FARNBOROUGH, England – The Pentagon is considering a process that will allow the Department of Defense to challenge the cyber security of its contractors.
Asked if the Defense Department was looking at a “red team” cyber process for its industrial partners, Kevin Fahey, assistant secretary of defense for acquisition, told reporters, “we will.”
“On a quarterly basis, we have a big event with industry. In our last engagement, which was just a couple weeks ago, that was a main topic of discussion,” Fahey told reporters Monday at the Farnborough Airshow.
“From an industry relationship, their feedback to us was that’s what they want: us to red team,” he added.
In this scenario, a red team cell would test vulnerabilities and try to penetrate the contractors’ systems in order to identify weaknesses. America’s defense industrial base has been raided over the last few years, an issue the Trump administration has outlined as a key danger for the Defense Department.
Eric Chewning, the head of the Pentagon’s industrial policy office, said that data breaches from defense contractors have been an issue for some time, noting, “It’s not just on the classified space, but it’s also on the sensitive unclassified information as well that’s important to us.”
But Chewning is aware that just loading new requirements onto industry could turn off the kind of high-tech commercial firms the Pentagon needs to attract to stay on the cutting edge.
“As we’re thinking about the standards and rules, with industry’s input, we also have to keep in mind the commercial conversation we just had, which says, ‘Listen, we can’t also drive a whole bunch of cost into this system or a whole new set of compliance requirements that make folks not want to do business with us,’” he said.
“So we have to find the right balance. More broadly, you could see a convergence of both commercial and military requirements in terms of secured architectures helping to solve some of that equation, but we’ll see.”
However, creating a red team situation should not be something totally new for the defense industry. Fahey compared the situation to what the Pentagon has done with software and system engineering.
“If we can figure out how do we do a level of maturity on cybersecurity and do red teaming, how do we check you that you are compliant, it is sort of a construct that our industry understands,” Fahey said.