MITRE, a manager of Federally-funded research and development centers targeting Federal defense, intelligence, and cybersecurity functions, recommended in a new report released today that the Defense Department (DoD) undertake a sweeping menu of actions to improve military supply chain security, and warned that maintaining the status quo of current security policy may have ruinous consequences.
Among its extensive list of recommendations, MITRE said a new DoD strategy to reduce supply chain risk would include better cooperation with intelligence agencies and the Department of Homeland Security, and provide contractors with incentives to improve security in order to win DoD business.
Among a list of 15 suggested strategic elements that MITRE said DoD could pursue to improve supply chain security are: elevating security as a “primary metric” in DoD acquisition and sustainment; forming a “whole-of-government national supply chain intelligence center”; conducting an education, awareness, and ownership of risk campaign; creating a chain of command for supply chain that reports to the Deputy Secretary of Defense; creating automated assessment and continuous monitoring of defense industrial base software; improving protections for DoD system design and operational data; and requiring vulnerability monitoring, coordinating, and sharing across the supply chain of command.
On the legislative front, MITRE recommended strategic elements through which DoD would advocate on a number of issues including litigation reform, liability protection, and tax incentives, as well as private insurance initiatives.
MITRE pulled few punches in its description of the current level of supply chain risk and the steps it is recommending to reduce the risk. Regarding that risk, the organization said adversaries conducting asymmetrical actions through the supply chain, cyber domain, and human elements “can render our national capability to project power–hard or soft–non-mission ready and collapse or even reverse the decision cycle.”
And as to the current state of readiness to meet such threats, MITRE said, “Today, various parts of the Department of Defense (DoD) and the Intelligence Community (IC) are generally aware of cyber and supply chain threats, but intra- and inter-government actions and knowledge are not fully coordinated or shared.”
“Few if any holistically consider the entire blended operations space from a counterintelligence perspective and act on it. Risk quantification and mitigation, as a mission, receive insufficient resources and prioritization. Too little attention is directed toward protection of operational security or software assurance. There is no consensus on roles, responsibilities, authorities, and accountability,” it said.
“Responsibilities concerning threat information are ‘siloed’ in ways that frustrate and delay fully informed and decisive action, isolating decision makers and mission owners from timely warning and opportunity to act,” it said.
On the remedies front, MITRE said “DoD must make better use of its existing resources to identify, protect, detect, respond to, and recover from network and supply chain threats. This will require organizational changes within DoD, increased coordination with the IC, and more cooperation with the Department of Homeland Security and other civilian agencies. It will also require improved relations with contractors, new standards and best practices, changes to acquisition strategy and practice, and initiatives that motivate contractors to see active risk mitigation as a ‘win.’ Risk-based security should be viewed as a profit center for the capture of new business rather than a ‘loss’ or an expense harmful to the bottom line.”
“While DoD cannot control all the actions of its numerous information system and supply chain participants, it can lead by example and use its purchasing power and regulatory authority to move companies to work with DoD to enhance security through addressing threat, vulnerabilities, and consequences of its capabilities and adapt to dynamic, constantly changing threats,” MITRE said.
MITRE also said that while DoD has the strongest influence over the companies it contracts with directly, DoD spending “is a principal source of business for thousands of companies” and can “reward the achievement, demonstration, and sustainment of cyber and supply chain security.”
“Cyber and supply chain vulnerability extends well beyond DoD, across government and into the private sector,” MITRE said. “Nonetheless, DoD has potentially decisive influence in this space.”
The wider effort to reduce supply chain risk, MITRE said, “will take time and will present many challenges–but perpetuation of the status quo is unacceptable. We are past the time when we can be satisfied with responses that are incidental or merely incremental.”