Despite conventional wisdom that may suggest otherwise, the Department of Defense is willing to pay extra for security measures in defense systems bought from contractors, Pentagon officials said at the Professional Services Council Federal Acquisition Conference June 13.
“Security is an allowable cost,” said Katie Arrington, special assistant to the assistant secretary of defense for acquisition for cyber. She emphasized that philosophy had the backing of her boss, Kevin Fahey, assistant secretary of defense for acquisition.
Fahey criticized those who say security should be a trade-off in an acquisition, which places the criteria on the same plane as cost, schedule and performance.
“That’s stupid as shit,” Fahey said. He added, “in our contracts in the future, cyber is going to be a requirement.”
The federal acquisition process is primarily driven by the need to meet cost, performance and scheduling goals, an emphasis that poses a major security risk, according to a 2019 report from the MITRE Corporation, a non-profit organization that does government research. Instead, the report said, the Defense Department needs to focus on security measures.
“Defense acquisition only will function in a secure environment,” Arrington said. “Only. So cost, schedule and performance cannot be traded for security.”
Under the current system, Arrington said, it’s like someone bought a Maserati, installed a high-tech security system, put up a fence around it, but then left the gate open, the keys on the dashboard and the doors open. Now, she said the government and industry must think critically about security.
“It’s not the new widget and software, it’s the process you have to think about in security,” Arrington said.
Because so many contractors have access to Defense Department data, Arrington stressed that the department and contractors must work together on the security issues.
Intellectual property theft from adversaries, such as China, is a primary threat faced by Defense Department and its contractors. China accounted for more than 90 percent of Justice Department’s economic espionage cases and two-thirds of its trade secrets cases from 2011-2018, according to a Congressional Research Service report.
“We should be infuriated as a nation about what’s happened to our data,” Arrington said.
The MITRE report noted that the Defense Department’s financial influence - and its $700 billion budget - can impose the security changes needed on thousands of businesses. And Pentagon leaders appear to be willing to flex those muscles with its newly announced Cybersecurity Maturity Model Certification, an effort to create one unified cybersecurity standard. The DoD is working with Johns Hopkins University and Carnegie Mellon University to develop that criteria.
“We all know that what we’ve been doing isn’t working so we have to come up with a different solution,” Fahey said.
The new model will include third party cybersecurity certifiers to “conduct audits, collect metrics, and inform risk mitigation for the entire supply chain,” Arrington’s presentation said.
“Every contract that goes out will have a requirement and every vendor on that contract will have to get certified,” Arrington said. “Security is an allowable cost.”
How security will be measured is another challenge faced by government agencies as they work to implement tighter security requirements on their systems. Arrington and Joyce Corell, assistant director of supply chain and cyber directorate at the Office of the Director of National Intelligence, said their agencies need to move away from compliance checklists to assess security.
“It has to be something more than a compliance checklist that we can measure,” Corell said.
The new DoD standard will not allow contractors to self-attest because “when you look in the mirror, it’s really hard to find flaw,” Arrington said.
“If we were all honestly doing all of the … requirements, there wouldn’t be a plane flying around from China that looks suspiciously like the F-35,” she said. “I can’t say it any clearer than that, ladies and gentlemen. If we were all doing it right, that wouldn’t be happening.”
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.