At the West 2018 conference in February, Patrick Shanahan, the deputy secretary of defense, gave one of those keynote speeches that was long-ish on vision and can pass for news among a corner of the press corps.
On the opening day, Shanahan talked about the need to bolster cybersecurity — an unquestionably important priority for any organization in the United States, much less the Department of Defense. Shanahan, who is still quick to remind audiences he spent three decades at Boeing, then said the Pentagon needs to hold companies more accountable for their cybersecurity practices — agreed — and implied that CEOs in the defense community need to take the issue more seriously. Sure, great.
As if to drive home the point, he compared poor cybersecurity practices to smoking a few decades ago when the unhealthy habit was common and far less people talked about the long-term risks.
All of this is unassailable ... except it puts most of the onus on industry and ignores a simpler solution. To make cybersecurity a priority within the defense community, the Pentagon has its acquisition office.
There’s a defense community cliché that industry mimics the military it serves. Today, industry is just as serious about cybersecurity as it believes the Pentagon wants it to be. According to the fiscal 2019 budget request, the Pentagon is serious to the tune of $15 billion — up nearly 18 percent from two years ago. Fairly serious, but unquestionably more could be done.
It’s easy to imagine the long-lasting reverberations if a prime contractor lost a big deal for cybersecurity reasons or if the Pentagon put a program back up for competition after a breach or known vulnerability. The level of cyber hardening and network protection would increase exponentially.
Yet, for as much as senior leaders say they are worried about cybersecurity, they spend more time talking about innovation. Why? Because DoD leaders are terrified of falling behind and, frankly, too often cyber discussions make people’s eyes glaze over because it can be out of their comfort zone.
Worse, more stringent cyber requirements might make small, groundbreaking companies question the value proposition of doing business with the DoD.
If the Defense Department falls behind on cybersecurity, catching up is significantly harder, and any effort at innovation matters little to none.
The Pentagon can talk about hardened networks and security being baked in and not bolted onto weapon systems, but until contracts are won and lost on the security of those companies, cyber remains a hollow promise.