THE PENTAGON: The Defense Department is working on a “do not buy” list of software vendors who may have been compromised by foreign governments, but is still in the early stages of formulating a plan to ensure the defense industry follows suit.
Ellen Lord, the Pentagon’s chief weapons buyer, told a small group of reporters here Friday morning that her office is trying to put rules in place to protect against buying “software that has Russian or Chinese provenance, for instance, and quite often that’s difficult to tell at first glance because of holding companies” that move the software through the open market.
The concern over compromised technology has been heightened after a series of high-profile hacking incidents where U.S. shipbuilding plans and other programs have been compromised by Chinese hackers. Pentagon leadership is especially sensitive to the issue as they rush to keep ahead of Chinese and Russian military modernization programs in areas like hypersonics, satellites, drones, and submarine warfare.
Last month, the Pentagon’s deputy under secretary of defense for intelligence, Kari Bingen, told the House Armed Services Committee that the military needs to “establish security as a fourth pillar in defense acquisition,” joining cost, schedule, and performance, while making security “a major factor in competitiveness for U.S. government business.”
The plan, “Deliver Uncompromised,” is looking for ways the Pentagon can work with the defense industry to toughen up security, adding counterintelligence assets to the acquisition process “to augment our collection and analysis capabilities, gain a more comprehensive understanding of threats against our technologies.”
Lord said that the issue of cyber security was the main focus of her most recent meeting with the heads of the major defense industry associations, and she has taken to bringing intelligence staffers along with her to meetings with industry to impress on them the dangers.
“It’s a huge education process” for industry, she said.
Lord also issued a warning for defense contractors who don’t begin scrubbing their systems and hardening cyber defenses: change is coming.
“There is an expectation that standards will be met within industry, and up to this point in time there has really been self-reporting” on any issues, she said. “We are actually going to go in and ‘red team’ industry to see how robust their systems are. The reality of the world we live in means cyber security is going to become more and more of a discriminator” in how the department deals with the industrial base.
It’s unclear how those efforts have gone so far, but Lord admitted that “there has been a large pushback from industry” over getting fully compliant with the Pentagon’s new rules. While the Pentagon may have relaxed some of its security standards in recent years, according to Lord, “I don’t think we can continue to do that going forward, and in fact we’re probably going to have to increase some of those requirements.”