With the passion of an evangelical, Deputy Defense Secretary Patrick Shanahan preached the Defense Department’s (DoD) “uncompromising” approach to cybersecurity last month at the AFCEA West conference in San Diego. And his sermon included spreading the responsibility for cybersecurity to industry as a condition of winning contracts.
Shanahan said that the critical nature of cybersecurity–and its reliance on commercially provided products and services–requires that DoD ensure the security of its partners. “We want the bar to be set so high, it will become the condition of doing business,” he said, according to media reports from his conference keynote, in which he discussed the National Defense Strategy released in January.
As part of his proposed policy, “instead of having a financial disclosure statement, we want you to sign a cyber disclosure statement that says, ‘Everybody you do business with is secure,’” he said. While acknowledging that it won’t happen overnight, he said, “we need to get to that level because your secrets, our secrets are exposed.”
Shanahan didn’t expound on how DoD and vendors would implement his plan, but this type of approach is not without precedent. During his talk, for example, he mentioned his three decades at Boeing, where product safety and reliability were baked into the process.
“I think this analogy is very appropriate,” said Adam Bosnian, executive vice president of security company CyberArk. The kind of disclosure Shanahan talked about might be new in cybersecurity, but the Food and Drug Administration takes a similar tack in ensuring that products meet established standards before manufacturers can make claims about them. Underwriters Laboratories offers another example, confirming that electronic devices are safe before they can use the UL logo.
“Disclosures of this nature can communicate a higher level of assurance to customers, while forcing vendors to do ‘more than nothing,’” said Bosnian. While there is no guarantee of 100 percent security for anything, Shanahan “is starting a much-needed dialogue in the industry,” he continued. “This is a responsibility that the vendor community should embrace and can no longer kick down the road for someone else to deal with.”
DoD officials have often talked about the need for a “whole of government” and even “whole of nation” approach to cybersecurity, in light of the department’s reliance on Internet-based operations and the number–growing every day–of devices transmitting data through its networks, which contributes to a growing attack surface. The potential vulnerabilities are compounded by persistent and increasingly sophisticated attacks by adversaries, both state-sponsored and from elsewhere. “We are particularly concerned as adversaries probe and even exploit systems used by government, law enforcement, military, intelligence, and critical infrastructure in the United States and abroad,” Navy Adm. Michael Rogers, commander of U.S. Cyber Command and director of the National Security Agency, told Congress last year.
An important part of defense in cyberspace is cyber hygiene–best practices that ensure that every precaution is being taken. Congress last year ordered the National Institute of Standards and Technology to come up with voluntary cyber-hygiene guidelines. DoD wants to make sure that any best practices also apply to vendors working with the department.
Shanahan’s proposed policy could help ensure the security of products, not just as stand-alone units, but in how they work in conjunction with others, said CyberArk’s Bosnian, whose company has taken a similar approach with its C³ Alliance, in which more than 50 companies collaborate to identify vulnerabilities in products and build in protections before they hit the market. “This is where the DoD could have a major impact,” he said, “forcing the same level of cooperation amongst the vendors who want to work with the agency.”
While cybersecurity often seems like an impossible cross to bear, Shanahan’s shared responsibility and accountability model will find many converts. If DoD’s prepared to put its money with its hallelujahs, industry will likely say amen to that.