
June 26, 2020 | International, C4ISR, Security

‘Lightning in her veins’: How Katie Arrington is convincing defense contractors to love cybersecurity

Andrew Eversden

Katie Arrington's job is to win the room.

She's at San Francisco's Moscone Center on Feb. 26 at the RSA Conference, one of the largest cybersecurity events. In the last year, she's spoken at more than 100 events, which may explain why today, she's sick. Her voice, typically loud and energetic, is raspy and shaky.

Arrington's title is clunky: chief information security officer for acquisition in the Office of the Under Secretary of Defense for Acquisition and Sustainment. Translated, she's leading the Pentagon's effort to add new cybersecurity requirements for the 300,000 companies that do business with the Pentagon. Her challenge, almost every day, is to convince industry it should embrace the Defense Department's new auditing standards, which are aimed at improving cybersecurity.

In this room, she sits next to a top American executive from the Chinese technology company Huawei to discuss — rather, argue about — supply chain security, alongside a Harvard lecturer and think tank fellow. In the months leading up to the panel, the U.S. government and Huawei fought in court over a provision in the fiscal 2019 defense policy bill that bans federal agencies from buying the company's equipment.

The audience is shoulder to shoulder, no seat spared. “This session promises to be one of the most interesting, colorful and perhaps debate[d] topic,” the moderator begins.

Arrington, however, doesn't understand what all the “hoopla” is about.

“Really, honestly, it's not that big of a deal,” she told C4ISRNET hours before the session.

The Department of Defense has made the RSA Conference a greater priority in recent years as it tries to heal a strained relationship with Silicon Valley. Outside the Capital Beltway, the cybersecurity community often views the department's mission with skepticism, or sees the department as an overly strict parent.

In contrast, defense leaders see themselves as offering lucrative contracts with reasonable sets of security requirements for winning the work, which can range from the acquisition of military weapons systems and basic IT tools to mowing grass at military bases.

But after years of suppliers with weak cybersecurity tormenting the department, it's now Arrington's job to find a solution. The conventional wisdom among defense officials is that cybersecurity problems can't be solved — they can only be mitigated.

“Supply chain security is an insurmountably hard problem,” said fellow panelist Bruce Schneier, the Harvard lecturer and well-known technology guru.

So Arrington flies all over the country, speaking to room after room of defense contractors and trying to convince them, somehow, that they must impose tighter cybersecurity controls. And if they don't? The Pentagon could lose out on state-of-the-art technology to protect national security secrets.

And if industry doesn't care about that? Then businesses will lose out on profitable DoD contracts.

The underdog

Arrington has spent much of the last two and a half years shuffling in and out of rooms, working to persuade audiences she can solve pressing community problems. In 2018, it was a different cause: politics.

Her problem then was Rep. Mark Sanford. Sanford, she said, spent too much time on cable news fighting with President Donald Trump and not enough time on local issues. So Arrington challenged him in a Republican primary.

Sanford, the former South Carolina governor of “hiking the Appalachian Trail” fame, had never lost an election. But Arrington, endorsed by the president, pulled off the unexpected, knocking off the political powerhouse by about 2,500 votes and adding her name to South Carolina political folklore.

“If somebody tells her she can't do something, she ignores that,” said Andrew Boucher, a consultant for Arrington's congressional campaign. “She ignores the naysayers.”

Now, Arrington, 49, is leading a robust overhaul of the Pentagon's cybersecurity requirements for contractors, known as the Cybersecurity Maturity Model Certification, or CMMC. The department is pushing the reform at a breakneck pace, at least as far as Defense Department reforms go. Her team has issued several drafts and the final standards in the past year.

“She's got lightning in her veins,” said retired Adm. James Stavridis, the former supreme allied commander of NATO and a member of the board of directors for PreVeil, an email encryption company. “She's smart, and she's smart enough to know she doesn't know everything.”

That lightning kept CMMC on pace for its final standards rollout in January, an aggressive timeline that one trade association representative characterized as a “herculean effort.” This summer, CMMC is scheduled to be included in requests for information for upcoming Pentagon contracts.

If all goes according to plan, CMMC would mitigate several cybersecurity issues that plague the DoD supply chain, and the government would have a mechanism to verify contractors' cybersecurity claims. The guidance recognizes that security differs from business to business while allowing the government insight into companies' cyber posture before awarding contracts.

The problem now is a system in which companies self-assess their cyber defenses: under the existing DFARS clause, a contractor attests on its own that it has implemented the NIST SP 800-171 controls, and nobody outside the company verifies that claim before a contract is awarded. Arrington describes it this way:

“Everybody thinks when they walk out of the room in the morning, when they walk away from the mirror, they look great, [but] when you put the mirror up and you say, ‘Yeah, nope' — you didn't draw your eyebrows on right today.”

Through these changes, the department has to retain a fair and competitive acquisition process. It's a massive overhaul that needs a charismatic and competent leader to succeed, said David Berteau, president and CEO of the Professional Services Council, a trade organization that represents more than 400 government contractors.

“Very little important change gets done without a vocal, capable champion present all the way through,” he said.

That's Arrington.

Experts estimate that China steals hundreds of billions of dollars worth of American intellectual property annually, including military technology. The federal government's concern with Huawei is that its presence in networks could allow the Chinese government to access federal data. Chinese actors have repeatedly breached Navy contractors, as the Wall Street Journal reported in 2018. In addition, China accounts for 90 percent of the U.S. Justice Department's economic espionage cases as well as two-thirds of its trade secrets cases, according to a 2019 Congressional Research Service report.

Pentagon officials see the success of CMMC as critical “because of the ongoing and escalating threat of cybersecurity challenges,” said Berteau, who also worked for six defense secretaries. “It has real consequences for America, above and beyond the consequences for a particular contract or a particular program.”

But leaders in the defense industry still have questions. Company executives wonder what level of certification they will need, a centerpiece of CMMC that will affect competitiveness. Business leaders also don't know when they need to get the certifications. Others still have questions about reimbursement for “allowable costs” for compliance, or don't understand how subcontractors can recover compliance costs, if at all.

Though some industry members have criticized the Pentagon for the rapid speed at which CMMC has proceeded, others acknowledge it is years overdue. Every contract awarded without CMMC in the solicitation locks in today's weaker controls until that contract expires, the argument goes, so each day of delay costs the Defense Department years of tighter security on that contract. And Arrington is quick to mention the standards need to be in RFPs this fall.

“Our adversaries ... their whole job is to have us not exist. The easiest way to do that has been through our supply chain,” she said on a January podcast. “It's the easiest way to get access to us.”

‘Everybody has a superpower'

Tensions rise on the RSA Conference panel after Arrington explains why the Defense Department must stay away from risky technology that may allow access into DoD networks through backdoors.

Why, she questions, would the federal government use hardware made by a company with close ties to the Chinese government — the same government that's plotting economic domination, trampling over human rights and looking to spread communism?

But isn't it true that several other countries can install backdoors and launch virtual attacks? responds Huawei's Andy Purdy, implying the United States has that capability as well.

“That's ridiculous!” Arrington says, with her arms outstretched to her sides. “The bottom line is we're a democracy, we're different!”

In the last 18 months, Arrington's earned a reputation for her candor with the defense-industrial base, a community of vendors accustomed to dry presentations on programs from other senior DoD officials. She responds to criticism on LinkedIn. She's direct with contractors, once telling them to chant: “We all are going to get breached.” Then there's the origin story of the acronym that became shorthand for her program.

“It was a glass of wine on a Friday night, and that's how you got ‘C-M-M-C,' ” Arrington jokingly said Jan. 28 at the law firm Holland and Knight. “Really, unique, huh? Yeah, I went cray-cray on the acronym.”

But joking aside, Arrington knows the government contracting process can be cumbersome. She reminds audiences that she came up in industry and understands.

“Ladies and gentlemen, we're a ‘we,' ” Arrington said in June last year, as if it were an applause line on the campaign trail.

Her approach, she said, is part of a paradigm shift that defense contractors must adopt. Accepting there's a risk of a breach will lead to stronger cyber defenses. To get this done will require a web of industry relationships. Arrington knows this. “Everybody has a superpower,” she said in an interview, and hers is collaboration.

Sources in industry agreed, telling C4ISRNET that Arrington and her team's success thus far is due to their engagement with small businesses, prime contractors and trade associations.

“It's collaboration! That's what the human condition is about. What we can do together is far more impactful than what we'll ever do on our own,” Arrington said.

Driven to serve

Twenty-eight minutes into the RSA session, the prickly nature of the panel prompts the moderator to quip: “I'm glad we're at least expressing how we feel here.”

Huawei's Purdy is passionately arguing that all bad technology should be removed from the supply chain, when Arrington cuts him off. He shuts his eyes momentarily and takes a deep breath.

She continues until Harvard's Schneier says that “5G's lost, and our only hope now is to try to secure 6G.” He then adds: “I'm rooting for you, but I'm not optimistic.”

Arrington — again finding herself on the defensive — interrupts the moderator to pointedly ask Schneier who he's really rooting for. He responds by saying he hopes Arrington can build a Huawei-free 5G network.

“Why would I have to build a 5G network? When did the Department of Defense ever build a network?” Arrington asks, snapping her head back to look at the packed audience, her brow furrowed in a look of sarcastic confusion.

The quip earns laughter from the crowd, a sign her humor and wit are working to her advantage.

Arrington “fell in love” with cybersecurity when she worked at the defense giant Booz Allen Hamilton. She's fascinated by the power and interconnectedness of technology. Cyber, she said, is like fire: It can provide benefits such as warmth or help with cooking. But handled improperly, it will burn you.

Similarly, poor cyber hygiene can destroy everything a victim is connected to, including national security secrets. Or, as she said on a January podcast, “When Al Gore created the internet, he did not realize what he was doing.”

She's also long been attracted to solving problems in public life; even President Jimmy Carter encouraged her at five years old to find solutions to problems. And there are plenty of problems to solve in local politics. So in 2016 she turned politician, winning a seat in the South Carolina House of Representatives. That was a “great training ground” that prepared her to wrestle with contractors' concerns.

“Your job is to listen to all the disparate pieces and work on the best solution set for all,” she said.

Her foray into the South Carolina political scene was brief — just two years — before she launched her bid for Congress. Ten days after she beat Sanford in the Republican primary, however, Arrington and a friend were hit head on by a drunk driver. They were taken to the hospital with life-threatening injuries. She was bleeding to death. Her back was fractured. Several ribs were broken. A main artery in her legs partially collapsed. Doctors had to remove part of her colon and small intestine.

She spent two weeks in the hospital. When Boucher visited, she wrote a note — unable to speak due to the tubes down her throat — telling him: “Two weeks and I will be right back at it.” He joked to her that finally he could tell her what to do without her talking back.

With the hand that wasn't strapped down, she flipped him off.

After a few weeks of recovery, she was in “tremendous” pain that limited how much time she could spend campaigning, Boucher said. Arrington spent weeks in a wheelchair, then used a cane. But toward the end of that summer, she helped pack and deliver sandbags as the area prepared for a hurricane.

For Arrington, the wreck gave her a new perspective.

“Even when you think you are at your worst, the sun will rise and you can make it better the following day,” Arrington said in an interview. “I mean, you don't go through what I went through with my car accident and getting that awareness of ‘tomorrow will be OK, like, I'm alive.' ”

She went on to lose the election. But the week after the congressional race concluded, both candidates left for Washington, D.C., on the same day, with Arrington cryptically telling the Post and Courier she was “going to see some groups of people.” Later, she joined the Defense Department.

“I teared up walking into the Pentagon the first day like, ‘OK, I'm really going to make a change now. I'm really going to be part of the solution,' ” she said.

Unfinished business

On stage at RSA, Chinese IP theft is a primary point of discussion. Arrington's CMMC effort is designed to defend against that, but the panelists continue to poke at the government's decision to ban Huawei.

At one point the moderator asks Arrington: What if Huawei were to go through the CMMC process and earn certification? Then could its hardware be used in DoD networks?

“It's against the law. Why are you asking a silly question?” Arrington quips, staring unflinchingly back at the laughing moderator, the crowd cheering in the background. “This is a moot point. The law is done.”

But now Schneier wants to deal in hypotheticals: If it was legal, would it be reasonable to allow Huawei into the process?

Before answering no, she says: “Even Huawei can admit [that] their programmers are where Microsoft was 25 years ago, right?”

Purdy looks forward, tongue literally in cheek, tugging awkwardly at his black dress shirt.

As CMMC becomes part of every acquisition, Arrington wants to move ahead with tools that highlight cybersecurity gaps in the supply chain, and she expects international allies to adopt some of the standards. Her goal for CMMC isn't for it to serve as a checklist, but rather as a living document that can evolve to address new threats.

Eighteen months into the job, Arrington is struggling with at least two other problems. The first is there aren't sinks to rinse out coffee mugs in the Pentagon.

“We have to wash our coffee cups in the bathroom, it's not a big deal,” she said. “But if I could figure something out like a little kitchenette, that would be nice.”

The second is her work-life balance, she said. When she says she'll meet with industry, she means it.

For more than a year Arrington's been the public face of CMMC. That leaves a third problem lingering as a presidential election approaches: What happens to Arrington, and CMMC, if there's a new administration next year? For now, her trip to San Francisco is just another packed bag, another flight and another opportunity to evangelize to an audience of cybersecurity professionals.

By now, the panelists have targeted her on several occasions, and at the end, the moderator says: “Katie, looks like they're, like, beating up on you here.”

“We don't mean to, though,” Schneier interjects. “You're, like, on the good side.”

“I am on the good side,” Arrington replies.

The audience applauds. She wants to add another comment, but the clapping cuts her off. She waits. Even Purdy gives her a few claps.

“I came here today because sometimes you just gotta say the truth and you just gotta hold the line.”

She's won over this room, and she did it while making the case for more stringent requirements that put additional burdens on companies.

Her voice was nearly gone, but another room, another meeting of industry leaders awaits. For Arrington, another set of problems is always waiting.

https://www.c4isrnet.com/cyber/2020/06/25/lightning-in-her-veins-how-katie-arrington-is-convincing-defense-contractors-to-love-cybersecurity/
