Experts and members of the defense industrial base shared the challenges they face in maintaining a strong cyber posture and a secure supply chain with the Senate Armed Services Cybersecurity Subcommittee on Tuesday, alarming the senators in attendance.
Panelists shared varied concerns, from the high costs of implementing differing cybersecurity requirements from different branches of the Department of Defense (DoD) to the fear of retribution for reporting cybersecurity issues. The panel also emphasized the need for guidance beyond the NIST Cybersecurity Framework, which it described as only a starting point.
However, the sticking point of the hearing was the supply chain, and the difficulty prime contractors have in keeping track of their subcontractors.
“In my experience, when I was Acquisition Executive, the knowledge that a lot of the primes had of their detailed supply chain was very mixed, and surprisingly so,” said William LaPlante, general manager of MITRE’s National Security Sector and former assistant secretary for acquisition at the Air Force.
“One of the challenges is…I’ve got 23 contractors that make the primary shaft for the Chinook helicopter, and that’s just for the primary shaft. The problem is that the prime contractors know who their immediate supplier is, but they don’t know who is beyond them,” said Christopher Peters, CEO of the Lucrum Group. “If I let you know who my contractors are, and who my supply chain is, …”
“That’s the first person you’ll bid against them next time,” replied Sen. Joe Manchin, D-W.Va. “But I don’t care.”
The senators present at the hearing, Mike Rounds, R-S.D., and Manchin, responded strongly to this challenge.
“We can change that–we’re on the committees that can change the contracts,” said Manchin. “That is absolutely unbelievable.”
Rounds floated the idea of adding a standard by which contractors could signify their compliance and strong cybersecurity posture, a concept that is already underway at some industry groups. He also raised concern about the potential for reprisals from within DoD.
“The thought that there would be reprisals coming back through DoD for a subcontractor or business entity, for a report on something which would be a threat to national defense, is a real concern,” said Rounds.
“It looks like to me that we’re protecting a business model more than we are the security of our country,” said Manchin.