Contractors, facing an increasing barrage of cyber intrusions by foreign entities, should protect themselves using traditional regulatory approaches but also new techniques such as blockchain and artificial intelligence, according to a new report from Deloitte.
As companies in the defense supply chain began following the Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity regulations and the Department of Defense started to assess how adoption went, “we started to form our own ideas on what we see as emerging issues and solutions that [can] ... improve the cybersecurity posture against our enemies,” Jeff Lucy, managing director in cyber risk services practice at Deloitte, told Fifth Domain.
On the regulatory side, the report, titled “Third-party risk management: Cybersecurity in the Defense Industrial Base,” says prime contractors must comply with the defense regulations measuring their companies’ compliance with national cybersecurity standards. They should also create awareness among their subcontractors and smaller companies by providing training. Third, primes should create third party assessment programs for performing cybersecurity evaluations of their suppliers.
However, the paper also suggests non-regulatory approaches, including automating supply chain functions, integrating blockchain to boost cybersecurity and using artificial intelligence to gain real time visibility into the threat landscape.
Lucy noted that the Pentagon is beginning to take these regulations seriously and the problems aren’t going away.
“In 2019 we’ve seen that the DoD has started to move forward, start to take action to enforce their expectations around the DFARS requirements,” he said. “It’s clear now with the steps that we’re seeing with [Undersecretary of Defense for Acquisition and Sustainment] Ellen Lord getting the [Defense Contract Management Agency] on board to start auditing the suppliers processes for assessing their suppliers.”
Cyber intrusions into the supply chains of defense contractors have become more prevalent in recent years. In a recent example, the Chinese government was blamed for a series of hacks and while the information they stole was not technically classified, in aggregate, it was considered to be quite damaging to the U.S.
This year’s Department-wide annual report on Chinese military activity included a new section highlighting that China’s exfiltration of sensitive military information from the defense industrial base could allow it to gain a military advantage.
Ultimately, Lucy said the solution to the supply chain and cybersecurity for the defense industrial base is manageable.
“Most primes, from what I’ve seen with interactions with our customers, have put some level of the basic elements for a supplier assessment program in place already,” he said. “They’ve done some level of canvassing their suppliers, critical suppliers, taking a risk based approach to understand whether their suppliers are in adopting” standards.