WASHINGTON: With the Pentagon increasingly anxious about how Chinese hackers constantly probe defense contractors’ networks, the massive Aerospace Industries Association is releasing an ambitious new cybersecurity plan for companies hoping to win government work.
The move comes as top officials warn the defense industry that cyber hygiene will increasingly become part of the Pentagon’s decision-making process in deciding what to buy from the private sector, and amid increasing concerns that inconsistent standards for cyber security across industry are putting everyone at risk.
AIA’s new (and voluntary) National Aerospace Standard on cybersecurity (NAS 9933) aims to build on existing government standards while adding some much-needed conformity across the massively complex and varied defense industrial base. According to documents to be released Thursday afternoon, the new standards will allow companies and the government to have a better idea how secure their potential partners are before going into business with them.
“With aggressive state and non-state cyber actors targeting the United States, it is essential that our industry work collectively to protect technology and information,” said AIA president Eric Fanning, a veteran of the Obama Pentagon. “We are committed to bringing our industry together in partnership with government to implement this and other meaningful measures that keep us and our nation safer from cyber threats.”
The group said that the rules and procedures will serve “as a companion to DOD’s current minimum standards” and build on 2015’s National Institute for Standards and Technology rules, which identify 110 benchmarks for cyber security.
But companies can still be awarded government contracts even if they don’t implement all of NIST’s 110 controls, which led AIA to recommend new performance levels that will be transparent to all involved.
Cybersecurity for contractors has become a top priority for the Pentagon. Tightening cyber standards is a key part of the DoD’s recent Defense Industrial Base report and acquisition reform in general. Pentagon officials often say they want cybersecurity to be a “fourth pillar” of the acquisition process, alongside cost, schedule, and performance.
Under secretary for acquisition Ellen Lord said earlier this year that she has been meeting regularly with the defense industry to talk about how cyber security will affect future acquisition decisions. She said she’s taken to bringing intelligence staffers along with her to meetings with industry to impress on them the dangers of poor cyber hygiene.
Calling it an ongoing “education process,” Lord warned, “there is an expectation that standards will be met within industry.”
“Up to this point in time there has really been self-reporting (of problems),” Lord said. “We are actually going to go in and ‘red team’ industry to see how robust their systems are. The reality of the world we live in means cyber security is going to become more and more of a discriminator.” In other words, Pentagon hackers may test your security by trying to get into your company’s network, and you can lose a contract for a weapons system if its cybersecurity can’t protect that system’s secrets — or potentially be barred from defense contracts altogether.
Pentagon comptroller David Norquist has also spoken frequently in recent months about how cyber issues have lead to some uncomfortable conversations with the defense industry. One of the biggest reasons the Pentagon failed its recent first-ever audit of its financial systems was due to problems with its IT architecture and the ways those systems interact with contractors. Speaking to reporters to unveil the audit, he revealed the Pentagon’s “single largest number” of failings was in its “IT security around our businesses.”
Norquist warned defense industry execs last month, “if you fielded one of those systems that is vulnerable to cyber intrusions, that is filled with errors in the way it is set up, we need to talk because you’re one of the reasons we’re not passing the audit, and we need you to fix it.”