SAN DIEGO ― The Pentagon and its contractors need to take a more rigid and uncompromising approach to cybersecurity, the Defense Department’s deputy secretary said Feb. 6, a change in philosophy that would require a more active role from CEOs and industry leaders.
Speaking at the West 2018 conference, Patrick Shanahan told reporters the Department of Defense must view cybersecurity for industry with a smaller margin for error than in the past.
During his keynote address, he suggested contractors one day might have to verify that their products are cyber-secure. In slides, he said cybersecurity is “foundational to business with DoD.”
“It’s one of those things that should be uncompromising,” he said. “It’s less about a threat and more about, I call it, good hygiene. In institutions or companies where you have that level of discipline where I grew up in, you’re uncompromising.”
Shanahan also suggested that those who blanch at such hard-line tactics may not be viewed kindly by history.
“My preference would be to drop the safe or come down hard because we should,” he said. “Remember all those long debates over smoking? ‘Oh, everyone’s going to be upset when we take away smoking.’ It’s the same thing. We need to have the same intolerance on cyber. There’s basic pieces we need to correct.”
Shanahan said his comments were not based on a specific cyber incident, but rather a philosophy of “who you are, how you grew up.”
Shanahan was previously an executive at Boeing for more than 30 years. Last month, Defense Secretary Jim Mattis directed a DoD-wide review of fitness app use policies following news that an app used by troops revealed sensitive military information.
As a result, Shanahan said, he stopped wearing a FitBit.
But since becoming the No. 2 at the Pentagon, Shanahan said he’s noted a different approach to security from the one he witnessed in industry.
“When I look at the processes, there’s a lot of room to improve that,” he said. “In areas of safety, protecting your workers, in terms of protecting our data or protecting their information, there should be this standard. You never cross the line.”
Instead, he wants to ensure a similar philosophy permeates the DoD and contracting community almost as a condition of employment.
“In the aerospace industry, the culture is around product integrity. If you make a mistake, there’s full disclosure. They’re not fearful because, hey, we’ll go fix it because the integrity of the product supersedes everything. We want, in this world, where cyber continues to evolve … to create that culture and everyone’s a sentinel on watch. The CEOs [have] at the top of their list: Are we safe, are we secure, are we protecting our secrets?”