August 14, 2018 |
By Ellen Nakashima
The Pentagon has a new goal aimed at protecting its $100 billion supply chain from foreign theft and sabotage: to base its weapons contract awards on security assessments — not just cost and performance — a move that would mark a fundamental shift in department culture.
The goal, based on a strategy called Deliver Uncompromised, comes as U.S. defense firms are increasingly vulnerable to data breaches, a risk highlighted earlier this year by China's alleged theft of sensitive information related to undersea warfare, and the Pentagon's decision last year to ban software made by the Russian firm Kaspersky Lab.
On Monday, President Trump signed into a law a provision that would bar the federal government from buying equipment from Chinese telecommunications firms Huawei and ZTE Corp., a measure spurred by lawmakers' concerns about Chinese espionage.
“The department is examining ways to designate security as a metric within the acquisition process,” Maj. Audricia Harris, a Pentagon spokeswoman, said in a statement. “Determinations [currently] are based on cost, schedule and performance. The department's goal is to elevate security to be on par with cost, schedule and performance.”
The strategy was written by Mitre Corp., a nonprofit company that runs federally funded research centers, and the firm released a copy of its reportMonday.
“The major goal is to move our suppliers, the defense industrial base and the rest of the private sector who contribute to the supply chain, beyond a posture of compliance — to owning the problem with us,” said Chris Nissen, director of asymmetric-threat response at Mitre.
Harris said the Pentagon will review Mitre's recommendations before proceeding. She added that the Department of Defense, working with Congress and industry, “is already advancing to elevate security within the supply chain.”
Testifying to Congress in June, Kari Bingen, the Pentagon's deputy undersecretary for intelligence, said: “We must have confidence that industry is delivering capabilities, technologies and weapon systems that are uncompromised by our adversaries, secure from cradle to grave.”
Security should be seen not as a “cost burden,” she told the House Armed Services Committee, “but as a major factor in their competitiveness for U.S. government business.”
The new strategy is necessary, officials say, because U.S. adversaries can degrade the military's battlefield and technological advantage by using “blended operations” — hacking and stealing valuable data, manipulating software to sabotage command and control systems or cause weapons to fail, and potentially inducing a defense firm employee to insert a faulty component or chip into a system.
“A modern aircraft may have more than 10 million lines of code,” Mitre's report said. “Combat systems of all types increasingly employ sensors, actuators and software-activated control devices.”
The term “Deliver Uncompromised” grew out of a 2010 meeting of senior counterintelligence policy officials, some of whom lamented that the Defense Department was tolerating contractors repeatedly delivering compromised capabilities to the Pentagon and the intelligence community.
Addressing the security issue requires greater participation by counterintelligence agencies, which can detect threats against defense firms, the report said, and ideally, the government should establish a National Supply Chain Intelligence Center to monitor threats and issue warnings to all government agencies.
Ultimately, the military's senior leaders bear responsibility for securing the supply chain and must be held accountable for it, the report said.
The Defense Department, although one of the world's largest equipment purchasers, cannot control all parts of the supplier base. Nonetheless, it has influence over the companies it contracts with as it is the principal source of business for thousands of companies. It can shape behavior through its contracts to enhance supply-chain security, the report said.
Legislation will be needed to provide incentives to defense and other private-sector companies to boost security, Mitre said. Congress should pass laws that shield firms from being sued if they share information about their vulnerabilities that could help protect other firms against cyberattacks; or if they are hacked by a foreign adversary despite using advanced cybersecurity technologies, the report said.
Contractors should be given incentives such as tax breaks to embrace supply chain security, the report suggested.
The Department of Homeland Security is addressing the security of the information technology supply chain through its newly established National Risk Management Center. “What we're saying is you should be looking at what vendors are doing to shore up their cybersecurity practices to protect the supply chain,” said Christopher Krebs, DHS undersecretary for the National Protection and Programs Directorate.
The National Counterintelligence and Security Center, an agency of the Office of the Director of National Intelligence that coordinates the government's counterintelligence strategy, said in a report last month that software-supply-chain infiltration has already threatened critical infrastructure and is poised to endanger other sectors. According to the NCSC, last year “represented a watershed in the reporting of software supply chain” attacks. There were “numerous events involving hackers targeting software supply chains with back doors for cyber espionage, organizational disruption or demonstrable financial impact,” the agency found.