August 15, 2018 | International, C4ISR

Cost Isn’t Everything. Pentagon Should Judge Contractors on Cybersecurity, Report Says

Security would be ‘fourth pillar’ in weapons purchase decisions

The Pentagon should take into account the cybersecurity capabilities of defense contractors in addition to cost and performance measures when awarding contracts, a U.S. government-funded think tank recommended in a report published Monday.

Through its buying process, the Pentagon “can influence and shape the conduct of its suppliers,” the Mitre Corp. said in a report titled “Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War.”

The Defense Department “can define requirements to incorporate new security measures, reward superior security measures in the source selection process, include contract terms that impose security obligations, and use contractual oversight to monitor contractor accomplishments,” the report said.

The Pentagon must consider new measures because the very nature of war is changing, the Mitre report said. Adversaries no longer have to engage the United States in direct conflict using weapons but can respond to American military strikes “through blended operations that take place through supply chain, cyber domain, and human elements,” the report noted.

The report recommends that security be made a “primary metric” in Pentagon weapons purchase and sustainment decisions and that the Defense Department increase awareness of risks associated with its supply chains. It also calls for a National Supply Chain Intelligence Center that would include officials from the FBI, Homeland Security, the Pentagon and intelligence agencies to track risks and advise agencies.

When choosing current or new contractors, in addition to considering cost, performance and schedule, the Pentagon must also make security a so-called “fourth pillar,” the report said. Contractors should be continuously monitored and assessed for the degree of risk they pose, the report said.

In addition to measuring a contractor's ongoing performance on a contract, an independent, federally-funded research agency could develop a risk rating similar to credit ratings done by agencies like Moody's, the report said. Mitre is a federally-funded research and development center.

The Pentagon did not respond to an email seeking comment on the report.

The report and its recommendations come as U.S. intelligence officials have become increasingly alarmed at potential cybersecurity risks that may be embedded in vast computer networks and systems that power government agencies as well as weapon systems. Last year the Trump administration banned federal agencies from using a popular anti-virus software made by Kaspersky Labs, which was alleged to have close ties with Russian intelligence services.

Full Article: https://www.rollcall.com/news/politics/pentagon-judge-contractors-cybersecurity
