IBM settles with Pentagon over long-disputed hacking allegation

WASHINGTON (July 9): An 11-year-old Pentagon case against International Business Machines Corp (IBM) ended quietly in October when it agreed to pay the government US$900,000 (RM3.83 million) to settle claims involving hacking attacks on the National Defense University (NDU) that began in 2006.

“It was alleged that IBM submitted false claims for the information technology services that it provided NDU,” the Defense Department’s inspector-general said, disclosing the settlement in its latest semi-annual report. “IBM allegedly did not fulfil its contractual obligations to provide substantial network security services” under an Army contract that began in 2003.

The Defense Department had initially sought to recover US$9 million. IBM filed a motion to dismiss the case that was denied in March 2018 by a judge for the Armed Services Board of Contract Appeals.

The allegations against IBM resulted from a probe by the Defense Criminal Investigative Service’s Cyber Crimes Division of a 2008 hacker attack that accessed about eight computers and stole about 367 files. Agents later found six “malicious network intrusions” since 2006 on the military university, according to a document from the appeals board.

IBM spokesman Saswato Das declined to comment on the settlement. But the Armonk, New York-based company has argued that it wasn’t “contractually liable for security breaches” and that the university failed to implement many of the company’s recommendations for improving network security, according to the appeals board’s decision.

The National Defense University, which describes itself as educating “warfighters in critical thinking and the creative application of military power”, was among a number of US colleges hit in a spate of cyberattacks at the time, according to the inspector-general.

Although the dollar amount of the settlement is small, the inspector-general said the case demonstrates the emphasis placed by its criminal investigative service on instances that “involve the compromise and theft of sensitive defense information contained in government and DoD (Defense Department) contractor information systems”.

The investigative service “is particularly focused on cases in which contract fraud by DoD IT (information technology) contractors has factored in the penetration of DoD networks or the loss of DoD information”, according to the summary.

Of 1,716 ongoing investigations by the Defense Criminal Investigative Service, 67 are related to cybercrimes and computer network intrusions, according to the watchdog office’s report.