WASHINGTON, D.C. – The Pentagon’s acquisition community is going after two major sources of risk within the industrial base: the cybersecurity of companies that do business with the Defense Department, and fragility within certain critical suppliers.
Ellen Lord, under secretary of defense for acquisition and sustainment, said Thursday at the U.S. Naval Institute annual meeting that “cybersecurity is probably the largest emerging threat we have.”
“However, we have these high-level [National Institute of Standards and Technology] standards that we say industry has to comply with. It is not particularly easy to understand how to comply with a hundred and twenty-some separate requirements,” she said.
“So what I’ve mandated is, this year we will come up with a National Cybersecurity Standard with metrics, and we will develop third-party independent auditors who can go and audit against those cybersecurity standards. This is very similar to ISO standards for quality. In that way, we will be able to discriminate between a company that is really cyber-secure and one that is not.”
The Navy has had its share of challenges in this area recently, with companies working with the Navy on undersea warfare research or acquisition projects being especially prone to cyber attacks. The Washington Post reported in June that a contractor working with the Naval Undersea Warfare Center in Rhode Island on a supersonic anti-ship missile was hacked by the Chinese government. In December, The Wall Street Journal reported on a Navy review of cyber vulnerabilities that highlighted many attacks in recent months, mostly tied back to China.
Lord noted in her remarks, though, that small businesses often don’t have the money or the in-house expertise to build up their cyber protections in the way that large corporations do, and too-strict cybersecurity requirements could be a barrier to doing business with the Pentagon for many companies.
“Small business is really our innovation engine, and if we levy all our requirements on many small businesses, we will literally put them out of business. Or we will push them to the edge of where it is just too difficult to do work with the Department of Defense so I’m just not going to,” she said.
She said it’s on the Pentagon to figure out how to balance the need to leverage small businesses with keeping data and networks secure. One innovative solution DoD has implemented recently is creating secure enclaves in the cloud where small business software developers can work – essentially using the cloud as government-furnished equipment on a project and allowing the small companies to contribute to the project “in a very safe and secure way” where the Pentagon is responsible for protecting against cyber attacks on that space.
Though more work remains to be done, Lord said software underpins every weapon, ship, plane and system the military uses and that the Defense Department must ensure its software is not vulnerable to hacks and attacks.
Another ongoing industrial base concern is fragility – the idea that a critical component may only have one source that could be at risk of going out of business, that a sole source may have ties to another country like China, or that the existing sources cannot keep up with current demand but other companies are not willing to break into the market.
Asked by USNI News what the Pentagon is doing about these fragility issues, especially as they relate to the submarine industrial base – which is struggling to keep up with an increase in new construction and maintenance activities across all classes of submarines – Lord said a September report, “Assessing and Strengthening the Manufacturing and Defense Industrial Base and Supply Chain Resiliency of the United States,” helped home in on the areas of greatest concern and generate an implementation plan that guides Pentagon talks with industry.
“We’ve identified where we have fragility. A whole number of issues there: we might be sole-sourced to China on certain rare earth metals. We might have only one company that produces critical energetics. So what we’ve done is used the report to guide us to what we need to look at to shore up,” Lord said.
Most of DoD’s work happens with prime contractors, who are responsible for understanding the vendor base that underlies their programs.
“Often these companies might not have a problem with their first-level suppliers, but about six levels down in the supply chain they do have a problem. So what we help to do is shine a light on that. Okay, you’ve identified a problem, now what do you do about the problem? We are pointing to authorities we have … different pots of money we have where we can shore up some of these areas,” she said.
“We also – and I think this is really the most innovative thing we’re going to do … we are creating a Trusted Capital Marketplace where we have a list of companies from a whole series of different industry segments that need capital infusion, and the actual business case analysis is such that it doesn’t attract a lot of typical investors,” Lord said.
“But we’re very very fortunate that we have a lot of patriotic venture capitalists in this world, a lot of families with funds that they want to invest, and they’re interested in understanding where they can invest in our nation’s industrial base to make a difference towards our safety and security. So we are creating a marketplace to bring these two groups together to help with that.”
Lord said that the marketplace would roll out in the next three or four weeks, and she said that data analysis underpins the companies that the Pentagon will highlight as those in need of a cash infusion to help ensure the health of the industrial base and the stability of important acquisition programs.