Cybersecurity in the Defense Industrial Base

The defense industry has a different economic model than most industries, and investing in cyber protection is not a function of traditional economic risk management. Top-tier defense companies sell to national governments with few alternatives, and the Pentagon is unlikely to opt for lower cost products from rival nations, especially should the design suspiciously resemble American-made technology.

The defense industry invests in cybersecurity, despite the lack of traditional economic interest, out of a fundamentally patriotic sense of responsibility to our warfighters and because strong data and network security are essential to brand credibility when doing business with the military.

However, small- and medium-sized companies lower in the defense supply chain have a greater proportion of commercial business than defense business. The greater the commercial component of a business, the more the traditional economic risk-assessment calculations predominate. Financial conditions facing SMBs do not afford them the luxury of uneconomic investments in cybersecurity.

Differences in incentive structures have created a two-tiered defense ecosystem. One tier contains the large, well-funded system integrators and the other everyone else. Into this mix, DoD has introduced new compliance requirements, in an attempt to artificially influence traditional economics-based risk-management calculations.

Modern weapons systems are built via a supply chain hundreds of companies long, spanning multiple countries and subject to cyber manipulation. Defense developers and innovators are at risk of intellectual property theft through cyber espionage. Second-level nations skip generations of research development, becoming competitive with US weaponry, and the economic losses portend negative downstream effects on future investment and innovation.

Government reporting and information-sharing requirements are confusing and divert resources away from security to compliance. New regulations have significantly increased costs of doing business with the government and shifted cybersecurity focus from incentives, as called for in Executive Order 13636, to compliance with standards. These increased costs dwarf information technology budgets for small businesses. However, compliance alone will not generate security and must not be confused with it.

The collaboration process codified in the Defense Industrial Base Framework Agreement has been successful but is labor-intensive. Cyber threats have expanded to attack the defense supply chain, an ecosystem of smaller, less cyber-capable companies, ill-suited for such processes.

Cybersecurity policies assume US-based companies operating on American soil. Yet reductions in defense spending led many companies to expand their presence overseas, creating a very different set of dynamics for cyber defense in the sector. The requirements levied by the International Traffic in Arms Regulations drive the defense industry into maintaining two distinct networks—one for US persons and one for non-US employees—making a unified cyber defense both difficult and expensive. The privacy laws of many countries also make a unified monitoring environment difficult.

Most countries now require coproduction or offset suppliers. As the demand for coproduction rises in the value chain, so does the need to defend the networks of suppliers, resulting in policy challenges to the defense industry in two areas: first, current information-sharing policies preclude open sharing of information with foreign partners; second, the Defense Federal Acquisition Regulation Supplement rules on safeguarding defense information mandate application of NIST controls to overseas suppliers anytime covered information is involved. But few foreign companies are likely to submit themselves to DoD-imposed standards, leaving defense companies to choose between continuing with a foreign supplier who is out of compliance or abandoning the supplier and failing to meet contractual offset requirements.


The current regulatory compliance model is binary—either comply with everything or fail. Turn it into an incentive model with different tiers of compliance, where each level represents a concrete improvement in security. Companies will then prioritize efforts, and the government and larger defense contractors could tailor contract requirements to a certain level of security, incentivizing suppliers to move to the next tier to gain eligibility for larger contracts. This would transform the compliance environment to a competitive one, which will then incentivize defense companies to advance tiers in order to set themselves apart from their peers or gain market share.
A maturity model would also allow small- and medium-sized defense contractors to realistically participate.

Current close-hold information-sharing methods are designed for companies with the infrastructure and staff capable of manually receiving complex threat data, evaluating these data for their environment, and applying them to any number of defensive systems. Small companies cannot do this.

Instead, sharing with small companies requires a passive model where the company can accept threat data in an automated system and have these data applied to their network. The Pentagon needs to work with industry to create a broader information-sharing environment that is affordable and passive. Defense can allow large system integrators to share DoD-provided unclassified threat indicators with defense contractors in their supply chain via automated monitoring systems. Extending to the supply chain can have a high payoff at a low cost.

Defense needs to work with industry to develop operating concepts for cyber defense in an increasingly global market. Compliance regimes and information-sharing processes must both be modified to accommodate overseas suppliers and coproduction agreements. They must also work to develop a way to share cyber-defense information with foreign suppliers of critical items. DoD should work with NIST to find an acceptable international standard that can serve as an overseas substitute for defense-controlled information cybersecurity controls.

Defense depends on small businesses to support its missions, spark innovation, and develop technologies to support soldiers. While the Office of Small Business Programs has acknowledged that cybersecurity is an important and timely issue for small businesses, it has not identified or disseminated any cybersecurity resources in its outreach and education efforts to defense-sector small businesses. The next administration should ensure cybersecurity is a part of the OSBP outreach and take steps to stabilize the office’s performance and leadership team.