US defence giant RTX has agreed to a $200 million fine from regulators in Washington DC related to the unauthorised disclosure of sensitive information from nearly two dozen military aircraft.
Some of that information found its way to the USA’s primary geopolitical adversaries, including Russia, China and Iran.
The US Department of State announced the settlement on 30 August, saying the aerospace conglomerate committed 750 violations of the USA’s International Traffic in Arms Regulations (ITAR) between 2017 and 2023. Those rules restrict the export of sensitive military-related technologies, including both physical materials and information.
In addition to the $200 million penalty, RTX must submit to a three-year consent agreement with the government that requires at least one external audit of the company’s ITAR compliance programme and the implementation of remedial compliance measures.
The state department says it has agreed to suspend $100 million of the fine, on the condition those funds are used to implement the prescribed corrective measures and “strengthen RTX’s compliance programme”.
RTX voluntarily disclosed the violations to regulators, who say the ITAR breaches included unauthorised exports of classified defence articles and failure to establish proper jurisdiction and classification over sensitive materials.
“The majority of violations resulting from jurisdiction and classification errors, in particular, reflect a clear pattern of historical systemic compliance failures in multiple of [RTX’s] operating divisions,” the state department says. “In some instances, these operating divisions failed to fully remediate these failures.”
RTX is the parent company for munitions and radar manufacturer Raytheon, engine-maker Pratt & Whitney and aviation systems supplier Collins Aerospace.
The specific nature of the security violations varies from case to case. While some instances saw unauthorised disclosures to friendly nations like Australia, Germany and Norway, other examples resulted in sensitive information falling into the hands of adversaries such as Russia, China and Iran.
Several specific incidents are outlined in a charging letter released by authorities in Washington.
In one instance, controlled technical data was improperly sent to Chinese suppliers by RTX’s aviation systems subsidiary Collins Aerospace. That data was used to procure printed wiring boards from unauthorised subcontractors in China.
Those components were subsequently provided to both the Pentagon and other US defence contractors for use in nearly two dozen military aircraft, including the Boeing VC-25 presidential transport aircraft, Boeing B-1B heavy-bomber, Lockheed Martin U-2 reconnaissance jet, Boeing B-52 strategic bomber, Lockheed Martin F-16 fighter, Boeing F-15 fighter, Fairchild Republic A-10 ground-attack jet and the Boeing F/A-18 fighter.
Numerous rotorcraft, fixed-wing transports, aerial refuellers and uncrewed aerial vehicles were also impacted.
Another improper release at Collins saw a Chinese national receive technical data related to the Boeing E-3 Airborne Warning and Control System aircraft and the Embraer KC-390 medium transport jet.
In a separate incident from 2021, an RTX employee used a company-issued laptop containing sensitive technical data while on a personal trip to Russia. Internal cybersecurity measures flagged the issue, but the location alert was ignored as a false positive.
The laptop contained technical data on the Lockheed F-22 and F-35 stealth fighters, as well as the U-2. That employee had travelled to Russia on four prior occasions, bringing the laptop on at least one those earlier trips, according to the state department.
Another incident in 2019 saw an employee travel to Iran while carrying a company laptop containing technical data on the Northrop B-2 stealth bomber and F-22 fighter. In that case, cybersecurity protocols remotely froze access to the laptop’s hard drive.
According to the charging letter, the majority of violations occurred within Collins Aerospace, back when the division was an independent firm called Rockwell Collins.
The chain of events is complicated by RTX’s tangled corporate history of mergers and acquisitions. Rockwell Collins was acquired by defence contractor United Technologies Corporation (UTC) in 2018. UTC and Raytheon subsequently combined in 2020, with the result being called Raytheon Technologies Corporation.
The conglomerate re-branded to the current RTX name in 2023. FlightGlobal was awaiting comment from RTX at the time of publication.
A similar charging letter was sent by the state department to airframer Boeing earlier in the year, outlining 199 ITAR violations on programmes including Boeing’s E-7 airborne early warning and control jet, CH-47F Chinook rotorcraft and AH-64 attack helicopter. Some of the violations occurred at Boeing subsidiaries in India and Australia.
An associated court order from February indicates Boeing was fined $51 million for the infractions, with $24 million of that to be suspended and directed toward compliance costs associated with addressing the security lapses.