WASHINGTON — As defense contractors are battling ever more sophisticated cyber threats and baffled by ever-stricter security rules, the Pentagon today wants them to know: We hear you, and help is on the way, real soon now.
That was the message around today’s rollout of the new Defense Industrial Base (DIB) Cybersecurity Strategy for 2024-2027 [PDF], a three-year plan to strengthen, streamline and centralize Department of Defense support to contractors and small subcontractors.
A long list [PDF] of free, taxpayer-funded services is already available. But they’re scattered across a multitude of different agencies, such as the DoD Chief Information Officer, the DoD Cyber Crime Center (aka DC3), the Defense Counterintelligence & Security Agency and even the mighty and mysterious National Security Agency. Those organizations don’t always work that well together, let alone with their ostensible customers in the defense industrial base. Congress took notice and, starting in the National Defense Authorization Act for 2020, required the Pentagon to come up with “a consistent, comprehensive framework.” That mandate helped put the Pentagon on the path to develop the strategy published this morning.
“The reason why we’re here today is there was an NDAA Section 1648 [PDF] which directed us to come up with an overarching strategy,” said David McKeown, the Pentagon’s Senior Information Security Officer and a deputy to the CIO, at today’s press briefing on the strategy.
“We were very disjointed in the different stakeholders in the department that delivered services,” he admitted bluntly. “A lot of DIB partners were complaining that we didn’t have a single point of entry. The goal here with this strategy is to highlight a way forward: We will have a more centralized approach and more cogent approach, where everybody in the department knows what their role is.”
One fix in the works: creating a single point of contact for companies confused by all the would-be helpers and the bureaucratic hurdles in the way of accessing those free services.
“Rather than having to have 15 different connections to different stakeholders,” McKeown said, “[where] you can reach out to each one of those organizations individually and ask for help … we want to make that more streamlined, where somebody can come into a single point and more of a concierge fashion, be walked along, understanding what it is they need to protect, how they need to protect it, and getting them the resource help that they need to do that.”
When will this one-stop-shop open for business? “As we work on the implementation plan, we will flesh that out,” McKeown said.
In the near term, the most immediate action will be to clear up the official regulations on “Safeguarding Covered Defense Information and Cyber Incident Reporting,” known as section 7012. “There’s room for improvement on the wording of 7012,” McKeown acknowledged. “I published some guidance on this — I think it was overly restrictive.”
To help fix that, McKeown is convening interested companies at a “DIB Summit” on April 8 and 9 to hear their feedback, particularly on making it easier for contractors to use cloud services while still complying with DoD cybersecurity requirements.
Beyond the summit, McKeown is working with the DoD Office of Small Business Programs on a Pentagon-provided cloud service that smaller subcontractors can use, so they don’t have to buy or build one for themselves. “We should see some movement on that here pretty soon,” he said. “[We’ll] try to get those pilots underway this year.”
“We’re going to target between 50 and 75 small businesses that can be part of that pilot,” McKeown said. If that pilot proves the cloud concept works, “we’ll have to look at how we scale that up and offer it to more and more small businesses over time.” That may require DIB contractors to help pay for the cloud services, he said.
Small businesses also deserve better guidance from the Pentagon on how crucial their particular product is to the military and how stringently they must protect it, he said. (While many components are widely available on the open market, a surprising number of seemingly mundane items require specialized engineering only a handful of vendors can provide, like artillery ammunition or valves for nuclear submarines).
“The government needs to help out in identifying, during the build-out of the contract … the most important parts,” McKeown said. “We need to do a good job of identifying how everyone should be handling the technology and engineering data surrounding those individual components.”
The new strategy also includes expanding the existing, purely voluntary DIB Cybersecurity Program, for which between a thousand and 1,500 companies have already signed up. One reporter asked if that risked overwhelming the program.
“We hope that it becomes a problem,” McKeown replied: That would mean a lot more companies are choosing to participate. Many of the program’s aspects “aren’t hard to scale up,” he added: They just require sending emails on cyber threats to a longer list of addresses or letting more people download digital reference materials. Some of the more sophisticated services, like free scanning of contractors’ networks, would cost money to expand beyond a certain point, but they’re not there yet.
“In the future, maybe we might have some issues there,” he said. “But right now we have enough capacity and we’re beating the drum trying to get people to come into the program. So, please, help us have a problem there.”
“Beating the drum” to raise awareness matters because, ultimately, however hard the Pentagon tries to help, and however easy it makes it to access support, it’s still up to contractors and their employees to take their own security seriously.
“In this day and age, especially in the United States of America, everybody should believe the power of the hacker,” McKeown said. “It’s been proven out numerous times … Colonial Pipeline … the Chinese copy of the F-35. … So hopefully everybody understands that this is a real threat.”