Cybersecurity in the Defense Industrial Base
The consistent theme emerging within the defense sector is that the cyber defense relationships and processes that have been so successful with the large U.S.-based system integrators for the last decade are becoming ill-suited to an industry where much of what we need to protect increasingly lies with smaller, less capable, or international suppliers. These vendors find the emerging compliance culture untenable. Government and industry must revisit and revise the existing processes to find better ways to make the public-private partnership more inclusive. Adding to this is the emergence of nation state attackers against government and industry which demands a new strategic, collaborative response that is national, and may also involve an international response strategy. This chapter outlines the progression of the defense industrial base regulatory model and how we should begin to move beyond a strict regulatory approach. It recommends the adoption of a collective defense approach to help secure the smaller players in the DIB supply chain, which create risk for the entire sector. It offers several potential solutions, such as a program for email screening, a DIB Domain Name Service, and a centrally managed work environment for DoD contracts. The chapter concludes with a discussion on incentives for small and medium sized businesses, underscoring that adoption of cybersecurity programs needs to be dirt cheap and easy to use.
WHAT MAKES THE DIB SECTOR UNIQUE
The defense industry has a different economic model than most industries, and investing in cyber protection is not a function of traditional economic risk management. Top-tier defense companies sell to national governments with few alternatives, and the Pentagon is unlikely to opt for lower cost products from rival nations, especially should the design suspiciously resemble American-made technology.
The defense industry invests in cybersecurity, despite the lack of traditional economic interest, out of a fundamentally patriotic sense of responsibility to our warfighters and because strong data and network security are essential to brand credibility when doing business with the military.
However, small- and medium-sized companies lower in the defense supply chain have a greater proportion of commercial business than defense business. The greater the commercial component of a business, the more the traditional economic risk-assessment calculations predominate. Financial conditions facing SMBs do not afford them the luxury of uneconomic investments in cybersecurity.
Differences in incentive structures have created a two-tiered defense ecosystem. One tier contains the large, well-funded system integrators and the other everyone else. Into this mix, DoD has introduced new compliance requirements, in an attempt to artificially influence traditional economic based risk-management calculations.
CHALLENGES FACING THE NEW ADMINISTRATION
Modern weapons systems are built via a supply chain hundreds of companies long, spanning multiple countries and subject to cyber manipulation. Defense developers and innovators are at risk of intellectual property theft through cyber espionage. Second-level nations skip generations of research development, becoming competitive with US weaponry, and the economic losses portend negative downstream effects on future investment and innovation.
Government reporting and information-sharing requirements are confusing and divert resources away from security to compliance. New regulations have significantly increased costs of doing business with the government and shifted cybersecurity focus from incentives, as called for in Executive Order 13636, to compliance with standards. These increased costs dwarf information technology budgets for small businesses. However, compliance alone will not generate security and must not be confused with it.
The collaboration process codified in the Defense Industrial Base Framework Agreement has been successful but is labor-intensive. Cyber threats have expanded to attack the defense supply chain, an ecosystem of smaller, less cyber-capable companies, ill-suited for such processes.
Cybersecurity policies assume US-based companies operating on American soil. Yet, reductions in defense spending led many companies to expand their presence overseas, creating a very different set of dynamics for cyber defense in the sector. The requirements levied by the International Trafficking in Arms Regulations drives the defense industry into maintaining two distinct networks—one for US persons and one for non-US employees—making a unified cyber defense both difficult and expensive. Privacy
laws of many of countries also make a unified monitoring environment difficult.
Most countries now require coproduction or offset suppliers. As the demand for coproduction rises in the value chain, so does the need to defend the networks of suppliers, resulting in policy challenges to the defense industry in two areas: first, current information-sharing policies preclude open sharing of information with foreign partners; second, the Defense Federal Acquisition Regulation Supplement rules on safeguarding defense information mandate application of NIST controls to overseas suppliers anytime covered information is involved. But few foreign companies are likely to submit themselves to DoD-imposed standards, leaving defense companies to choose between continuing with a foreign supplier who is out of compliance or abandoning the supplier and failing to meet contractual offset requirements.
RECOMMENDATIONS
INSTITUTE A TIERED MODEL FOR GRADING CYBERSECURITY COMPETENCY
The current regulatory compliance model is binary—either comply with everything or fail. Turn it into an incentive model with different tiers of compliance, where each level represents a concrete improvement in security. Companies will then prioritize efforts, and the government and larger defense contractors could tailor contract requirements to a certain level of security, incentivizing suppliers to move to the next tier to gain eligibility for larger contracts. This would transform the compliance environment to a competitive one, which will then incentivize defense companies to advance tiers in order to set themselves apart from their peers or gain market share.
A maturity model would also allow small- and medium-sized defense contractors to realistically participate.
INFORMATION SHARING BEYOND THE ELITES
Current close-hold information-sharing methods are designed for companies with the infrastructure and staff capable of manually receiving complex threat data, evaluating these data for their environment, and applying them to any number of defensive systems. Small companies cannot do this.
Instead, sharing with small companies requires a passive model where the company can accept threat data in an automated system and have these data applied to their network. The Pentagon needs to work with industry to create a broader information-sharing environment that is affordable and passive. Defense can allow large system integrators to share DoD-provided unclassified threat indicators with defense contractors in their supply chain via automated monitoring systems. Extending to the supply chain can have
a high payoff at a low cost.
DOD SHOULD MOVE TO BETTER ACCOMMODATE A GLOBAL DEFENSE INDUSTRIAL BASE
Defense needs to work with industry to develop operating concepts for cyber defense in an increasingly global market. Compliance regimes and information-sharing processes must both be modified to accommodate overseas suppliers and coproduction agreements. They must also work to develop a way to share cyber-defense information with foreign suppliers of critical items. DoD should work with NIST to find an acceptable international standard that can serve as an overseas substitute for defense-controlled information
cybersecurity controls.
THE PENTAGON NEEDS TO INCREASE ITS FOCUS ON SMALL BUSINESSES
Defense depends on small businesses to support its missions, spark innovation, and develop technologies to support soldiers. While the Office of Small Business Programs has acknowledged that cybersecurity is an important and timely issue for small businesses, it has not identified or disseminated any cybersecurity resources in its outreach and education efforts to defense-sector small businesses. The next administration should ensure cybersecurity is a part the OSBP outreach and take steps to stabilize the office’s performance and leadership team.