In the last decade, the way in which nation states have targeted the U.S. has changed dramatically. Where warfare was once predictably physical in nature, more and more of today’s threats come via virtual and digital channels.
After more than a decade of large-scale intellectual property theft, including the theft of massive amounts of highly sensitive data from a U.S. Navy contractor’s computer systems, allegedly by Chinese hackers, the Department of Defense (DoD) has sought new guidance on how to secure its $100bn supply chain in the face of modern threats.
In the recent report Deliver Uncompromised, researchers at Mitre Corp. discuss how the Department of Defense (DoD) and intelligence agencies can adapt to meet the growing threat of cyber warfare. They identify a number of ways in which national security can be compromised remotely, including the virtual hijacking and sabotage of military equipment; the infiltration of software for espionage purposes; and the data theft to which the Navy contractor fell victim.
Up until now, the focus has been on encouraging contractor compliance. A recent example is the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, a framework that lays out how contractors must safeguard sensitive defense information and report cyber security incidents. By December 2017, prime contractors were required to demonstrate exactly how they’d implemented mandatory policies and achieved full compliance.
However, the Deliver Uncompromised report argues for a full cultural shift in the way in which the issue of cybersecurity is framed, with an emphasis on the role of the contractor. Instead of simply requesting or even mandating co-operation in support of their security objectives — a reactive role — the report recommends that defense and intelligence agencies encourage contractors to share ownership of the problem itself and proactively develop solutions.
At present, the DoD chooses suppliers based on cost, schedule, and performance, but the report notes that this can actually encourage suppliers to cut corners on their security provision. Factoring in the price of implementing enhanced security measures makes the supplier less attractive to the DoD in terms of cost, but when the alternative is to eat the cost themselves, most businesses will choose to simply do the bare minimum in order to achieve compliance.
In order to avoid the ‘compliance effect’ and incentivize suppliers to go above and beyond, DoD is attempting to elevate security to a key metric in the procurement process, on par with cost, schedule, and performance. In making enhanced security a competitive advantage and not just a ‘check box’, the DoD is essentially leveraging its position as the primary source of revenue for many of its contractors in order to shape their behavior.
That’s not to say compliance is moving down the agenda; quite the opposite, in fact. Deliver Uncompromised identifies a number of major holes in current compliance legislation, noting that they undermine any ‘softer’ attempts by the DoD to influence suppliers.
First, the report says, it’s unclear what tangible consequences a contractor will face in the event that their non-compliance with DoD mandates leads to a security breach. Because there are so few financial repercussions, the very real risk is that some suppliers will fail to commit the necessary resources to implement their contractual obligations, while others will ignore them altogether.
To address this risk, Deliver Uncompromised recommends that the DoD re-examine financial liability processes for suppliers that fail to take reasonable or timely assurance measures to protect the DoD from threats. It also implores the DoD to consider seeking the legislative authority to hold suppliers liable for gross negligence in circumstances where cyber security obligations have not been met.
Software was identified as a major area of vulnerability for the DoD supply chain, especially given the widespread use of open-source software components with uncertain origins. And yet, the report says, the current practice is to absolve users, operators, and even developers from responsibility for security threats arising from software failure.
Deliver Uncompromised calls for an overhaul of this policy and suggests that the DoD demand much higher standards of security throughout the life cycle of mission-critical software. It also recommends placing much greater accountability on users, operators, and developers, which may be achieved by soliciting the help of Congress to change laws surrounding software immunity.
What does this mean for you as a defense supplier?
If a significant proportion of your revenue depends on government contracts, it’s likely you already know that compliance is becoming an increasingly important decision factor in the awarding of contracts. However, it’s no longer enough to simply comply.
Deliver Uncompromised is a crystal-clear statement of the DoD’s intent to reward suppliers that go above and beyond in terms of security. In fact, the cultural shift is already happening, with the 2017 case of IPKeys Technologies serving as a prime example.
IPKeys protested to the U.S. Government Accountability Office (GAO) when it lost out on a defense contract to a higher-priced competitor. While both companies met the mandatory cybersecurity compliance requirements, the awardee had also demonstrated a proactive commitment to non-mandatory security frameworks. Despite its higher cost, the awardee went above and beyond compliance and received a higher value rating — and won the contract — as a direct result.
The GAO denied the protest, strengthening the notion that minimum security compliance is no longer enough to remain competitive. Should the DoD implement the recommendations outlined in Deliver Uncompromised — and they likely will, given the current concerns about foreign interference and cyber attacks — enhanced security will become a legal matter as well as a commercial one.
For you, that means getting ahead of the game and fortifying your cyber security now. While other suppliers continue to do the bare minimum in order to check off compliance boxes, your focus should be on strengthening security procedures and adding value wherever possible. Take these measures now, and when the legislative environment inevitably moves forward, you’ll be leading the way — not scrambling to keep up.
Want to remain a competitive defense supplier?
Then now is the time to start enhancing your security practices with a comprehensive, free cyber security evaluation from CyberSheath. Let us help you to make sense of the changing security environment and make sure your business stays one step ahead. Contact us now to arrange your free evaluation.