isolated to a single device.
Footnote: Email from TRANSCOM contractor to committee staff, August 2, 2013; Committee staff meeting with U.S. Transportation Command, November 25, 2013.
Footnote: Contractor response to letter from Senator Carl Levin, November 7, 2013.
Footnote: Contractor responses to committee questions, July 9, 2013, September 4, 2013, September 30, 2013.

(U) As reflected in Chart 1, 11 of the 32 intrusions reported to the committee by the three contractors were determined by either DOD or the FBI to be associated with an APT threat. The remaining 21 were determined not to be associated with an APT. As discussed above, only one of the 11 intrusions associated with an APT was reported to TRANSCOM. That intrusion, however, was not determined by the victimized company to
be reportable under the cyber incident reporting clause and was only reported out of an abundance of caution.

Chart 1: APT Intrusions Detected by Subset of TRANSCOM Contractors [chart: columns for Contractor 1, Contractor 2 and Contractor 3; rows labelled "Known to ..."; values not recoverable]

(U) Of the 11 intrusions attributed to a known or suspected APT, all 11 were attributed to China.

Footnote: Email from contractor to committee staff, [month illegible] 13, 2013; Email from contractor to committee staff, September [illegible], 2013.

3. Cyber Incident Reporting Clause

(U) In addition to asking the TRANSCOM contractors to identify cyber intrusions, the committee also asked them how they determined whether or not the intrusions were reportable under the requirements of the cyber incident reporting clause contained in their contracts with TRANSCOM. The committee's analysis of contractor responses and the contract clause itself revealed that a lack of common understanding of contractor reporting obligations, the clause's limited scope, and some contractors' inability to distinguish APT from other cyber threats limit the clause's effectiveness. The discussion below focuses on the intrusions reflected in Chart 1 as having been attributed to an APT, as those intrusions pose a particular threat to defense operations.

a. Common understanding of reporting obligations is lacking

(U) In 2010, TRANSCOM began including a clause in its contracts requiring contractors to report certain cyber security incidents. The clause states:

"The contractor shall [report] suspected cyber intrusion events that affect DOD information resident on or transiting the contractor's unclassified information [systems]. Reportable cyber intrusion events include the following: (1) A cyber intrusion event appearing to be an advanced persistent threat; (2) A cyber intrusion event involving data exfiltration or manipulation or other loss of any DOD information resident on or transiting the contractor's or its subcontractors' unclassified information systems; (3) Intrusion activities that allow unauthorized access to an unclassified information system
on which DOD information is resident or transiting."

(U) While the first sentence in the clause refers to intrusions that "affect DOD information," TRANSCOM has said that it intended the clause to require contractors to report any intrusion that allows access to a system on which DOD information resides or is transiting. However, none of the contractors with whom the committee discussed the clause interpreted their reporting obligation in a manner consistent with TRANSCOM's intent.

(U) One CRAF participant advised the committee that it interpreted the clause to require reporting of intrusions into their systems only if those intrusions affected DOD information, for example through data exfiltration or corruption. Another CRAF contractor told the committee that the clause required reporting of cyber intrusions that affect nonpublic DOD information.

Footnote: U.S. Transportation Command response to committee request for information, March 15, 2013.
Footnote: U.S. Transportation Command, Cyber Security Incident Reporting Requirements, multiple dates.
Footnote: U.S. Transportation Command responses to committee request for information, September 23, 2013 (emphasis added).
Footnote: Contractor response to committee request for information, August 28, 2013.
Footnote: Contractor response to committee request for information, September 6, 2013.

(U) In any case, complying with the reporting clause depends on a contractor knowing the systems on which DOD information resides or transits. Given the extent to which information is exchanged electronically, contractors may not always know where all contract-related documents and information are held and what networks are used to exchange them. For example, one TRANSCOM prime contractor advised the committee that it subcontracted most contract tasks to another company. The prime contractor only considered intrusions into a computer network operated by that subcontractor as reportable. In response to a committee request, however, the prime contractor found that contract deliverables were produced, circulated and maintained outside of that
subcontractor network. In fact, the prime contractor found that contract-related documents were not only maintained on multiple subcontractor networks but were also maintained on the prime contractor's own systems.

(U) Setting aside the lack of common understanding between the command and its contractors about the cyber incident reporting clause, TRANSCOM's own view that reportable intrusions are limited to those that affect systems on which DOD information resides or transits leaves a critical gap.

b. Clause language limits scope of reporting

(U) With respect to intrusions attributed to an APT, TRANSCOM has said that it intended the cyber incident reporting clause to require contractors to report cyber intrusions that appear to be an APT and that affect systems on which DOD information is residing or transits. Requiring companies to report only those APT-attributed intrusions that affect systems on which DOD information is resident or transits at the time of the compromise risks the command being uninformed about intrusions that could affect future operations. For example, some commercial airlines that participate in the CRAF program may fly either no or only a small number of CRAF flights in peacetime. Such airlines are likely to retain only a relatively small amount of DOD information in the normal course, and the number of systems that information transits is likely similarly limited. Under TRANSCOM's reporting clause, an intrusion into an airline computer network that is not storing or communicating DOD data at the time of the compromise is not reportable, even if the intrusion is extensive and linked to an advanced persistent threat such as a foreign government. Meanwhile, unbeknownst to TRANSCOM, the foreign government that perpetrated the intrusion could be performing reconnaissance or establishing a foothold in the compromised contractor's network, either of which could potentially be exploited to impact defense operations.

Footnote: Contractor response to committee request for information, August 2, 2013.
Footnote: Contractor response to committee request for information, August 30, 2013.
Footnote: According to TRANSCOM, the clause is limited to DOD information residing or transiting systems "as a result of accomplishing the tasks in a company's contract." U.S. Transportation Command response to committee request for information, September 23, 2013 (emphasis added).
Footnote: U.S. Transportation Command calendar year 2011 CRAF block hours, June 24, 2013.
Footnote: While all airlines that participate in the CRAF program have some DOD information on their systems, those airlines that fly few or no CRAF flights have significantly less. Transportation Command meeting with committee staff, November 25, 2013.

(U) In the event of a major contingency requiring the activation of CRAF Stage II or III, an airline's ability to support defense requirements might depend on the efficient functioning of computer networks that are normally reserved for commercial business. A prior compromise of such networks could be exploited to affect the airline and potentially TRANSCOM operations.

(U) To illustrate the limited scope of TRANSCOM's reporting clause, the committee reviewed the clause's applicability to certain CRAF airlines.

c. Analysis of cyber reporting clause gap

(U) As discussed above, the CRAF program was established to ensure DOD access to critical airlift capabilities in contingency operations. TRANSCOM calculates Mobility Value Points (MVP) to determine the value of aircraft that individual airlines commit to the CRAF program. For example, total airline commitments to the international long-range passenger component of CRAF were valued at 9,000 MVP in calendar year 2011. The value of commitments made by individual airlines to that program ranged from zero to nearly 1,800 MVP per airline.

(U) The committee's analysis indicates that more than 57 percent of the nearly 9,000 MVP for the 2011 international long-range passenger component of CRAF were assigned to airlines whose 2011 CRAF-related business, measured by block hours flown, composed less than 0.01 percent of their
total business for that year. Because they flew few or no CRAF flights, it is likely that those companies received or retained only limited CRAF-related DOD information during that period. As discussed above, TRANSCOM's cyber incident reporting clause extends only to intrusions that affect systems on which DOD information resides or transits as a result of the company accomplishing CRAF-related tasks. As such, the number of systems implicated by the reporting clause for companies that flew few or no CRAF-related flights in 2011 was likely very small.

(U) This gap in the scope of intrusions that defense contractors are required to report is not limited to TRANSCOM's reporting clause. The information sharing provision that the committee included in the 2013 National Defense Authorization Act is similarly limited. The NDAA provision requires DOD to establish procedures requiring cleared defense contractors[85] to report when a network or information system is successfully penetrated. However, the reporting requirement applies only to networks or information systems that "contain or process information created by or for the Department of Defense with respect to which such contractor is required to apply enhanced protection."

Notes:
[83] U.S. Transportation Command paper, Calculation of Mobility Value Points, May 7, 2013.
[84] U.S. Transportation Command, Planned CRAF Fleet Data MV Point Summary, July 20, 2013.
[85] The law defines "cleared defense contractor" as a private entity granted clearance by DOD to access, receive, or store classified information for the purpose of bidding for a contract or conducting activities in support of any DOD program. There are more than 10,000 cleared defense contractors.
National Defense Authorization Act for Fiscal Year 2013, Sec. 941.

(U) While the NDAA provision can be expected to advance information sharing about cyber intrusions that result in the theft or manipulation of certain DOD information residing on contractor systems, it is not clear that it will increase contractor reporting about intrusions into
commercial networks, like those of companies in the CRAF program, that may not typically contain or process DOD information. Further, the NDAA provision limits reportable intrusions to those that affect DOD information to which a contractor is required to apply "enhanced protection." It seems unlikely that intrusions affecting information maintained by a contractor in the course of conducting its commercial business would fall within the scope of the law's reporting requirement. As described above, however, even networks that typically conduct commercial business and process little or no DOD information may be critical to military operations in the event of a contingency.

(U) The NDAA provision is further limiting in that, even when a contractor does report a cyber intrusion, it explicitly prohibits the report's dissemination outside DOD unless that dissemination is approved by the contractor that submitted the report. That prohibition could impede the efficient flow of time-sensitive information relating to cyber intrusions to other government agencies, such as the FBI or other components of the intelligence community.

d. Ability to identify Advanced Persistent Threat

(U) Among reportable events listed in TRANSCOM's cyber incident reporting clause are intrusions "appearing to be an advanced persistent threat (APT)." The contract clause defines an APT as "an extremely proficient, patient, determined, and capable adversary, including two or more adversaries working together." The committee's review found that contractors are not always able to determine whether an intrusion is APT-related or meets TRANSCOM's definition.[89]

(U) According to one TRANSCOM contractor, after reporting an intrusion to the government, the company was advised verbally by the FBI that the intrusion was APT-related. However, the contractor told the committee that it was not able to confirm that the incident met the definition of APT specified in the company's contract with TRANSCOM. Another contractor told the committee that, with respect to four intrusions it
experienced, indicators of compromise did not provide sufficient evidence to enable the company to conclude whether the attack was or was not APT-related. The Department of Defense subsequently advised the committee that the intrusions at issue were APT-related.

Notes:
Id. at Sec. 941.
U.S. Transportation Command, Cyber Security Incident Reporting Requirements, multiple dates.
[89] The same company may have an obligation to report cyber intrusions to multiple DOD components, and it is worth noting that there is no DOD-wide definition of APT. For example, the definition of APT used by one DOD component differs from that used by DC3 and TRANSCOM.
Contractor response to committee staff questions, September 30, 2013.
Email from contractor to committee staff, September 13, 2013.
Email from Office of the Secretary of Defense Legislative Affairs, November 8, 2013.

B. Information Sharing

(U) As discussed in Section I, some private sector network compromises have the potential to impact defense operations. Increasing the amount of cyber threat information that the private sector shares with the government is critical to mitigating such threats. However, improving the flow of cyber threat information from the private sector will not on its own solve the problem. Timely intra-governmental information sharing about private sector network compromises is also critical, particularly when network compromises involve an APT threat such as a foreign government.

(U) To assess the state of intra-governmental information sharing, the committee sought information from U.S. Transportation Command, the FBI, the Defense Security Service (DSS), the Defense Cyber Crime Center (DC3), and the Air Force Office of Special Investigations (AFOSI) about cyber intrusions experienced by 79 TRANSCOM contractors, how information about those intrusions was shared within the government, and how current law, agency practices, and preexisting agreements with defense contractors impact information sharing.

(U) As reflected in Chart 2, the committee found that TRANSCOM is frequently unaware of reports
of cyber intrusions that have been identified by other DOD components and government agencies. The reasons for that include a lack of common understanding between TRANSCOM and other DOD components about what cyber information TRANSCOM needs to know, and misperceptions about the rules governing how cyber intrusion-related information that identifies a particular victim may be shared.

(U) Chart 2 reflects agency responses and depicts cyber intrusions between June 1, 2012 and May 30, 2013 that affected contractors subject to TRANSCOM's cyber incident reporting clause.

[Chart 2: Intrusions / Cyber Events Known to U.S. Government, June 1, 2012 - May 31, 2013. Bar chart, y-axis 0 to 20; one "Known to ..." grouping per agency surveyed, with bars broken out by legend category: APT, Suspected APT, Other. One label reads "Known to FBI / DSS as probable or suspected APT".]

(U) Chart 2 reflects at least 20[93] successful intrusions or other cyber events[94] targeting TRANSCOM contractors over the one-year period. Of those 20, at least 15 were associated with an APT, and at least nine of those 15 were successful intrusions of a contractor network. TRANSCOM was aware of only one of those nine.[95]

1. Federal Bureau of Investigation

(U) During the course of its investigations, the FBI may learn that a U.S. company has been the victim of a cyber intrusion. In such cases, the FBI typically notifies the victimized company. If the company is a defense contractor, that notification may be coordinated with the Defense Security Service (DSS), a DOD component that acts as an interface between the government and cleared defense contractors.

Notes:
[93] The total number of intrusions known across the government cannot be determined. Though each AFOSI-identified intrusion corresponded with an FBI-identified intrusion, neither DSS nor DC3 was able to determine whether intrusions known to the FBI corresponded to intrusions of which either DSS or DC3 was aware.
[94] Cyber events include incidents that may not be confirmed successful intrusions but for which the FBI determined that a victim notification was warranted.
[95] A second intrusion was reported to
TRANSCOM by a transportation company in February 2013. The company that made the report, however, told the committee that the incident affected an affiliated company that was not among the 79 identified by the committee.

a. Cyber Intrusions of TRANSCOM Contractors Known to the FBI

(U) The committee provided the FBI a list of 79 TRANSCOM contractors and subcontractors subject to the cyber incident reporting requirement and asked the Bureau to identify how many were notified between June 1, 2012 and May 30, 2013 that they were the victim of a cyber intrusion.

(U) In response, the FBI told the committee that it notified 16 contractors on the list that they were victims of a cyber intrusion or other cyber events during the period in question.[96] The FBI notified four of those 16 companies of two discrete events each, bringing the total number of cyber intrusions or other events known to the FBI and affecting companies on the list of TRANSCOM contractors to 20.[97]

(U) Of the 16 targeted companies identified by the FBI, six were airlines, two were shipping companies, and eight were providers of technical services and other support to enable TRANSCOM operations.[98] As discussed in Section I, DOD relies on commercial airlines and shipping companies to meet military requirements in contingencies.

(U) Of the 20 total events, the FBI advised the committee that 15 appeared to be associated with an Advanced Persistent Threat (APT) actor.[99] Nine of those 15 were successful intrusions of a TRANSCOM contractor. TRANSCOM was only aware of one of those.

The FBI attributed all 15 of those APT-linked events, including all nine successful intrusions, to China.

b. FBI Information Sharing

(U) Information sharing between the FBI and DOD, including information relating to counterintelligence, counterterrorism, and foreign intelligence, is governed by a Memorandum of Understanding (MOU) signed by the Attorney General and the Secretary of Defense in 2011. An annex to that MOU that includes procedures for sharing counterintelligence information and specifically
addresses cyber threat information sharing states:

Notes:
[96] In a small number of cases, the FBI's discussions with the targeted company were initiated by the company. Letter from Federal Bureau of Investigation Assistant Director, Cyber Division, to Senator Carl Levin, August 29, 2013.
[97] U.S. Transportation Command response to committee questions, December 20, 2013.
[98] Federal Bureau of Investigation Cyber Division email to committee staff, September 16, 2013.
[99] A July 2013 FBI advisory describes APT threats: "Advanced persistent threat actors differ from common hackers or cyber criminals by conducting targeted rather than opportunistic attacks that seek precise information rather than monetary gain, more closely resembling espionage. While the activity cannot often be definitively linked to any particular nation state, the sophistication, resources, and types of information sought suggests governmental support." Federal Bureau of Investigation Cyber Division, Private Sector Advisory, July 10, 2013.
U.S. Transportation Command response to committee request, December 20, 2013.
Memorandum of Understanding between the Federal Bureau of Investigation and the Department of Defense Governing Information Sharing, Operational Coordination, and Investigative Responsibilities, signed by the Attorney General and the Secretary of Defense on June 24, 2011 and August 2, 2011, respectively.

"When investigations, including assessments, collect any information which indicates that a DOD organization, or a contractor providing services to a DOD organization, has been targeted by a foreign power using the cyber domain, the FBI will report this to DOD in accordance with the procedures identified in paragraph 5 below. The FBI shall provide information needed by DOD to effectively assess the impact of the intrusion on DOD operations and to defend against the intrusion activity. Thereafter, DOD will coordinate all investigative and operational activity with the FBI."

In cases where the FBI knows that an identified victim of a cyber
intrusion is a DOD contractor, the information sharing procedures contained in the annex state that the FBI will report DOD-related counterintelligence information to the Defense Counterintelligence and Human Intelligence Center (DCHC) and the Military Department Counterintelligence Investigative Organization (MDCO) if the specific military service affiliation is known, and to DCHC alone if it is not.[104] The Air Force is the Executive Agent for TRANSCOM, and the Air Force Office of Special Investigations (AFOSI) is the Air Force MDCO.

(U) The information sharing procedures also state that the FBI will report counterintelligence information to DCHC and the Defense Security Service (DSS) if the information pertains to a cleared DOD contractor.[106]

(U) According to DSS, there are approximately 10,000 cleared contractors. The FBI Cyber Division has said that it is in the process of integrating the full list of cleared contractors into its information-sharing database so that it will be better able to determine when an identified victim is a DOD contractor. However, even in cases where the FBI knows that a company compromised by a cyber intrusion is a defense contractor, the Bureau may not be aware which DOD component does business with the victimized contractor. No DOD component has provided the FBI with a list identifying specific operationally critical contractors about whom they would like to be informed when they are the victim of a cyber intrusion. On January

Notes:
[104] Annex B, Counterintelligence Investigative Information Sharing, to the Memorandum of Understanding between the Federal Bureau of Investigation and the Department of Defense Governing Information Sharing, Operational Coordination, and Investigative Responsibilities, signed by the Executive Assistant Director, National Security Branch, Federal Bureau of Investigation, and the Under Secretary of Defense for Intelligence on December 9, 2011 and December 7, 2011, respectively, at 4.
Id. at 5.
Executive Agent is "the Head of a DOD component to whom the Secretary of Defense
or the Deputy Secretary of Defense has assigned specific responsibilities, functions, and authorities to provide defined levels of support for operational missions, or administrative or other designated activities that involve two or more of the DOD components." Department of Defense Directive 5101.1, September 3, 2002, at 2.
[106] Annex B, Counterintelligence Investigative Information Sharing, to the Memorandum of Understanding between the Federal Bureau of Investigation and the Department of Defense Governing Information Sharing, Operational Coordination, and Investigative Responsibilities, signed by the Executive Assistant Director, National Security Branch, Federal Bureau of Investigation, and the Under Secretary of Defense for Intelligence on December 9, 2011 and December 7, 2011, respectively, at 5.
Email from Defense Security Service Office of Public and Legislative Affairs to committee staff, January (day and year illegible in source).
Committee staff meeting with Federal Bureau of Investigation Cyber Division, December 19, 2013.

30, 2014, TRANSCOM provided the FBI with a list of 80 companies. That list, however, included all command contractors who are subject to TRANSCOM's cyber incident reporting clause and did not identify which of the 80 are operationally critical contractors.

(U) The MOU annex states that the FBI will report DOD-related cyber counterintelligence investigation information to the MDCOs and DSS by notifying personnel detailed from those agencies to the National Cyber Investigative Joint Task Force (NCIJTF). The NCIJTF is the focal point for government agencies to share information about cyber threat investigations, and the FBI is the lead agency. In addition to DSS and AFOSI, several other DOD components are members of the NCIJTF, including the Naval Criminal Investigative Service (NCIS), the Defense Cyber Crime Center (DC3), U.S. Cyber Command, and the Defense Intelligence Agency (DIA).

(U) The FBI could not determine whether each of the 15 intrusions and other events targeting TRANSCOM contractors and attributed to an APT was shared with AFOSI or
DSS through the NCIJTF or other channels. However, as discussed below, while DSS was unable to determine how many of the 15 FBI-identified APT intrusions and other events it was aware of, AFOSI has said it was aware of 11. The FBI is transitioning to a new computer system called Cyber Guardian that will allow it to better record and track information about cyber intrusions. NCIJTF members have direct access to FBI cyber incident reporting through the Cyber Guardian system.

(U) The MDCOs and DCHC may share FBI counterintelligence information within their own organizations. However, the FBI-DOD MOU annex stipulates that the Bureau must approve those agencies providing that information to other DOD components. As stated above, TRANSCOM was aware of one FBI-identified intrusion, which was reported directly to the command by the contractor.

Notes:
Email from U.S. Transportation Command to committee staff, February 4, 2014.
Annex B, Counterintelligence Investigative Information Sharing, to the Memorandum of Understanding between the Federal Bureau of Investigation and the Department of Defense Governing Information Sharing, Operational Coordination, and Investigative Responsibilities, signed by the Executive Assistant Director, National Security Branch, Federal Bureau of Investigation, and the Under Secretary of Defense for Intelligence on December 9, 2011 and December 7, 2011, respectively, at 5.
FBI web site, National Cyber Investigative Joint Task Force.
Email from U.S. Air Force to committee staff, January 9, 2014. Information later provided to the committee raised the possibility that AFOSI may have been aware of one additional event. The committee was unable to confirm that.
Letter from Federal Bureau of Investigation Assistant Director, Cyber Division, to Senator Carl Levin, August 29, 2013. The FBI operates the NCIJTF, which is responsible for coordinating U.S. government information related to domestic cyber threat investigations.
Annex B, Counterintelligence Investigative Information Sharing, to the Memorandum of
Understanding between the Federal Bureau of Investigation and the Department of Defense Governing Information Sharing, Operational Coordination, and Investigative Responsibilities, signed by the Executive Assistant Director, National Security Branch, Federal Bureau of Investigation, and the Under Secretary of Defense for Intelligence on December 9, 2011 and December 7, 2011, respectively, at 5.
U.S. Transportation Command response to committee request, December 20, 2013.
Contractor email to committee staff, December 2, 2013.

(U) According to the FBI Cyber Division, neither DSS nor AFOSI requested approval to share victim identity information with TRANSCOM relating to any of the cyber intrusions affecting a TRANSCOM contractor and attributed to an APT.

2. Defense Security Service

(U) The Defense Security Service (DSS) oversees cleared defense contractor facilities to ensure that classified information is protected. In a 2013 report to Congress, DSS stated that in 2012 it began "personal outreach to the cleared contractors to emphasize the requirement to report suspicious contacts, including cyber incidents." In July 2013, DSS issued an Industrial Security Letter (ISL) describing cyber incident reporting requirements for cleared defense contractors. The ISL states: "Although this requirement is not directed to unclassified information or systems, contractors must report to [DSS] activities that otherwise meet the threshold for reporting, including activities that may have occurred on its unclassified information systems."

(U) In addition to reports of cyber intrusions that the agency receives directly from cleared defense contractors, DSS also receives reports of cyber intrusions from the FBI. As discussed above, the FBI and DSS frequently coordinate efforts to notify victims of cyber attacks that they have been compromised, and DSS is designated by the FBI-DOD information sharing MOU to receive FBI information, including information relating to cyber intrusions, if the information pertains to a cleared DOD contractor.

a. Cyber
Incidents Known to DSS

(U) As discussed above, the FBI identified 20 intrusions or other cyber events targeting 16 of 79 TRANSCOM contractors. The committee asked DSS to review those 20 events and identify how many of them the agency was aware of.

Notes:
Committee staff meeting with Federal Bureau of Investigation Cyber Division, December 19, 2013.
U.S. Department of Defense, Biennial Report to Congress on Improving Industrial Security, February 2013, at 29 (emphasis added).
The ISL states that a cyber intrusion may fall under the reporting requirements of the National Industrial Security Program Operating Manual paragraph 1-301 "regardless of the classification level of information or information system involved in the intrusion, provided that (i) the contractor has determined that the facts and circumstances of the intrusion are sufficient to qualify as 'actual, probable or possible espionage, sabotage, terrorism, or subversive activities' and (ii) these activities constitute a threat to the protection of classified information, information systems, or programs that are otherwise covered by the" (remainder of quotation illegible in source). Defense Security Service, Industrial Security Letter 2013-05, July 2, 2013 (emphasis added).
Id. (emphasis added).
Annex B, Counterintelligence Investigative Information Sharing, to the Memorandum of Understanding between the Federal Bureau of Investigation and the Department of Defense Governing Information Sharing, Operational Coordination, and Investigative Responsibilities, signed by the Executive Assistant Director, National Security Branch, Federal Bureau of Investigation, and the Under Secretary of Defense for Intelligence on December 9, 2011 and December 7, 2011, respectively, at 5.

(U) While DSS frequently coordinates with the FBI to notify victims of cyber intrusions, the agency was only able to confirm awareness of eight intrusions into FBI-identified victims during the period in question. However, DSS's records are not complete, and the agency may have been made aware of additional intrusions for which it was unable to identify records.
Further, while the eight intrusions affected companies that were among those identified by the FBI as victims of a cyber intrusion, DSS was unable to determine how many of the eight intrusions actually correspond to intrusions identified by the FBI.

(U) Of the eight confirmed intrusions DSS identified, seven were attributed to an APT. TRANSCOM was not aware of any of those seven.

All seven of the intrusions known to DSS and associated with an APT were attributed to China.

b. DSS Information Sharing

(U) DSS's charter states that the agency may disseminate reports of suspicious contacts or activities in accordance with Department of Defense Procedures Governing the Activities of DOD Intelligence Components That Affect U.S. Persons. Those procedures permit the sharing of lawfully obtained foreign intelligence information (including, for example, that a U.S. company was the victim of an APT-related cyber intrusion) outside the DOD component that collected and retained the information, provided that the recipient is reasonably believed to have a need to receive such information for the performance of a lawful governmental function and falls into one of several categories, including DOD employees that have a need to know the information.

(U) As discussed above, under the FBI-DOD Memorandum of Understanding, DSS must seek approval to share Bureau-supplied counterintelligence information, including information indicating cyber compromise of a DOD contractor, with DOD components that are not members of the NCIJTF.

Notes:
Committee staff call with Defense Security Service, November 7, 2013.
Defense Security Service response to committee staff questions, October 22, 2013.
U.S. Transportation Command response to committee request, January 9, 2014.
Committee staff call with Defense Security Service, November 6, 2013.
DSS's charter also states that the agency will "Collaborate with the DOD components, other Government departments and agencies, and cleared contractors to share threat information as part of the Defense Industrial Base Cyber
Security and Information Assurance Program." The DIB CS/IA program is operated by DC3. Department of Defense Directive 5105.42, August 3, 2010, at 4.
Department of Defense Procedures Governing the Activities of DOD Intelligence Components That Affect U.S. Persons, December 1982, at 22.
Annex B, Counterintelligence Investigative Information Sharing, to the Memorandum of Understanding between the Federal Bureau of Investigation and the Department of Defense Governing Information Sharing, Operational Coordination, and Investigative Responsibilities, signed by the Executive Assistant Director, National Security Branch, Federal Bureau of Investigation, and the Under Secretary of Defense for Intelligence on December 9, 2011 and December 7, 2011, respectively, at 5.

(U) When DSS receives a report that a cleared defense contractor's computer network has been compromised, it memorializes the incident in a suspicious contact report (SCR). It is DSS practice to share SCRs at the NCIJTF with all DOD and FBI components. As discussed above, several DOD components are members of the NCIJTF, including the Naval Criminal Investigative Service (NCIS), the Defense Cyber Crime Center (DC3), U.S. Cyber Command (CYBERCOM), and the Defense Intelligence Agency (DIA).

(U) DSS may also circulate SCRs through letterhead memoranda (LHM). LHM may be sent to the FBI and military service investigative units (e.g., AFOSI). LHM are typically prepared in DSS field offices and shared with local FBI and service investigative counterparts in the field. They are sometimes shared with counterpart headquarters offices. DSS determines which agencies should be copied on an LHM based on a number of factors, including an assessment of who has jurisdiction over the issue and which DOD component has a nexus to the victimized company through a contractual relationship or otherwise.

(U) DSS told the committee that available records indicated that the agency was aware of eight intrusions affecting TRANSCOM contractors. That number could be higher, however, as DSS records are incomplete. DSS was unable to determine how
many suspicious contact reports associated with the eight intrusions were shared at the NCIJTF. However, DSS records indicate that the agency produced letterhead memoranda for four of those eight intrusions. Three of those four LHM were sent to AFOSI. DSS records do not indicate whether the three LHMs were shared through headquarters offices or were only shared between field offices.

3. Air Force Office of Special Investigations

(U) The Air Force Office of Special Investigations (AFOSI) is the Air Force's investigative service and is responsible for criminal and counterintelligence investigations, including those related to cyber intrusions. The Air Force is also the Executive Agent for TRANSCOM. AFOSI may learn of cyber intrusions through its own investigations. According to AFOSI, the agency always notifies the FBI of such intrusions so that the Bureau can conduct victim notifications.

a. Cyber Intrusions of TRANSCOM Contractors Known to AFOSI

(U) The committee asked AFOSI to review the 20 intrusions and other cyber events targeting TRANSCOM contractors that the FBI identified and indicate how many were known to AFOSI.

Notes:
Committee staff call with Defense Security Service, November 7, 2013.
Federal Bureau of Investigation email to committee staff, November 19, 2013.
Committee staff call with Defense Security Service, November 7, 2013.
Committee staff call with Defense Security Service, November 7, 2013.
Committee staff meeting with Defense Security Service, September 26, 2013.
Committee staff call with Defense Security Service, November 7, 2013.
Committee staff meeting with Air Force Office of Special Investigations, December 3, 2013.

(U) AFOSI advised the committee that it was aware of 13 of the 20. Of those 13, 11 were attributed to an APT. TRANSCOM was aware of only one of those 11.

According to AFOSI, of the 11 intrusions and other cyber events targeting TRANSCOM contractors that were known to AFOSI and associated with an APT, (number illegible in source) were attributed to China.

b. AFOSI Information Sharing

(U) Because the Air Force is the Executive Agent for TRANSCOM, AFOSI is the
relevant military department counterintelligence organization designated by the FBI-DOD information-sharing MOU to receive information identified by the Bureau indicating that a TRANSCOM contractor was the victim of an APT-related cyber intrusion.

(U) While available FBI records do not indicate how many of the 15 intrusions and other cyber events targeting TRANSCOM contractors and attributed to an APT were shared with AFOSI, AFOSI itself reports that it was made aware of 11 of those.

(U) When AFOSI receives a report of a cyber intrusion involving a private company (such reports can come from one of several sources, including the FBI, DSS, the victimized company, or AFOSI's own investigations), the agency determines whether or not the information needs to be shared with other Air Force components based on its judgment as to the potential impact of the compromise.

(U) Under the FBI-DOD MOU, AFOSI may only share FBI information outside its organization with the FBI's approval. AFOSI must also comply with Department of Defense Procedures Governing the Activities of DOD Intelligence Components That Affect U.S. Persons. Those procedures permit the sharing of lawfully obtained foreign

Notes:
Email from U.S. Air Force to committee staff, December 23, 2013.
Email from U.S. Air Force to committee staff, January 9, 2014.
U.S. Transportation Command response to committee questions, August 13, 2013.
Committee staff call with U.S. Air Force.
Annex B, Counterintelligence Investigative Information Sharing, to the Memorandum of Understanding between the Federal Bureau of Investigation and the Department of Defense Governing Information Sharing, Operational Coordination, and Investigative Responsibilities, signed by the Executive Assistant Director, National Security Branch, Federal Bureau of Investigation, and the Under Secretary of Defense for Intelligence on December 9, 2011 and December 7, 2011, respectively, at 5.
Email from U.S. Air Force to committee staff, January 9, 2014.
Committee staff meeting with U.S. Air Force Office of Special Investigations,
December 3, 2013.
Annex B, Counterintelligence Investigative Information Sharing, to the Memorandum of Understanding between the Federal Bureau of Investigation and the Department of Defense Governing Information Sharing, Operational Coordination, and Investigative Responsibilities, signed by the Executive Assistant Director, National Security Branch, Federal Bureau of Investigation, and the Under Secretary of Defense for Intelligence on December 9, 2011 and December 7, 2011, respectively, at 5.
DSS's charter also states that the agency will "Collaborate with the DOD components, other U.S. Government departments and agencies, and cleared contractors to share threat information as part of the Defense Industrial Base

intelligence information outside the DOD component that collected and retained the information, provided that the recipient is reasonably believed to have a need to receive such information for the performance of a lawful governmental function and falls into one of several categories, including DOD employees that have a need to know the information.

(U) As discussed in Section I, computer networks that support defense logistics and mobilization are seen as potential U.S. vulnerabilities in cyberspace. However, AFOSI did not request approval to share information with TRANSCOM relating to any of the cyber intrusions the FBI identified as having affected a TRANSCOM contractor and attributed to an APT. Nor had TRANSCOM provided AFOSI with a list of operationally critical contractors or requested that it be informed about cyber intrusions of specific contractors. On January 30, 2014, TRANSCOM provided AFOSI a list of 80 companies. That list, however, included all command contractors who are subject to TRANSCOM's cyber incident reporting clause and did not identify which of the 80 are operationally critical contractors.

(U) AFOSI did not seek to share information with TRANSCOM relating to the intrusions of which it was aware. AFOSI told the committee that "investigative actions on each incident were dependent on the level of DOD nexus. In the
majority of these situations, the reporting only described spearphishing activity and did not indicate why the victim was being [illegible]. Without the clear Air Force nexus, AFOSI prioritized our investigative and operational response based on priority threats and available resources."

(U) In the end, TRANSCOM was only aware of one of the 11 APT-related intrusions and other cyber events of which AFOSI was aware.

Notes:
Cyber Security and Information Assurance Program." The DIB program is operated by DC3. Department of Defense Directive 5105.42, August 3, 2010, at 4.
Department of Defense Procedures Governing the Activities of DOD Intelligence Components That Affect U.S. Persons, December 1982, at 22.
Committee staff meeting with Federal Bureau of Investigation Cyber Division, December 19, 2013.
Email from TRANSCOM to committee staff, January 2014.
U.S. Transportation Command email to committee staff, January 31, 2014.
Spearphishing involves the use of official-looking emails tailored for sending to a targeted individual or group of individuals. The emails often use official-looking attachments that, when opened by a recipient, allow the sender to compromise the targeted victim's computer. Spearphishing emails are a common tactic of APT actors. See, e.g., Trend Micro Incorporated research paper, Spear-Phishing Email: Most Favored APT Attack Bait.
Email from U.S. Air Force to committee staff, December 23, 2013.
U.S. Transportation Command response to committee request, August 13, 2013.

4. Defense Cyber Crime Center

(U) The Defense Cyber Crime Center (DC3) is a national center within the Air Force Office of Special Investigations (AFOSI) that provides training, cyber forensics, analytics, and computer network defense to DOD and other government agencies. DC3 also operates the Defense Industrial Base Cyber Security and Information Assurance (DIB CS/IA) program. DOD contractors who are members of the DIB CS/IA program sign a Framework Agreement with DOD in which they agree to voluntarily report certain cyber intrusions they experience to the Defense Industrial Base
Collaborative Information Sharing Environment DCISE 2 in turn analyzes those reports helps develop responses and disseminates threat information derived from the reports within the government and to other participating DIB CSIIA companies As of December 2013 there were 98 companies in the D13 program a Cyber Intrusions of TRANSCOM Contractors Known to DC3 U The committee requested information from DC3 about 79 TRANSCOM contractors subject to the cyber incident reporting clause Of those 79 TRANSCOM contractors nine were members of the 018 program for at least some portion of the period between June I 2012 and May 30 2013 m During that period seven of those nine companies reported a total of 146 incidents to Among those 146 incidents were ten successful intrusions involving a network on which DOD information was stored Those ten successful intrusions impacted six companies s U Each of the six companies who were the victims of intrusions was also represented on the list of 16 companies that the FBI identi ed as having been the victim of an intrusion or other cyber event during that same period However DC3 was unable to determine whether FBI-identified incidents corresponded with incidents reported to DCS by those same companies U Eight of the 10 intrusions known to DC3 and involving a network on which DOD information was stored were determined to be probable APT intrusions The remaining two were deemed suspected TRANSCOM was aware of only one or those 10 intrusions U eight of the intrusions D03 determined to be probable APT were attributed to China 9 1 Defense industrial Base Cyber Securityiini onnation Assurance Framework Agreement undated A tenth companyjoined the program in September 20l3 Defense Cyber Crime Center response to committee staff questions October 9 mm or included as incident are successful intrusions attempts denial ofservice attacks or anomalies that a D18 member may choose to report Email from Of ce of the Secretary of Defense Legislative Affairs to 
committee staff October 22 2m 3 Defense Cyber Crime Center response to committee staff questions October 9 20l3 Email from Of ce of the Secretary of Defense Legislative Affairs to committee staff November i2 2013 The latter two intrusions were suspected of being associated with an APT but did not meet DCJ's analytical tzlarfggoid for a probable APT Defense Cyber Crime Center response to committee staff questions October 22 Email from contractor to committee staff December 2 20 I3 9 Committee staffcall with Of ce of the Secretary of Defense Legislative Affairs August 22 20 3 3 WOW U The timely sharing of information about cyber intrusions is critical for the DOD to keep pace with the evolving cyber threat environment and to ensure DOD is aware of any compromise that could impact military operations To that end the Framework Agreement states that members of the 013 CSIIA program will provide initial re arts to within 72 hours of discovery or as soon as reasonably practicable 1 The committee found however that companies do not always report intrusions consistent with the Framework Agreement In fact one TRANSCOM contractor who was member of the D13 program reported intrusions to DC3 anywhere from four to nearly seven months after the company discovered them b Framework Agreement U Under terms of the Framework Agreement contractors are required to report cyber incidents involving the compromise or potential compromise of certain unclassi ed defense information on an information system that processes stores or transmits such information If an intrusion does not involve the compromise or potential compromise of DOD information or such systems the DIB company is not obligated to report the event' In that respect the agreement contains a similar limitation to TRANSCOM's cyber incident reporting clause i e companies that may not currently store or process DOD information but on whom TRANSCOM operations depend do not have to report certain intrusions - even when those 
intrusions are associated with an APT threat c 0C3 Information Sharing U The Framework Agreement outlines the terms under which information reported by contractors may be shared outside DC3IDCISE U Under the Agreement DC3 may share information other than the identity of the victimized company with other companies who are members of the DIB and with other government agencies It states that identifying information will be maintained at DC3 to the maximum extent practicable and that such information will be made available on a need-to- know basis and upon the submission by a government agency of a written request and justi cation U According to TRANSCOM because intelligence products such as those produced from contractor reports to DCISE do not normally include the identity of the company that has been compromised it is dif cult for the command to determine whether a compromise is relevant to the TRANSCOM mission The inability to make such a determination makes it difficult for the conrmand to know when it should request the identity of a victimized company and also to justify such requests TRANSCOM advised the committee that it has not requested Defense industrial Base Cyber Securityiinfonnation Assurance Framework Agreement undated Contractor response to letter from Senator Carl Levin November 7 mm Defense Industrial Base Cyber Security lnfonnation Assurance Framework Agreement undated at 2 Defense Cyber Crime Center response to committee questions October 22 20 3 Defense Industrial Base Cyber Security Information Assurance Framework Agreement undated 32 mercenari- information from D03 that would have identi ed the identity of a company who was the victim of a cyber intrusion on U The Framework Agreement also states however that none of the restrictions on the Government s use or sharing of information in this Framework Agreement shall limit the Government s ability to conduct law enforcement or counterintelligence activities or other activities in the interest of 
national security DOD advised the committee that the exception articulated in that section of the Framework Agreement provides authority for DC3 to share the identity of a victimized company when a national security interest was at stake As of February 1 2014 TRANSCOM had not submitted a list of operationally critical contractors to DOS or requested that the command be noti ed about cyber intrusions into such companies On January 30 2014 TRANSCOM provided the sat and a list or 30 companies That list however included all command contractors who are subject to cyber incident reporting clause and did not identify which of the 80 are operationally critical contractors 3 Committee staff meeting with US Transportation Command November 25 20 3 Defense industrial Base Cyber Security information Assurance Framework Agreement undated at t2 Committee staff meeting with Defense Cyber Crime Center Of ce of the Deputy Assistant Secretary of Defense far Cyber Policy and Of ce of the Department of Defense Chief information Of cer December l6 20l3 Email from U S Transportation Command to committee staffuanuaty 3 20 I4 33 Committee Action U On Wednesday March 26 2014 by voice vote the committee adopted the report and conclusions of the inquiry into cyber intrusions affecting U S Transportation Command contractors Twenty senators were present No senator voted in the negative 34 National Security Archive Suite 701 Gelman Library The George Washington University 2130 H Street NW Washington D C 20037 Phone 202 994‐7000 Fax 202 994‐7005 nsarchiv@gwu edu