Signage for Palantir is seen during the Association of the United States Army annual meeting and exposition at the Walter E. Washington Convention Center in Washington on Oct. 14, 2024.
Nathan Howard | Reuters
The much-needed modernization of the U.S. Army’s battlefield communications network being undertaken by Anduril, Palantir and others is rife with “fundamental security” problems and vulnerabilities, and should be treated as a “very high risk,” according to a recent internal Army memo.
The two Silicon Valley companies, led by allies of U.S. President Donald Trump, have gained access to the Pentagon’s lucrative flow of contracts on the promise of quickly providing less expensive and more sophisticated weapons than the Pentagon’s longstanding arms providers.
But the September memo from the Army’s chief technology officer about the NGC2 platform that connects soldiers, sensors, vehicles and commanders with real-time data paints a bleak picture of the initial product.
“We cannot control who sees what, we cannot see what users are doing, and we cannot verify that the software itself is secure,” the memo says.
Palantir and Anduril did not comment for this story.
The assessment, seen by Reuters and first reported by Breaking Defense, comes just months after defense drone and software maker Anduril was awarded $100 million to create a prototype of NGC2 with partners including Palantir, Microsoft and several smaller contractors.
The Army should treat the NGC2 prototype version as “very high risk” because of the “likelihood of an adversary gaining persistent undetectable access,” wrote Gabrielle Chiulli, the Army chief technology officer authorizing official.
Despite the early September memo’s scathing critique, Leonel Garciga, Army chief information officer and Chiulli’s supervisor, said in a statement to Reuters that the report was part of a process that helped in “triaging cybersecurity vulnerabilities” and mitigating them.
In March, the 4th Infantry Division used the system in live-fire artillery training at Fort Carson, Colorado, in an exercise Anduril described as demonstrating faster and more reliable performance than legacy systems.
The Army memo identifies some major security gaps.
The report says the system allows any authorized user to access all applications and data regardless of their clearance level or operational need. As a result, “Any user can potentially access and misuse sensitive” classified information, the memo states, with no logging to track their actions.
Other deficiencies highlighted in the memo include the hosting of third-party applications that have not undergone Army security assessments. One application revealed 25 high-severity code vulnerabilities. Three additional applications under review each contain over 200 vulnerabilities requiring assessment, according to the document.