January 21, 2021 | International, C4ISR, Security

After huge hack, Biden security picks want more cyber coordination with industry

WASHINGTON — Two top national security nominees advocated Tuesday for stronger federal cybersecurity and increased collaboration with contractors in the aftermath of a supply chain breach that infiltrated numerous federal agencies.

If confirmed, retired Army Gen. Lloyd Austin and Avril Haines, President-elect Joe Biden's nominees for defense secretary and director of national intelligence, respectively, would start their jobs in the middle of the national security community's assessment of damage from a cybersecurity breach pinned on Russian hackers. They gained access through software from SolarWinds, a major government contractor.

“We must elevate cybersecurity as an imperative across the government in order to defend the American people and U.S. critical infrastructure,” Austin told the Senate Armed Services Committee in his answers to the lawmakers' advance policy questions. “Additionally, the government must continue to strengthen its partnership with the private sector to foster greater information sharing and collaboration.”

So far, federal investigators have discovered breaches at “fewer than 10” federal agencies, though the Pentagon and intelligence community haven't confirmed whether their offices were among the victims. Haines, who served as deputy CIA director and deputy national security adviser to President Barack Obama, found it concerning that the breach first came to light through cybersecurity company FireEye, instead of through U.S. government cybersecurity operators.

“[I] absolutely share ... concern that we're actually able to detect these because that's obviously absolutely critical to us protecting against them,” Haines said before the Senate Select Committee on Intelligence. “I think ... it was pretty alarming that we found out about it through a private company as opposed to our being able to detect it ourselves to begin with.”

In response to the breach, Austin committed to reviewing the DoD's cyber posture and emphasized that Russia must be punished for infiltrating federal networks. In the advance questions, Austin stopped short of calling the breach an act of war, arguing that designation “requires a case-by-case and fact-specific determination.”

“For example, malicious cyber activities could result in injury, death or significant property destruction,” Austin wrote. “These activities would need to be considered in their totality.”

An early January announcement from several federal investigators, including the NSA and Office of the Director of National Intelligence, stated that the breach was believed to be an espionage campaign and “likely Russian in origin.”

“If that's the case, I think Russia should be held accountable,” Austin said at the hearing. “That's my personal belief.”

Sen. Jack Reed, D-R.I., who sits on both SASC and SSCI, called the breach “the greatest cyber intrusion in the history, I think, perhaps, of the world” and said that the stovepiped nature of the U.S. national security apparatus needed to be addressed. Reed said one challenge for Haines will be developing a “more coherent, cohesive, integrated approach” to dealing with cybersecurity threats, particularly from advanced nation-state actors.

Under questioning from senators, Haines said the SolarWinds supply chain hack was a “grave threat,” and the government needs to improve its defenses against such attacks, though she noted that she hasn't received a classified briefing on the intrusion. In 2019, a report from ODNI warned of growing software supply chain hacks that provide an “efficient way to bypass traditional defenses and compromise a large number of computers.”

“To prevent a recurrence of this kind of attack, we need to close the gap between where our capabilities are now and where they need to be in order to deter, detect, disrupt and respond to such intrusions far more effectively in the future,” Haines wrote in her questionnaire. “If confirmed as DNI, I will review the expert conclusions from the SolarWinds incident and the current intelligence about supply chain vulnerabilities and what steps may be taken to address any vulnerabilities.”

Haines told senators that she would assess how the intelligence community can improve its cybersecurity partnerships with industry and the whole federal government.

“I believe that the IC plays an integral role in detecting and warning against nation-state targeting of U.S. networks and infrastructure,” she wrote. “If confirmed, I will examine how better collaboration between the IC and the rest of the U.S. government, coupled with closer partnerships with the private sector and our international allies, can enhance our ability to deter, detect, and mitigate cyberattacks.”

Haines will review whether the intelligence community is allocating resources properly to face advanced cyber threats and will examine the adequacy of the IC's existing authorities to protect the digital infrastructure of the United States, she said. Austin pointed to a cyber-threat sharing partnership the department has with the defense industrial base and stated that the department should “continue to look for ways to better integrate with interagency partners and the private sector.”

In light of the SolarWinds breach, the senators on SSCI wrote that they are worried about a “lack of mandatory threat information sharing between the private sector and government,” adding that any information sharing from the private sector after the breach is voluntary. Haines would review the relationship.

“Information sharing between the IC and the private sector is increasingly important to ensure that our data systems and networks are secure,” she wrote. “If confirmed as DNI, I look forward to reviewing the Intelligence Community's data sharing and information exchange relationship with the private sector, to engaging with IC experts and private sector leaders on what information is currently being shared, and to examining the efficacy of the current framework for sharing threat information.”

The incoming Biden administration has signaled that it will prioritize cybersecurity in the aftermath of the SolarWinds breach. The Biden team named Anne Neuberger, the NSA's cybersecurity director who worked to improve information sharing with the private sector, to the National Security Council as deputy national security adviser for cyber and emerging technology.

Haines wrote that she will “ensure” that the intelligence community has a “robust data sharing and information exchange relationship” with private companies and said that she will be “studying current information sharing to determine how it can be improved and what types of information can be shared to enhance cybersecurity protections.”

“The private sector has unique insight and expertise on malicious activity occurring within its networks,” Haines said. “Real-time integration of private sector and government data could lead to more effective prevention and mitigation outcomes.”

Cyber norms and deterrence

For the last few years, the U.S. government has wrestled with the concept of deterrence in the cyber domain, a complex challenge that includes resilient defenses, risk management and strong international partnerships. As the SolarWinds breach demonstrated, deterring adversaries from hacking, which is seen as below the threshold of an armed response, is difficult.

In response to a question from Sen. John Cornyn, R-Texas, about how to approach cyber deterrence, Haines pointed to many of the same tenets of current U.S. cyber deterrence, including imposition of costs for malicious actors' behavior, bringing foreign allies together to impose those costs, building resilient systems that are hard to hack, developing norms and creating strong relationships with the private sector.

Haines wrote that setting norms should include outlining sanctionable behavior with agreement from allies. A cornerstone of sanctioning is attributing cyberattacks to actors, a challenging undertaking in the cyber realm. Sen. Mark Warner, D-Va., said he wanted Haines to be more forthcoming with attribution of cyberattacks, stating that he found it “extraordinarily concerning” that the “[Trump] White House underplay[ed] attribution on Russia.”

Attribution, Haines said, would be a major piece of the ODNI's role in deterrence.

“Something we [ODNI] can do is promote the ability to detect when adversaries are engaging in such activity so as then to provide information about attribution, for example. And then hold adversaries to account through that.”

https://www.c4isrnet.com/cyber/2021/01/20/after-huge-hack-biden-security-picks-want-more-cyber-coordination-with-industry
