NATIONAL HARBOR, Md. – The Pentagon is preparing to press the defense industry to increase its cyber security, with Deputy Secretary of Defense Patrick Shanahan saying it will become a key measurement for how industry is judged by the department.
“This is a public service announcement for those of you from industry, especially for those of you that are in the, I'll call it, higher tiers,” Shanahan told an audience at the annual Air Force Association conference Wednesday.
“Cybersecurity is, you know, probably going to be what we call the ‘fourth critical measurement.’ We’ve got quality, cost, schedule, but security is one of those measures that we need to hold people accountable for,” he said.
“We're going to work with our industrial partners to help them be as accountable for security as they are for quality. And it shouldn't be that being secure comes with a big bill. It's just like we wouldn't pay extra for quality. We shouldn't pay extra for security.”
The responsibilities of primes go beyond just ensuring their own internal cyber security, in Shanahan’s eyes. The former Boeing executive laid down the gauntlet to the biggest industrial partners, saying flatly it is part of their job to make sure the lower-tier suppliers are secure as well.
The Pentagon and its contractors need to take a more rigid and uncompromising approach to cybersecurity, a change in philosophy that would require a more active role from CEOs and industry leaders.
“I'm a real strong believer that the Tier 1 and Tier 2 leadership has a responsibility to manage the supply chain. And that's where we have real gaps,” he said. “Security is the standard. It's the expectation. It's not something that's above and beyond what we've done before.”
In recent years the Pentagon has been increasingly vocal about its concerns that lower-tier suppliers are not as secure digitally as they need to be; unsecured parts from those suppliers can then be incorporated into larger projects, potentially with vulnerabilities that would not be discovered until it is too late.
To try and address that, the Pentagon has been looking at a plan to launch red team cyber attacks on industrial partners, in which a cell would test vulnerabilities and try to penetrate the contractors' systems, in order to identify weaknesses.