Last week, Bloomberg published a disturbing article about QinetiQ North America, a large federal contractor that was badly hacked by Chinese cyber-spies for three years. QinetiQ is a security technology company that works on military programs including satellites, drones, robotics, and combat helicopters. Between 2007 and 2010, a group of computer spies linked to China’s military infiltrated QinetiQ’s computers and compromised most of the company’s research.
According to the article, by 2009, the Chinese hackers had almost complete control over the computers in QinetiQ’s drone and robotics division and stole about 20 gigabytes—about 1.3 million pages—of highly sensitive military data and trade secrets. The proof in the pudding came in April 2012 when the Chinese Army unveiled a bomb disposal robot similar to QinetiQ’s model. (Reports surfaced this week that China may have also developed its first unmanned combat drone, although details about the vehicle, including whether the design might have been stolen from QinetiQ, are still sketchy.)
The article notes that the hackers were able to inflict so much damage for such a long time because the company failed to move quickly and take the necessary defensive measures. When U.S. Navy criminal investigators notified QinetiQ in December 2007 that hackers had stolen confidential data from two employees’ laptop computers, the company reacted as if the problem was limited to just the two employees. Even when the attacks continued over the next several months on other computers, QinetiQ treated them as isolated incidents and ignored warnings of vulnerabilities in its computer network security.
QinetiQ, like other large contractors, has a well-oiled revolving door. Former CIA Director George Tenet served as a director on QinetiQ’s board from 2006 to 2008. Stephen Cambone, the first undersecretary of defense for intelligence, was a senior vice president at the company from 2007 until 2012. Cambone’s hiring particularly raised eyebrows when a Pentagon office Cambone had created awarded QinetiQ a $30 million contract shortly after he joined the company.
The Bloomberg article points out that hackers have hit most of the large U.S. defense contractors in recent years and stolen some of our most sensitive national security secrets. Ironically, it was the hacking of another contractor that brought the QinetiQ hacking to light. One of the outside companies QinetiQ hired to deal with the Chinese hackers was HBGary, which readers of this blog may remember was hacked in 2011 and had thousands of pages of its internal documents posted on the Web, including company emails and reports that discussed the unfolding QinetiQ fiasco.
Another troubling aspect of this story is that QinetiQ has not yet been held accountable for the colossal failure of its computer security. The article notes that the State Department still permits QinetiQ to handle sensitive defense technology, and the government still considers the company a responsible enough vendor to continue awarding it contracts. Such leniency is uncharacteristic in cases involving the mishandling of classified information. If the government can impose a $2.8 million fine on the University of California when a Los Alamos National Lab employee walks out with a thumb drive containing sensitive data, surely the QinetiQ debacle deserves some sort of sanction.
QinetiQ did not respond to the Project On Government Oversight’s request for comment.