After hacks, Transcom to require contractors to report data breaches

After being kept largely in the dark as suspected Chinese hackers spent a year breaking into the networks of some of its contractors, the U.S . Transportation Command will now require its contractors to report any suspected breaches.

The Senate Armed Services Committee released a report Sept. 17 saying that at least 20 successful hacks were committed against airline, IT and shipping companies between June 2013 and May 2014.* The Transportation Command was told of only two of them.

As a result of that report and the investigation that preceded it, the command will now contractually require its vendors to report breaches, Air Force Gen. Paul Selva, who leads the command, told Bloomberg.

In all, there were about 50 hacks or other cyber incidents within that year-long period, according to the report. At least 20 were successful intrusions resulting from an advanced persistent threat, and all of them were traced to China. An advanced persistent threat has a somewhat nebulous definition (some security experts frown on using the term at all) but it has been applied to a sophisticated, organized attack aimed at stealing information, or, in another sense, an attacker with the expertise and resources to carry out sophisticated attacks.

The hacks could have exposed sensitive information on the movement of troops and equipment, potentially disrupting military operations. Transcom handles logistics for the military and makes liberal use of private-sector services. More than 90 percent of personnel movement is handled by private airlines and more than one-third of bulk cargo is shipped via private companies, according to the report.

The lack of information sharing was as much a focus of the Senate committee as the hacks themselves, with Sen. James Inhofe (R-Okla.) calling for the creation of a central clearinghouse for reporting cyber incidents, Reuters reported.

Currently, security breach notification laws vary by state. All but a handful require notification if a breach results in the loss of personal information, but the laws don’t require reporting for every kind of breach. Although several bills containing notification requirements have been introduced in Congress, there is no federal law as yet.

Contractors are a frequent target of hackers, particularly those working for nation-states, because their network defenses presumably aren’t as tight as those of military organizations. And in some fields, industry holds military technology secrets that other nations would find valuable. In July, the Justice Department arrested a Chinese businessman and charged him with working with two hackers between 2009 and 2013 to steal secrets on Boeing’s F-35 fighter, the military’s most expensive weapons program. China this year unveiled a new stealth jet that’s remarkably similar to the F-35. 

The businessman, Su Bin, was the sixth Chinese national charged by Justice, though the first actually taken into custody. In May, Justice filed cyber espionage charges against five officers in a unit of the Third Department of the People’s Liberation Army—the equivalent of the National Security Agency—in relation to cyber attacks on the nuclear power, metals and solar power industries. Researchers for the security company CrowdStrike a month later reported they had traced a series of other attacks involving U.S. and European defense, satellite and aerospace industries to another PLA hacking unit.

The Senate investigation, meanwhile, found that the Chinese military had hacked into a Transcom contractor‘s network between 2008 and 2010 and gained access to “emails, documents, user passwords and computer code," according to the report. A separate intrusion in 2012 compromised the systems aboard a commercial ship contracted by Transcom.

* This article has been updated to correct the dates of the attacks, which lasted until May 2014, not May 2013.