WASHINGTON — Pentagon Comptroller David Norquist warned government contractors Monday that the first agencywide financial audit might reveal “a laundry list” of cybersecurity problems.
Auditors will examine the massive agency’s business systems and cybersecurity procedures to determine whether a hacker can breach them, Norquist told an industry audience at the Vision Federal Market Forecast Conference.
“If you fielded one of those systems that is vulnerable to cyber intrusions, that is filled with errors in the way it is set up, we need to talk,” Norquist said, "because you’re one of the reasons we’re not passing the audit, and we need you to fix it.”
The audit will bring tough conversations and business opportunities for innovators, Norquist said.
“You can be part of the group that helps us come up with solutions, you can help your clients and your government organizations fix those problems so they’re not hanging around, getting beaten up,” he said.
Pentagon officials have acknowledged for years that the department, the military services and defense contractors are under persistent cyber probes and attacks, including from state actors seeking to steal data to gain an economic or technological advantage.
U.S. officials have repeatedly accused Russia and China of using cyberattacks to breach government and commercial networks and systems.
“If they’re into your logistics system, if they’re into payroll system, if they’re [into] your property systems, there are other things they can do that affect operations — that affect your business that are vastly more destructive — potentially privacy data,” Norquist said. “We want to close those doors. We want to know those weaknesses so we can fix it.”
Norquist suggested he was looking for that corrective action to happen quickly. If a problem is found, the auditors will return the following March to check again, he said.
“If you’re fielding a system and it’s not compliant, we will know it all along the way, not simply as it gets to the end,” Norquist said.
The comments came just weeks after the Government Accountability Office found that U.S. weapons programs are vulnerable to cyberattacks and that the Pentagon has been slow to protect the systems that are increasingly reliant on computer networks and software.
In that audit, testers — using simple tools and techniques — were able to take control of computer terminals and see what the operators were seeing in real time. Another team was able to send a pop-up message to the computer terminals "instructing them to insert two quarters to continue operating." The teams were also able to copy, change and delete data.
Asked whether the public airing of problems could create the perception of Pentagon mismanagement and hurt support for defense spending overall, Norquist acknowledged that as “a legitimate concern.” The agencywide financial audit launched last December will bring unpleasant surprises, he said, adding: “I would rather them find them.”
“We’re going to find them and now were going to fix them,” Norquist said. “Our commitment is to be good stewards of the taxpayers' money.”
Separately, Norquist was asked about the Pentagon’s new plans to build two fiscal 2020 budgets — one based on $733 billion for national defense, as planned, and another at $700 billion, based on recent remarks from President Donald Trump. He demurred, however, suggesting he would internally present his position.
Joe Gould is senior Pentagon reporter for Defense News, covering the intersection of national security policy, politics and the defense industry.