RTX fined $200 million for leaking classified military aircraft data to Russia, China | News

US defense giant RTX has agreed to a $200 million fine from Washington, DC regulators over the unauthorized disclosure of sensitive information from nearly two dozen military aircraft.

Some of this information has been passed to major geopolitical adversaries of the United States, including Russia, China and Iran.

The U.S. State Department announced the deal on August 30, saying the aerospace conglomerate committed 750 violations of the U.S. International Traffic in Arms Regulations (ITAR) between 2017 and 2023. Those rules restrict the export of sensitive military-related technology, including physical materials and information.

In addition to the $200 million penalty, RTX must enter into a three-year consent agreement with the government that requires at least one external audit of the company’s ITAR compliance program and the implementation of compliance corrective measures.

The State Department said it agreed to suspend $100 million of the fine, provided the funds are used to implement prescribed corrective measures and “strengthen RTX’s compliance program.”

RTX voluntarily disclosed the violations to regulators, who say the ITAR violations included unauthorized exports of classified defense articles and failure to establish proper jurisdiction and classification over sensitive materials.

“The majority of violations resulting from jurisdictional and classification errors, in particular, reflect a clear pattern of historical failures of systemic compliance across multiple (RTX) operating divisions,” the State Department said. “In some cases, these operating divisions have failed to fully address these failures.”

RTX is the parent company of munitions and radar maker Raytheon, engine maker Pratt & Whitney and aircraft systems supplier Collins Aerospace.

The specific nature of the security breaches varies from case to case. While in some cases, sensitive information was disclosed to friendly countries such as Australia, Germany and Norway, in other cases, sensitive information fell into the hands of adversaries such as Russia, China and Iran.

Several specific incidents are described in a invoice letter published by the Washington authorities.

In one case, controlled technical data was improperly sent to Chinese suppliers by Collins Aerospace, an RTX subsidiary specializing in aerospace systems. This data was used to purchase printed circuit boards from unauthorized subcontractors in China.

These components were then supplied to the Pentagon and other U.S. defense contractors for use in nearly two dozen military aircraft, including the Boeing VC-25 presidential airlifter, the Boeing B-1B heavy bomber, the Lockheed Martin U-2 reconnaissance aircraft, the Boeing B-52 strategic bomber, the Lockheed Martin F-16 fighter jet, the Boeing F-15 fighter jet, the Fairchild Republic A-10 attack aircraft, and the Boeing F/A-18 fighter jet.

Numerous rotary-wing aircraft, fixed-wing transport aircraft, aerial refueling tankers and unmanned aerial vehicles were also affected.

Another improper disclosure to Collins saw a Chinese national receive technical data relating to the Boeing E-3 airborne early warning and control aircraft and the Embraer KC-390 medium transport aircraft.

In another incident in 2021, an RTX employee used a company-issued laptop containing sensitive technical data while on a personal trip to Russia. Internal cybersecurity measures flagged the issue, but the location alert was dismissed as a false positive.

The laptop contained technical data on the Lockheed Martin F-22 and F-35 stealth fighters, as well as the U-2. The employee in question had traveled to Russia four times before, taking the laptop on at least one of those trips, according to the State Department.

Another incident occurred in 2019, when an employee traveled to Iran with a company laptop containing technical data on the Northrop Grumman B-2 stealth bomber and F-22 fighter jet. In that case, cybersecurity protocols remotely blocked access to the laptop’s hard drive.

According to the indictment, the majority of the violations occurred within Collins Aerospace, when the division was an independent company called Rockwell Collins.

The chain of events is complicated by RTX’s complex history of mergers and acquisitions. Rockwell Collins was acquired by defense contractor United Technologies Corporation (UTC) in 2018. UTC and Raytheon then merged in 2020, with the result being called Raytheon Technologies Corporation.

The conglomerate changed its name to the current RTX name in 2023. FlightGlobal was awaiting comment from RTX at the time of publication.

A similar letter was sent by the State Department to aircraft manufacturer Boeing earlier this year, citing 199 ITAR violations on programs including Boeing’s E-7 airborne warning and control jet, CH-47F Chinook rotorcraft and AH-64 attack helicopter. Some of the violations occurred at Boeing subsidiaries in India and Australia.

A February court order says Boeing will be fined $51 million for the violations, with $24 million of that fine suspended and used for compliance costs associated with correcting the safety deficiencies.