Defense contractors are not required to disclose their cybersecurity efforts, and waiting on them to do so voluntarily has left gaps in security, a top defense cyber official said on Nov. 16 at Politico’s Defense Summit.
David McKeown, the Pentagon’s acting principal deputy chief information officer, elaborated that the voluntary nature of disclosing cybersecurity efforts and practices is a “failing point.” While contractors are expected to adhere to specific cybersecurity standards, “assessments conducted by the [Department of Defense (DoD)] show that most fail to meet those standards,” he said.
McKeown listed various ways DoD cyber experts can assist vendors, free of charge, to meet those expected cybersecurity standards, including on-site network assessments, sharing threat intelligence, shoring up email security, and providing protective network-security services.
“But only around one percent of our hundreds of thousands of contractors take advantage of these offerings,” he said.
McKeown explained that the upcoming Cybersecurity Maturity Model Certification (CMMC) program – expected to go into effect early next year – will require all defense contractors to go through a third-party verification process attesting to their cybersecurity practices and processes. The program “is an opportunity for us to reach out to contractors,” he said.
Also at the summit, Sen. Mike Rounds, R-S.D., the ranking member on the Senate Armed Services Committee’s Subcommittee on Cybersecurity, said the United States is facing a “public-policy challenge” when it comes to defending the United States and its citizens against cyberattacks.
“If you were to ask someone in the public, who’s responsible for defending me against an incoming missile attack, well, everybody would say it’s the Pentagon, it’s the [DoD]. But what about an incoming attack on a cyber system? Well, why wouldn’t it be the [DoD]? And yet the [DoD] does not work within the United States, Homeland Security does,” Sen. Rounds said.
Current coordination and information sharing among DoD, Homeland Security, and companies is voluntary. Sen. Rounds said there must be an accepted standard for the defensive capabilities that are considered appropriate and expected to be “built into everybody’s systems by the businesses and the individuals themselves.”
“That coordination, that ‘whole of country’ is critical, but that requires a national policy that understands it, and appropriately implements it. We’ve got a long way to go on that,” Sen. Rounds said.