WASHINGTON — In the wake of reports China hacked a Navy contractor for sensitive data on submarine warfare, Pentagon officials said they want to build better security into the military’s acquisitions process to better protect the defense industry from Beijing’s tampering.
But it’s unclear whether the defense industry has bought into the nascent effort.
“It is no longer sufficient to only consider cost, schedule and performance when acquiring defense capabilities,” Deputy Under Secretary of Defense for Intelligence Kari Bingen told lawmakers Thursday.
“We must establish security as a fourth pillar in defense acquisition and also create incentives for industry to embrace security, not as a cost burden, but as a major factor in their competitiveness for U.S. government business.”
The Washington Post reported June 8 that Chinese government hackers had compromised the computers of a Navy contractor, stealing massive amounts of highly sensitive data related to undersea warfare — including secret plans to develop a supersonic anti-ship missile for use on U.S. submarines by 2020.
On Thursday, Bingen and other Pentagon officials testified before the House Armed Services Committee on the broader problem: China’s sweeping efforts to transfer U.S. military technology, which include targeted commercial investments, predatory trade practices and illegal intellectual property theft, all aimed at eroding America’s military edge.
“The Chinese theft of technology and intellectual property, through the exfiltration of the work of others is not unlike the Chinese construction of islands to encroach upon the geographic domains of international waters and those of other sovereign nations,” said Under Secretary of Defense for Research and Engineering Michael Griffin.
“It circumvents the autonomy of nations in a departure from a rules-based global order. It is adversarial behavior and its perpetrator must be treated as such.”
The officials highlighted a four-pronged effort at the Pentagon, which includes a new program called “Deliver Uncompromised,” to safeguard the parts used in American military hardware — for instance, microelectronics.
“We must have confidence that industry is delivering capabilities, technologies and weapon systems that are uncompromised by our adversaries, secure from cradle to grave,” Bingen said.
The panel’s ranking member, Rep. Adam Smith, D-Wash., ripped the administration for lacking an industrial-base policy and for the military’s cybersecurity efforts.
“We had a briefing yesterday on a cyber breach, and it was shocking how disorganized, unprepared and, quite frankly, utterly clueless the branch of the military was that [it] had been breached,” Smith said.
“Even in this day and age, we still have not figured out how to put together a cyber policy to protect our assets. In particular, with our defense contractors, who we work with, who store our data, but don’t have adequate protection. But even within the DoD, we don’t have a clear, cohesive policy to put in place.”
He voiced support for a proposal in the Senate-passed defense policy bill that would expand the Committee on Foreign Investment in the United States, tasked with reviewing foreign takeovers of U.S. companies for national security concerns. The measure was not in the House bill; lawmakers are working to reconcile the two bills this summer.
As the Pentagon discussed its four-pronged strategy, lawmaker questions revealed possible friction points, such as how to mandate stiffer security without burdening smaller military contractors. Bingen acknowledged the problem, but said the effort was too new to have solved it.
Bingen seemed to suggest that industrial security procedures are largely one-size-fits-all, what she called “checklist-based.” But the goal is for the program to be “risk-based … informed by the threat and the department’s technology protection priorities” — though she acknowledged that may trigger pushback from some companies.
“They are now, based on DoD’s critical technologies list, going into these companies to look more holistically,” she said. “Its probably going to be more uncomfortable for industry, but we need them as a partner to do this if they’re going to be able to deliver uncompromised.”
Under Secretary of Defense for Intelligence Joseph Kernan has directed the Defense Security Service to develop a program to better protect its “controlled unclassified data,” which “in aggregation can be as damaging as a breach of classified information,” Bingen said. That could cover both technical or personal information.
Asked about the breach reported by The Washington Post, House Armed Services Committee Chairman Mac Thornberry, R-Texas, told reporters afterward he was less focused on a single incident than the threat overall.
“The key point I took away from this hearing was not to look at any one incident we read about but to look at the broad pattern of activity. That’s the real concern for national security,” he said.
“We’re not going to pass a bill to fix it all, but good heavens we have a lot of catching up to do because we have not updated our laws to reflect changes in world circumstances or the change in technology, primarily cyber.”
During the hearing, Washington Democrat Rep. Rick Larsen, a member of the sub-panel on emerging threats, offered a harsher assessment of the government’s response so far — particularly America’s contradictory and seemingly disorganized trade policies in Asia.
“On the debate about ‘whole-of-government approach,’ I’m concerned you throw [the phrase] around like its candy at a parade,” Larsen said, adding ruefully: “If only we had a National Security Council mechanism to develop a whole-of-government approach that’s used by the White House, then we might have one.”
Joe Gould is senior Pentagon reporter for Defense News, covering the intersection of national security policy, politics and the defense industry.