ZEYΣ ΕΛΑΥΝΩΝ


Tuesday, July 17, 2018

Pentagon Wants Industry to be Smart on Cyber, But No Plan Yet

Under constant cyber attack, the Pentagon is struggling to find ways to incorporate cyber security as part of the contracting process. 

FARNBOROUGH AIR SHOW: Despite a series of high-profile hacks targeting U.S. defense contractors, the Pentagon still doesn’t have a workable plan to convince companies they work with to harden their cyber defenses.
“Because of a couple of recent events, we realized that that is not good enough,” Kevin Fahey, the assistant secretary of defense for acquisition, told reporters here.
Fahey said Monday afternoon that companies often self-report on whether they meet federal contracting regulations; given the constant attacks on defense contractors from state and non-state hackers, the Pentagon is looking for ways to clamp down.
“We have to develop a way that we evaluate people’s capability in cyber security,” from the start, Fahey said. There is talk of making cyber hygiene part of the contracting process, and including it as a deciding factor in awarding contracts just like cost, schedule, and performance.
“The only way you make it serious to industry is you make it part of the competition,” Fahey said. “We know it’s really serious now that we need to make that as a priority,” he said. One of the ideas floating around is delivering to companies IT infrastructure that is already secure.
Fahey briefed alongside Eric Chewning, the deputy assistant secretary for Manufacturing and Industrial Base Policy, who said that the government is also conducting Red Team exercises in order to test ideas and assess vulnerabilities.

While there has been some movement, there is still a very long way to go before any real programs, and rules, are in place. Deputy Defense Secretary Patrick Shanahan warned companies in February that they need to take network security more seriously, or potentially lose business.
In June, the Pentagon’s deputy secretary for intelligence, Kari Bingen, testified at the House Armed Services Committee that “we must establish security as a fourth pillar in defense acquisition,” while making security “a major factor in competitiveness for U.S. government business.”
The plan, dubbed “Deliver Uncompromised,” is looking for ways the Pentagon can work with the defense industry on a case-by-case basis to toughen security and head off threats, adding security and counterintelligence assets “to augment our collection and analysis capabilities, gain a more comprehensive understanding to threats against our technologies.”
The announcement came days after reports emerged that China had hacked into a U.S. defense contractor, stealing classified information about undersea warfare technologies, including plans to develop a supersonic anti-ship missile for use on U.S. submarines by 2020.
Ideas about incorporating cyber security in acquisition decisions and policy formation will be part of the much-anticipated Defense Industrial Base report, which the Pentagon had hoped to make public by Farnborough. But the report continues to bounce around the White House, where it has been since April, an official told me.
Industrial base chief Chewning, who headed up the drafting of the industrial base report, said that in the past, “our industrial policy essentially was our acquisition policy. It was what we bought and how we bought it.” “What I’d like to be able to do is get out in front of that and think about, how do we help inform acquisition policy with an industrial policy in support of our modernization objectives,” he said.
