Pentagon Wants ‘Baked-In’ Security From Vendors

Deputy Under Secretary of Defense for Intelligence Kari Bingen testified before Congress on June 21. (Photo: C-SPAN)

With cybersecurity threats on the rise, most recently seen in a Chinese hack of a Navy contractor, the Department of Defense is taking new steps to ensure security, in part by putting more of the onus on contractors.

The Pentagon wants to bake security into its acquisition process, adding more security requirements to traditional contracting benchmarks like cost and completion schedules, Deputy Under Secretary of Defense for Intelligence Kari Bingen told Congress on June 21. “We must establish security as a fourth pillar in defense acquisition and also create incentives for industry to embrace security, not as a cost burden, but as a major factor in their competitiveness for U.S. government business,” Bingen said in testimony before the House Armed Services Committee.

Bingen and other DoD officials cited China’s consistent efforts to steal U.S. military technology, comparing it to physical encroachments such as China’s build-out of artificial islands in the South China Sea, which has become a major point of contention between Washington and Beijing. “It circumvents the autonomy of nations in a departure from a rules-based global order,” Under Secretary of Defense for Research and Engineering Michael Griffin told lawmakers, as reported by Defense News. “ It is adversarial behavior and its perpetrator must be treated as such.”

Most recently, hackers tied to the Chinese government infiltrated an unnamed contractor working with the Naval Undersea Warfare Center and made off with 614 gigabytes of data on a submarine-based supersonic anti-ship missile that could be in use by 2020, according to the Washington Post, which reported on the hack June 8.

That’s just the latest incident in what U.S. officials say is a long-running trend of Chinese espionage, which has included the theft of a lot of highly sensitive defense-related intellectual property, typically via hacks of contractors. China’s industrial espionage reportedly led to production of new stealth fighters that closely resemble the F-22 and F-35 fighter jets being produced for the U.S. military by Lockheed Martin. A Chinese citizen living in Canada pleaded guilty in 2016 to leading a group that stole secrets from Boeing and Lockheed (including information on the F-22 and F-35) for China.

Although the testimony focused on China, which is widely seen as the biggest threat to military intellectual property, it’s far from alone in targeting the U.S. military and industry. The Trump administration earlier this year indicted members of an Iranian hacker network for a large-scale campaign against U.S. government agencies, companies, and universities. North Korea has conducted extensive cyber operations, including the theft of 235 gigabytes of U.S. and South Korean military plans. And Russia, of course, operates across the hacking landscape conducting cyber attacks against the United States and its allies, from efforts to compromise military networks to posing as ISIS hackers to threaten military wives. The U.S. Treasury this month sanctioned five Russian companies and three individuals for working with Russia’s military and intelligence agencies on attacks targeting the United States.

Among the steps the Pentagon is taking, officials told the committee, is a new program called “Deliver Uncompromised,” intended to raise security’s profile among prospective vendors. DoD would work with industry on tighter security, even on a case-by-case basis, bringing in DoD’s own intelligence work and analysis to better understand the potential threats and keep them out of the supply chain.

Bingen and other officials acknowledged that adding security requirements to the acquisition process would be a two-way street, involving greater input from DoD as well as a willingness by industry to adapt to the new procedures.

Recent