FARNBOROUGH AIR SHOW Despite a series of high-profile hacks targeting US defense contractors, the Pentagon still doesn’t have a workable plan to convince companies they work with to harden their cyber defenses.
“Because of a couple of recent events, we realized that that is not good enough,” Kevin Fahey, the assistant secretary of defense for acquisition, told reporters here.
Fahey said Monday afternoon that companies often self-report on whether they meet federal contracting regulations. Given the constant attacks on defense contractors from state and non-state hackers, the Pentagon is looking for ways to clamp down.
“We have to develop a way that we evaluate people’s capability in cybersecurity,” from the start, Fahey said. There is talk of making cyber hygiene part of the contracting process and including it as a deciding factor in awarding contracts just like cost, schedule, and performance.
“The only way you make it serious to industry is you make it part of the competition,” Fahey said. “We know it’s really serious now that we need to make that as a priority.”
Fahey briefed alongside Eric Chewning, deputy assistant secretary for Manufacturing and Industrial Base Policy. Chewning said that the government also may conduct Red Team exercises to test new parches and assess vulnerabilities.
While there has been some movement, there is still a very long way to go before any real programs and rules are in place. Deputy Defense Secretary Patrick Shanahan warned companies in February that they need to take network security more seriously, or potentially lose business.
In June, Kari Bingen, the Pentagon’s deputy secretary for intelligence, testified at the House Armed Services Committee that “we must establish security as a fourth pillar in defense acquisition,” while making security “a major factor in competitiveness for U.S. government business.”
The plan, dubbed “Deliver Uncompromised,” is looking for ways the Pentagon can work with the defense industry on a case by case basis to toughen security and head off threats, adding security and counterintelligence assets “to augment our collection and analysis capabilities, gain a more comprehensive understanding to threats against our technologies.”
The announcement came days after reports emerged that China had hacked into a U.S. defense contractor, stealing classified information about undersea warfare technologies, including plans to develop a supersonic anti-ship missile for use on U.S. submarines by 2020.
Ideas about incorporating cybersecurity in acquisition decisions and policy formation will be part of the much-anticipated Defense Industrial Base report, which the Pentagon hoped to have been made public by Farnborough. But the report continues to bounce around the White House, where it has been since April, an official told me.
Industrial base chief Chewning, who headed up the drafting of the industrial base report, said that in the past, “our industrial policy essentially was our acquisition policy. It was what we bought and how we bought it,” Chewning said, “what I’d like to be able to do is get out in front of that and think about, how do we help inform acquisition policy with an industrial policy in support of our modernization objectives.”