[Senate Hearing 116-260]
[From the U.S. Government Publishing Office]
S. Hrg. 116-260
THE CYBERSECURITY RESPONSIBILITIES OF THE DEFENSE INDUSTRIAL BASE
=======================================================================
HEARING
before the
SUBCOMMITTEE ON
CYBERSECURITY
of the
COMMITTEE ON ARMED SERVICES
UNITED STATES SENATE
ONE HUNDRED SIXTEENTH CONGRESS
FIRST SESSION
__________
MARCH 26, 2019
__________
Printed for the use of the Committee on Armed Services
Available via http://www.govinfo.gov
______
U.S. GOVERNMENT PUBLISHING OFFICE
41-313 PDF WASHINGTON : 2020
COMMITTEE ON ARMED SERVICES
JAMES M. INHOFE, Oklahoma, Chairman
ROGER F. WICKER, Mississippi
DEB FISCHER, Nebraska
TOM COTTON, Arkansas
MIKE ROUNDS, South Dakota
JONI ERNST, Iowa
THOM TILLIS, North Carolina
DAN SULLIVAN, Alaska
DAVID PERDUE, Georgia
KEVIN CRAMER, North Dakota
MARTHA McSALLY, Arizona
RICK SCOTT, Florida
MARSHA BLACKBURN, Tennessee
JOSH HAWLEY, Missouri
JACK REED, Rhode Island
JEANNE SHAHEEN, New Hampshire
KIRSTEN E. GILLIBRAND, New York
RICHARD BLUMENTHAL, Connecticut
MAZIE K. HIRONO, Hawaii
TIM KAINE, Virginia
ANGUS S. KING, Jr., Maine
MARTIN HEINRICH, New Mexico
ELIZABETH WARREN, Massachusetts
GARY C. PETERS, Michigan
JOE MANCHIN, West Virginia
TAMMY DUCKWORTH, Illinois
DOUG JONES, Alabama
John Bonsell, Staff Director
Elizabeth L. King, Minority Staff Director
Subcommittee on Cybersecurity
MIKE ROUNDS, South Dakota, Chairman
ROGER F. WICKER, Mississippi
DAVID PERDUE, Georgia
RICK SCOTT, Florida
MARSHA BLACKBURN, Tennessee
JOE MANCHIN, West Virginia
KIRSTEN E. GILLIBRAND, New York
RICHARD BLUMENTHAL, Connecticut
MARTIN HEINRICH, New Mexico
C O N T E N T S
March 26, 2019
The Cybersecurity Responsibilities of the Defense Industrial Base
LaPlante, Honorable William A., Senior Vice President and General Manager, Mitre National Security Sector.
Luddy, John, Vice President for National Security Policy, Aerospace Industries Association.
Peters, Christopher, Chief Executive Officer, The Lucrum Group.
MacKay, Michael P., Chief Technology Officer, Progeny Systems Corporation.
THE CYBERSECURITY RESPONSIBILITIES OF THE DEFENSE INDUSTRIAL BASE
----------
TUESDAY, MARCH 26, 2019
United States Senate,
Subcommittee on Cybersecurity,
Committee on Armed Services,
Washington, DC.
The subcommittee met, pursuant to notice, at 2:31 p.m. in
Room SR-232A, Russell Senate Office Building, Senator Mike
Rounds (chairman of the subcommittee) presiding.
Subcommittee Members present: Senators Rounds, Scott,
Manchin, and Gillibrand.
OPENING STATEMENT OF SENATOR MIKE ROUNDS
Senator Rounds. The Cybersecurity Subcommittee meets this
afternoon to discuss an issue of great concern to me and the
Department of Defense (DOD): the cybersecurity of the defense
industrial base (DIB).
Since the reporting of the breach of a contractor for the
Naval Undersea Warfare Center last June, the Department has
been shocked into action. The truth is, however, that
adversaries have been breaching our contractors for a much
longer time, stealing our design information and intellectual
property not by targeting the Department itself, but through
its vulnerable contractor base.
This espionage will never be stopped in its entirety, and
it is unlikely that it can be negotiated away or deterred. It
must, however, be made more difficult. The Department cannot
afford to continue leaking critical design secrets to China and
Russia, effectively subsidizing their own defense developments.
It is incredibly clear that the status quo is not working.
So far, the Department's efforts in this space have been
disjointed and have mostly been a reemphasis of the current
policies.
The Navy has taken additional steps to start to audit its
contractors for compliance with their cybersecurity
requirements. This month, the Navy released its cybersecurity
readiness review, which includes several recommendations for
improved collaboration and communication between the Navy and
its contractors to mitigate cyber threats. I am encouraged that
the Secretary of the Navy has taken the first step to improving
their cybersecurity by completing this detailed review, and I
look forward to understanding how they plan to implement the
recommendations.
The Office of the Secretary of Defense has also
reemphasized the importance of the current National Institute
of Standards and Technology, or NIST, cybersecurity standard.
The Department has also stood up the Protecting Critical
Technologies Task Force headed by Major General Murphy. The
task force is taking a wide-reaching approach to the problem,
contemplating the policy, technological and operational changes
that could improve contractors' cybersecurity.
While I expect the Department will come up with measured
policies to make improvements in this area, I hope that it
takes seriously the concerns of the defense industrial base.
The Department cannot simply apply increasingly stringent
cybersecurity requirements on its contractors. Doing so without
subsidy or assistance is unlikely to particularly improve the
cybersecurity of the defense industrial base and will likely
drive the most innovative small businesses out of its supply
chain.
I am also somewhat apprehensive about an approach centered
on cybersecurity checklists. While there are benefits to the
NIST-based framework, I am concerned that approaches based on
compliance to that framework do little to help businesses meet
these standards, do not account for the particulars of the
threat, and do not help businesses prioritize investments or
personnel. Instead, these approaches establish a baseline for
capability which may or may not form the basis for an effective
cybersecurity architecture.
I hope the Department can formulate policies that
prioritize the lowest-hanging fruit and emphasize the best
return on investment for contractors that often struggle within
thin margins.
I also hope that the Department's policies take a
considered approach to partitioning cybersecurity
responsibility among itself, its prime contractors, and their
subcontractors. No one entity can shoulder the entire burden of
this effort.
We have invited witnesses from the defense industrial base
to assess how the Department's policies and regulations have
affected their cybersecurity, which is a viewpoint that we
cannot afford to ignore in these conversations.
Today, we will hear from: the Honorable William A.
LaPlante, Senior Vice President and General Manager, MITRE
National Security Sector, heavily involved in the MITRE
strategy entitled ``Deliver Uncompromised;'' Mr. John Luddy,
Vice President for National Security Policy, Aerospace
Industries Association (AIA); Mr. Christopher Peters, Chief
Executive Officer of The Lucrum Group, heavily involved with
the National Defense Industrial Association's work on defense
industrial base cybersecurity; and Mr. Michael P. MacKay, Chief
Technology Officer, Progeny Systems Corporation, a small
defense contractor based in Manassas, Virginia. Thank you for
your willingness to testify today. I look forward to our
conversation this afternoon.
Senator Manchin?
STATEMENT OF SENATOR JOE MANCHIN III
Senator Manchin. Mr. Chairman, thank you so much.
I want to thank each and every one of you all for being our
witnesses today testifying on a critical national security
problem, namely the hemorrhaging of technology and know-how
from the U.S. industry and academia to adversaries, chiefly
China, which enables the rapid progression of their military
capabilities. I have had the opportunity of both serving on the
Armed Services Committee and the Intelligence Committee. So I
know exactly where you all hopefully will be coming from.
We know that China is using cyber hacking and coercing
technology transfers from U.S. companies to acquire U.S.
intellectual property, which undermines our economy and
ultimately erodes national security because it remains easier
for cyber hackers to penetrate networks than for defenders to
stop them. There are no simple solutions to these problems.
But I am encouraged to see Congress, DOD, and the private
sector finally addressing the fundamental issues that we all
face.
One of these pressing issues is the imperative of improving
security in the smaller defense industrial base companies.
These companies are vital components of our supply chains and
sources of our innovation. But many of these small companies
currently lack the resources and expertise to defend themselves
and the DOD data and technology that they hold against national
state attacks.
We must find ways to correct this situation. Our witnesses
today--you all come from and you represent or you have studied
these industrial base partners who are threatened every day
with cyber attacks from our principal adversaries. So I look
forward to your insights and advice on how we correct this.
Thank you, Mr. Chairman.
Senator Rounds. Thanks, Senator Manchin.
Let us just begin with opening statements, if you would
like, and Dr. LaPlante, I will start with you.
STATEMENT OF HONORABLE WILLIAM A. LaPLANTE, SENIOR VICE
PRESIDENT AND GENERAL MANAGER, MITRE
NATIONAL SECURITY SECTOR
Dr. LaPlante. Yes, thank you, Chairman Rounds. Thank you,
Ranking Member Manchin. Thank you, Senator Scott and the other
members of this committee.
Of course, having this hearing and your opening statements
both identified the challenge on the threat side, but also
making sure that every solution we put in will not be actually
worse than the problem we are trying to solve. So you
understand that.
As you said, I am Senior Vice President (VP) at MITRE. We
are a not-for-profit that operates seven Federally Funded
Research and Development Centers (FFRDCs), one for the DOD and
the Intelligence Community (IC), but another one, importantly,
is the standards of cybersecurity for NIST. So I have a few
things to say about that.
Before that, I was the Secretary of the Air Force for
Acquisition.
As you all know, just like our warfighters are under attack
or threatened under attack, we now pretty well know that our
defense industrial base has been under attack for 10-15 years.
Most of us who have worked in the industrial base have known
this. It has been a while. For a while, we could not talk much
about it, which has been part of the problem.
And, yes, we still have an education issue, as I think some
of my colleagues are going to say.
It is not just the loss of Intellectual Property (IP). We
have all had this experience. My experience while Assistant
Secretary I think was at the Dubai air show walking over to the
China part of the air show and looking at the J-31 and saying
other than that second engine, that is the F-35, and then going
over and getting the brochure for what was a dead-on copy of
the MQ-9, which is our Reaper unmanned aerial vehicle.
Now, am I saying the insides are the same and they operate
the same? No, maybe not, but they will get there. So, yes, it
is real.
But it is not just the IP. It is also how we train. It is
our manuals. People in my business--we write lots of stuff. We
write lots of technical memos. A lot of that stuff has not been
classified. So you can understand how we train. You can
understand tactics, techniques and procedures, Concept of
Operations (CONOPs). So it is all together.
Now, does that mean that they are going to be just as good
as us by having it? Not necessarily so, but it sure helps. It
sure helps them.
So this is about our technological superiority.
Now, inclusion is needed. At the same time we are saying
all this, of course, we do not want to scare away our friends
in industry. We want the small businesses. We want the
innovative firms. We get that.
So this is complex, but we can solve it. We have to
educate.
Now, the Department gets knocked for this a lot, and I
think we have all kept pressure on the Department. I have been
on the other side of this boat too. But they have done a bit.
You referred to the Navy. The Navy has been really active over
the last year and a half partially out of real reason. I would
also say that putting the standard out there, 800-171, is not a
panacea. You are exactly right, Mr. Chairman. Compliance by
itself is limited in what it can do. It can do things. What we
used to call it on the Defense Science Board (DSB) is that it
can raise cyber hygiene. That is good. It is like the broken
window theory of crime. It does make the neighborhood a little
better, but it is not going to solve it because you have an
adversary. It is not just quality that you are trying to build
a better airplane. You have an adversary.
But it has over 100 controls. We still have multiple
standards.
But here is what we are missing, and we are all trying to
work this. The insurance industry is going in this direction.
The Deliver Uncompromised paper you referenced was trying to go
there, trying to figure out how to monetize, how to turn
security of cyber into something real that you can actually
measure as an outcome. Compliance is an input. It is not an
output. You really want to know if I did this, what percentage
more secure am I. I can measure costs. If I have a radar, I can
measure its performance. I can measure its schedule. I may not
like the schedule, but I can measure it. I do not know how to
measure cybersecurity. We have got to figure that out. Once we
figure that out--and the insurance business is going there
because that is what they are in--where we can start putting
real objective metrics against this, then we will get there. So
I am actually optimistic. In the next couple years, I think we
will get there as a community. That is where we need to go.
So there are other things we can do. We need a threat
sharing center, not unlike the NCTC, the National
Counterterrorism Center, where you got Federal Bureau of
Investigation (FBI) sitting next to intel, sitting next to
industry that can rapidly see what is happening. A company gets
bought overnight. It was good. Now it is bad. We got to get
that information out. Oh, by the way, the people that you got
to get the information to do not have clearances. So we got to
figure that out. But we got to go into a much more of an active
model like that.
There is experimentation going on, great ideas, of bringing
secure cloud environments and making them available to the
industrial base so they can develop inside a secure cloud. It
is already being done in parts of the government right now.
That is a great idea.
There are other ideas we will talk about later.
Again, thank you for having the hearing. I look forward to
your questions.
[The prepared statement of Dr. LaPlante follows:]
Prepared Statement by Dr. William LaPlante
Chairman Rounds, Ranking Member Manchin, and distinguished Members
of the Subcommittee on Cybersecurity, thank you for the opportunity to
testify before you today on matters relating to the cybersecurity of
America's defense industrial base. This is a critically important issue
and one about which I very much appreciate being asked to offer some
thoughts.
For those who don't know MITRE, we are a not-for-profit corporation
that operates seven federally-funded research and development centers,
or FFRDCs, for eight primary government sponsors. The largest of the
FFRDCs we operate, the National Security Engineering Center, is
sponsored by the Department of Defense. We also operate the National
Cybersecurity FFRDC on behalf of the National Cybersecurity Center of
Excellence, which is a component of the National Institute of Standards
and Technology, or NIST. Of MITRE's roughly 8,500 employees, some 1,000
are cybersecurity experts who support a very broad range of work on
behalf of federal requirements. Our vantage point, which gives us the
benefit of being able to look across multiple agencies at a wide array
of threat vectors and challenges, is critical to our understanding of
this problem set and greatly informs the advice we are able to provide
to our sponsors.
If I may, I would like to take a moment to congratulate the
leadership of this Committee for having the foresight to establish this
panel in the 115th Congress and for continuing it into the current
Congress. There is no question but that the cyber domain is a critical
warfighting domain today. This is unequivocally true, as you are all
aware, for those who wear the uniform of our military and who are
charged with defending against hostile cyber operations directed
against our forces literally every day. But it is no less true for the
thousands of companies that make up the nation's defense industrial
base--companies that support our national security through the delivery
of vital goods and services under contract to the Department of Defense
and its components, and without whose support our forces would be all
but ineffective. The men and women of our defense industrial base do
not wear the uniform, but they are no less a target in this age of
cyber warfare.
Indeed, as the Members of this Committee well know, both from the
near endless stream of media reporting we all see and the information
you receive from both the Department and the many companies that
comprise the managed cybersecurity services industry, our defense
industrial base has been and remains under siege from hostile actors.
The loss of intellectual property in recent years has been enormous,
and it has allowed our adversaries to rapidly and dramatically advance
the state of their warfighting and enabling technologies by leveraging
our substantial investments in research and development. Our
technological edge--which along with the quality of our men and women
who serve, and the strength of our alliances with key partners, has for
decades given us a vital advantage--has in many areas been compromised.
While even the largest defense contractors have been victimized by
the predatory cyber operations of our adversaries, the problem has been
most acutely realized at the lower tiers of the defense industrial
base, typically comprised of small- to medium-sized companies. These
companies often serve as the sub-contractors and sub-sub-contractors to
the primes. In many instances, they are start-ups or just barely
removed from such status. They are often where some of the greatest
innovations occur--the kinds of innovation that are, rightly, being
pursued by the Department for integration into our most advanced
warfighting capabilities.
As the 2018 National Defense Strategy (NDS) noted, ``the
Department's technological advantage depends on a healthy and secure
national security innovation base.'' It also observed that the
Department must streamline processes so more ``small-scale vendors''
can provide the Joint Force with those cutting-edge technologies needed
to maintain our military advantage. I believe we can, and in fact we
must, do both of these things--maintain a secure innovation base, and
yet not overly burden smaller companies with such onerous and costly
compliance mandates that it drives them away from doing business with
DOD.
The fact of the matter is, this is an extraordinarily difficult
problem set. Many have decried the insufficiency of efforts to protect
the defense industrial base, blame for which often falls on the
Department of Defense. I have heard many who have suggested that the
Department ``hasn't done enough'' to address this major challenge.
From my perspective, I think the Department has actually done quite
a lot. Most recently, it has adopted the NIST 800-171 standards for
cybersecurity and integrated related requirements into the Defense
Federal Acquisition Regulation Supplement (DFARS), with additional work
underway on revisions to these standards. One of the questions that the
Subcommittee posed in inviting me to testify today asked about my
thoughts on the potential need for contractors to meet security
standards beyond the NIST 800-171. The 800-171 specifies that defense
contractors handling controlled unclassified information execute over a
hundred separate controls on their systems. Achieving full compliance
requires implementing all of the controls or equivalents. I will tell
you that MITRE, with some 1,000 of what I would consider some of the
world's best experts on cybersecurity, had an enormous challenge
meeting the requirements of the 800-171. For companies that are much
smaller than MITRE, with far fewer resources and far less cybersecurity
expertise available, one can only imagine that additional requirements
beyond the 800-171 will be incredibly burdensome. Complicating this is
the fact that while DOD requires compliance with 800-171, other federal
agencies utilize a different security standard. So if a contractor
wants to do business with both DOD and, say, the Department of Homeland
Security, it has to either operate under two different sets of
requirements, or ratchet controls up to the highest instance.
I would further make the observation that there is no measure or
target for outcomes associated with implementation of the 800-171
standard--for instance, was less data lost? While standards may have
the potential to improve performance above a baseline level, they
quickly lag behind evolving operating environments and emerging
technologies. Most importantly, they quickly become the target of our
adversaries, who familiarize themselves with our standards and look for
seams they can compromise. We cannot lose sight of the fact that this
threat is extremely dynamic.
My point in highlighting this is to caution against an urge to levy
even more security standards on contractors beyond those already being
contemplated in the update of the 800-171 when the Committee sits down
to draft this year's authorization bill. The danger is that you will
either put contractors in a situation in which they will continue their
efforts to support DOD but will ignore these requirements, or they will
simply reject the idea of doing business with the Department or the
Tier 1 contractors because the burdens are too great.
On this score, I would suggest there is a real need to encourage
the contractor community to consider implementing threat-informed
defenses. Clearly, there are basic security standards--essentially,
compliance-oriented requirements--that need to be met. But there is no
substitute for understanding the nature of the threat vectors most
commonly used by our adversaries--their specific tactics, techniques,
and procedures, or TTPs--and using that awareness to inform where
network defenses need to be beefed up to thwart the most likely or
consequential cyber threats. MITRE has done a considerable amount of
work in this area, and we make our ATT&CK framework--basically, an
encyclopedia of adversary cyber TTPs that can assist security
practitioners to best determine how to position their defenses, and
where to invest limited resources to get the biggest bang for the
buck--available at no cost, in keeping with MITRE's service in the
public interest.
With that said, let me offer some thoughts about some areas in
which there might be some useful progress in this area, recognizing
that there is no silver bullet and that none of these is going to be a
panacea.
Critical to a successful path forward, I believe, is the need to
bend the cost curve on cybersecurity. We need to find ways to make
cybersecurity architectures less expensive for the defense industrial
base to implement.
For example, I think there could be some value in encouraging DOD
to work with the National Institute of Standards and Technology to
recognize the defense industrial base as a key industry vertical. Such
recognition would result in the development of practice guides and
reference architectures tailored to the requirements of this community
of interest. Again, I am not going to tell you this is a panacea. But
such products could be used by some contractors--probably some of the
medium-sized ones, at least--to model enhanced security postures.
Clearly, there will be some who will find themselves unable to leverage
such products or who have specialized requirements that may not be met
by them. But NIST has generated other guidance--for example, for use by
the health care and energy sectors--that has certainly had utility.
Another option that has been discussed--and was among the questions
posed by the Subcommittee in its invitation--relates to making the
kinds of Continuous Diagnostic and Mitigation (CDM) products that the
``Dot Gov'' agencies are required by DHS to employ, also available to
the defense industrial base. CDM is essentially a suite of commercial
products that help federal agencies understand the details of their
networks and systems and better monitor activities occurring on them.
These tools can aid in identifying the inventory of connected devices
on a network and help identify patching deficiencies or other security
problems. Again, I would say there could be value in such an offering,
but this, too, is no silver bullet. Performing timely patching and
assuring basic network and system hygiene are a necessity, but this
approach alone is insufficient to assure security. In today's computing
environments, there is too often just no way to have full knowledge of
what's on a network or a perfect ability to patch. A vulnerability scan
one day may reveal a range of unknowns that may differ just a few days
later. So again, not an end-all, be-all, by any means, but one
potential set of tools that could help.
One concept that I think has particular promise, which Under
Secretary of Defense for Acquisition and Sustainment Ellen Lord in fact
has advocated exploring, is the idea of one or more cloud environments,
operated under auspices of DOD, that would be specifically tailored to
the needs of the defense industrial base. Such DOD-sponsored cloud
offerings would be fully compliant with the latest 800-171 or successor
security standards, potentially relieving the contractor community of
many of the burdens of managing their own architecture and security
requirements. Such an infrastructure would allow the contractor
community to access compute, storage, managed security, software
development, and other services from one or more DOD-sponsored service
providers. There are a lot of unanswered questions about this approach,
not the least of which relates to the ultimate cost a contractor would
have to bear to leverage these services. Presumably there are economies
of scale that would be realized in such an instantiation that could be
passed on to contractors. Moreover, if more than one such offering were
made available, such an arrangement could generate additional
competitive pressures that could help drive costs down. Certainly,
there are other important questions that would need to be asked--for
instance, would such an arrangement also address back office
requirements like finance, human resources, and the like? What about
specialized capabilities, like the computing requirements associated
with, say, a laser cutting machine? Another important question: What
would compel or incentivize contractors to avail themselves of such an
offering? My own view on this is that an award from the government
would be contingent on contractors--including any lower tier
sub-contractors who wish to be involved--meeting all specified security
requirements.
One additional thing I would emphasize here is the need for the
Committee to look beyond just cybersecurity to also consider the
broader challenges associated with the nation's supply chain. I realize
this may extend the discussion beyond the writ of this Subcommittee.
MITRE has developed a strategy we have called ``Deliver
Uncompromised,'' designed to help DOD address the broader question of
critical dependencies and other weaknesses in our supply chain. There
are many aspects to this strategy, but one important recommendation
calls for the formation of a whole of government National Supply Chain
Intelligence Center (NSIC) to aggregate all-source data, both
classified and unclassified, to share with at-risk operators and
industry partners. The NSIC would operate as a shared national resource
to develop and operate technologies for threat detection, artificial
intelligence, and data analytics, enabling analysts to ``connect the
dots'' among disparate data from a multitude of sources. While not
nearly as large, it would be modeled on the National Counterterrorism
Center, and would be populated with representatives from the
intelligence, program, and systems engineering communities and have a
broad range of authorities. It would serve as the center of excellence
for supply chain strategic warning and risk assessment, including
responsibility, for example, for determining the provenance of software
destined for DOD, which often includes elements that originated
overseas.
Today, threat warnings to industry--if they occur at all--are too
slow and cumbersome, leaving the majority of companies in the
innovation base uninformed and exposed. Methods must be established to
share threat information and recommendations with companies that are
not cleared contractors. It is difficult to translate from classified
threat data into unclassified warning, but this is a responsibility
that should be assigned to the NSIC.
With that, let me conclude by thanking the Subcommittee once again
for offering me the opportunity to testify today. I will be pleased to
respond to your questions.
Senator Rounds. Thank you, Dr. LaPlante.
Mr. Luddy?
STATEMENT OF JOHN LUDDY, VICE PRESIDENT FOR NATIONAL SECURITY
POLICY, AEROSPACE INDUSTRIES ASSOCIATION
Mr. Luddy. Chairman Rounds, Ranking Member Manchin, Senator
Scott, members of the subcommittee, thank you for your efforts
to highlight the importance of a secure supply chain and for
inviting me to contribute to today's discussion.
The Aerospace Industries Association represents nearly 340
manufacturers, suppliers, and service providers across every
sector and tier of the aerospace and defense industry. Our 2.4
million people are the backbone of the American economy and are
crucial partners in protecting our national security.
Our industry is fully committed to partnering with the U.S.
Government to stay ahead of cyber threats and ensure resilience
throughout the industrial base. AIA has just issued a report
called ``What's Next for Aerospace and Defense: A Vision for
2050.'' The report paints a picture of the technologies and
innovations that experts in our industry believe will be
driving the way we move, connect, explore, and defend our
interests 30 years from now. The future we envision is
exciting, and it depends entirely on robust and reliable
cybersecurity. So we share concerns raised by senior Department
of Defense leaders about the cybersecurity of U.S. military
systems and of our entire acquisition process.
I also want to emphasize that we at AIA are pleased with
the level and quality of dialogue we are having on this topic
with DOD. Cybersecurity is discussed prominently at quarterly
meetings of our chief executive officers (CEOs) with Under
Secretary of Defense for Acquisition and Sustainment Ellen Lord
and her senior staff. I also convene quarterly engagements with
Vice Admiral David Lewis, Director of the Defense Contract
Management Agency, and other DOD officials. We held the fourth
of these meetings last week and have now institutionalized them
as a forum to iron out the specifics of cybersecurity policy
and implementation.
This afternoon, I will focus on three areas: first, on the
way DOD defines the information that contractors must protect;
second, on the need for cybersecurity policy to be clear,
consistent, adaptive, and scalable, both across DOD and with
industry; and finally, I will highlight AIA's National
Aerospace Standard 9933, ``Critical Security Controls for
Effective Capability in Cyber Defense,'' which we are now
seeking to improve and bring into wider industry use in
collaboration with DOD.
My first point is fundamental: the initial step in gauging
appropriate cybersecurity is understanding what information
needs to be secured. Obviously, classified information is
clearly marked and handled through separate and secure
channels. But DOD and industry also handle an enormous amount
of controlled unclassified information, or CUI, some of which
is further designated as covered defense information, or CDI.
This CDI is the focus of our ongoing shared cybersecurity
efforts.
In August of 2015, DOD implemented a Defense Federal
Acquisition Regulation Supplement (DFARS) cybersecurity clause
that significantly increased the range of information that
could be defined as CDI and thus needing protection to nearly
everything that a major defense contractor uses to perform
contracts for DOD. As a result, as specific DOD customers, the
Army or Air Force, for example, determine and identify which
unclassified information must be protected on contractor
networks and in communications between the DOD and the industry
supply chain, there has been a tendency to overprotect mundane
or basic information with complicated marking requirements.
There are over 100 categories of CUI in the National Archives
Records and Administration CUI registry, and the guide to
marking CUI is 41 pages long. DOD and industry must work
cooperatively to identify the unclassified information that is
truly important to our national security interests. The current
definition of CDI must be refined so that our limited resources
can be applied to the most sensitive elements of our
unclassified information. With limited resources, if we try to
protect everything that is currently considered CDI, we may
under-protect the really important things.
My second concern stems from the absence of a unified DOD
approach to cybersecurity policy, which has led to different
customers within DOD adding requirements beyond the current
baseline requirement embodied in NIST Special Publication 800-
171. This too often occurs without any engagement with industry
regarding the feasibility and costs associated with enhanced
agency-specific measures. This lack of uniformity complicates
the landscape and adds significant ambiguity as companies are
expected to comply with a burgeoning list of service-unique
requirements, resulting in segmented infrastructure, limited
visibility, and duplication of resources within contractor
networks.
Further, industry strongly believes that the customary
regulatory process should be followed for these new
requirements, with industry feedback leading to a more
coordinated and informed rule instead of the ad hoc service-by-
service approach that is occurring now.
It is not practical, affordable, or safe for the government
and industry to implement service-unique cybersecurity
requirements and evaluation criteria because our adversaries
will exploit the gaps this creates. We must have a unified
approach to apply mass and strength to our solutions. Recently,
to align the efforts of several DOD organizations, Under
Secretary Lord issued two memos directing Vice Admiral Lewis to
perform specific actions for contracts overseen by Defense
Contract Management Agency (DCMA). We commend Ms. Lord for her
efforts to bring clarity and urgency to DOD cybersecurity
efforts. Her memoranda raise complex and important legal and
policy issues, however, and it is essential that these be
carefully and collaboratively assessed if we are to promote our
shared objective of enhanced cybersecurity for DOD programs and
the defense industrial base.
I will close by discussing AIA's most recent tangible
response to the cybersecurity challenge. In an effort to
advance industry's partnership with the DOD, late last year AIA
released National Aerospace Standard (NAS) 9933 to provide a
better way for our companies to assess their vulnerability to
the dynamic cyber threats we face daily. I provided a copy of
the paper describing the standard to the subcommittee. It was
developed to address two realities facing our industry.
First, while we support having standards and reporting
breaches, we have maintained that the DOD's implementation of
NIST 800-171 constitutes a static solution to a dynamic
problem. Adversaries are constantly evolving their tactics and
consequently there are no silver bullets or one-time solutions
that will address the challenges we face.
Second, the dynamic nature of cybersecurity today makes it
extremely difficult for small to mid-sized suppliers to create
self-sustaining security programs capable of managing the risk
posed by advancing adversaries.
To set a viable cybersecurity baseline for the aerospace
and defense industry, AIA developed NAS9933, which is built
upon the Exostar Cyber Security Questionnaire and information
published by the Center for Internet Security. The standard
contains five capability levels. Instead of a one-size-fits-all
checklist for compliance, this format establishes capability
level 3 as a minimum performance level, with levels 4 and 5 as
higher-level objectives.
Let me briefly illustrate the different levels.
A company that achieves capability level 3 has a solid
performing cybersecurity risk management program and strong
technical network protections in place to protect critical
information, which make it harder for an adversary to penetrate
the company's systems. This company has demonstrated that it
understands the nature of advanced threats and is taking steps
to address these threats.
At level 4, a company can detect, protect against, and
respond to advanced threats, for example, by using virtual
machines and air-gapped systems to isolate and run
applications.
A company at level 5 has optimized network protection based
on the changing nature of the threat, for example, by requiring
multi-factor authentication for accounts that have access to
sensitive data or systems.
We intend for NAS9933 to establish the cybersecurity
baseline in the aerospace and defense industry and to support
government leaders' efforts to align with industry and move
beyond minimal compliance toward greater risk- or threat-based
security. As with all standards, NAS9933 is a starting point,
and we look forward to developing it further to best aid our
industry partners.
To be clear, our standard is designed to serve as a
maturity model of best practices for helping companies improve
their cybersecurity programs. It is not intended to replace or
supersede the government's mandated controls, nor should it be
used as an evaluation tool to score companies and assign
ratings. As I have stated, enduring DOD and industry
partnerships need to be established and leveraged to
continually evolve our collective approach to this problem. The
DOD and industry bring unique perspectives, experiences, and
equities to the table to address these challenges. Only by
working together will we be successful.
Senator Rounds. Mr. Luddy, I am going to have to ask you to
wrap it up.
Mr. Luddy. Yes, sir.
In closing, AIA recognizes the national economic security
threats from cybersecurity vulnerabilities and shares DOD's
commitment to strengthening our cyber defenses. This issue is
simply too important to be handled in a piecemeal approach
without an enterprise-wide coordinated strategy. We also need
more clarity on definitions so everyone knows what to protect
and how. As we continue to work with DOD, Congress, and other
stakeholders to address this threat, I hope that we can
continue to progress toward a more unified approach across the
Department, while also providing DOD contractors the
opportunity to provide inputs on proposed approaches and
facilitate the most effective, efficient allocation of
resources to accomplish the common goal of greater
cybersecurity.
Again, thank you for the opportunity to meet today and
discuss these issues, and I look forward to your questions.
[The prepared statement of Mr. Luddy follows:]
Prepared Statement by John Luddy
Chairman Rounds, Ranking Member Manchin, and Members of the
Subcommittee:
Thank you for your efforts to highlight the importance of a secure
supply chain and for inviting me to contribute to today's discussion.
The Aerospace Industries Association (AIA) represents nearly 340
manufacturers, suppliers, and service providers across every sector and
tier of the aerospace and defense industry; our 2.4 million people are
the backbone of the American economy, and crucial partners in
protecting our national security.
Our industry is fully committed to partnering with the U.S.
Government to stay ahead of cyber threats and ensure resilience
throughout our industrial base. AIA has just issued a report called
``What's Next for Aerospace and Defense: A Vision for 2050.'' The
report paints a picture of the technologies and innovations that
experts in our industry believe will be driving the way we move,
connect, explore, and defend our interests thirty years from now. The
future we envision is exciting--and it depends entirely on robust and
reliable cybersecurity. So we share concerns raised by senior
Department of Defense leaders about the cybersecurity of U.S. military
systems, and of our entire acquisition process.
I also want to emphasize that we at AIA are pleased with the level
and quality of dialogue we are having with DOD on cybersecurity and
other matters. Cybersecurity is a prominent topic at quarterly meetings
of our CEOs with Under Secretary of Defense for Acquisition and
Sustainment, Ellen Lord and her senior staff. I also convene quarterly
engagements with Vice Admiral David Lewis, Director of the Defense
Contract Management Agency (DCMA), and other DOD officials; we held the
fourth of these meetings last week and have now institutionalized them
as a forum to iron out the specifics of cybersecurity policy and
implementation.
This afternoon, I will focus on three areas: first, on the way DOD
defines the information that contractors must protect; second, on the
need for cybersecurity policy to be clear, consistent, adaptive, and
scalable--both across DOD and with industry; and finally, I'll
highlight AIA's National Aerospace Standard 9933, ``Critical Security
Controls for Effective Capability in Cyber Defense,'' which we are now
working to improve and bring into wider industry use in collaboration
with DOD.
defining what needs to be protected
My first point is fundamental: the initial step in gauging
appropriate cybersecurity is understanding what information needs to be
secured. Obviously, classified information is clearly marked, and
handled through separate and secure channels. But DOD and industry also
handle an enormous amount of Controlled Unclassified Information, or
CUI, some of which is further designated as Covered Defense
Information, or CDI. This CDI is the focus of our ongoing shared
cybersecurity efforts.
In August 2015, DOD implemented Defense Federal Acquisition
Regulation Supplement (DFARS) cybersecurity clause 252.204-7012,
``Safeguarding Covered Defense Information and Cyber Incident
Reporting.'' This clause defines CDI as:
`` . . . unclassified controlled technical information or other
information, as described in the Controlled Unclassified
Information (CUI) Registry, as maintained by the National
Archives and Records Administration, that requires safeguarding
or dissemination controls pursuant to and consistent with law,
regulations, and Governmentwide policies, and is----
(1) Marked or otherwise identified in the contract, task
order, or delivery order and provided to the contractor by or
on behalf of DOD in support of the performance of the contract;
or
(2) Collected, developed, received, transmitted, used, or
stored by or on behalf of the contractor in support of the
performance of the contract.
With this rule, DOD significantly increased the range of
information that could be defined as CDI--and thus needing protection--
to nearly everything that a major defense contractor uses to perform
contracts for DOD. As a result, as specific DOD customers--the Army or
Air Force, for example--determine and identify which unclassified
information must be protected on contractor networks and in
communications between the DOD and the industry supply chain, there has
been a tendency to over-protect mundane or basic information with
complicated marking requirements--there are over 100 categories of CUI
in the National Archives Records and Administration (NARA) CUI
Registry, and the guide to marking CUI is 41 pages long. DOD and
industry must work cooperatively to identify the unclassified
information that is truly important to our national security interests.
The current definition of CDI must be refined so that our limited
resources can be applied to the most sensitive elements of our
unclassified information. If we drive resources to protect everything
currently considered CDI, we will protect nothing.
clear dod policy
My second concern stems from the absence of a unified DOD approach
to cybersecurity policy, which has led to different customers within
DOD adding requirements beyond the Defense Federal Acquisition
Supplement (DFARS) requirement for contract compliance, the National
Institute for Standards and Technology (NIST) Special Publication 800-
171, ``Protecting Controlled Unclassified Information in Nonfederal
Systems and Organizations.'' This too often occurs without any
engagement with industry regarding the feasibility and costs associated
with enhanced, agency-specific measures. This lack of uniformity
complicates the landscape and adds significant ambiguity as companies
are expected to comply with a burgeoning list of service-unique
requirements, resulting in segmented infrastructure, limited visibility
and duplication of resources within contractor networks. Further,
industry strongly believes that the customary regulatory process should
be followed for these new requirements, with industry feedback leading
to a more coordinated and informed rule, instead of the ad hoc,
Service-by-Service approach that is occurring now.
It is not practical, affordable or safe for the government and
industry to implement Service-by-Service cybersecurity requirements and
evaluation criteria because our adversaries will exploit the gaps this
creates. We must have a unified approach to apply mass and strength to
our solutions. Recently, to align the efforts of several DOD
organizations, Under Secretary Lord issued two memos directing Vice
Admiral Lewis to perform specific actions for contracts overseen by
DCMA. We commend Ms. Lord for her efforts to bring clarity and urgency
to DOD cybersecurity efforts. Her memoranda raise complex and important
legal and policy issues, however, and it is essential that these be
carefully and collaboratively assessed if we are to promote our shared
objective of enhanced cybersecurity for DOD programs and the Defense
Industrial Base. Accordingly, we have asked to engage with her staff to
discuss ways to effectively and efficiently achieve these goals.
national aerospace standard 9933
I will close by discussing AIA's most recent, tangible response to
the cybersecurity challenge. In an effort to advance industry's
partnership with the DOD, late last year AIA released National
Aerospace Standard 9933, ``Critical Security Controls for Effective
Capability in Cyber Defense,'' to provide a better way for our
companies to assess their vulnerability to the dynamic cyber threats
they face daily. It was developed to address two realities facing our
industry.
First, while we support having standards and reporting breaches, we
have maintained that the DOD's implementation of NIST SP 800-171
constitutes a static solution to a dynamic problem. Adversaries are
constantly evolving their tactics and consequently there are no silver
bullets and/or one-time solutions that will address the challenges we
face. Second, the dynamic nature of cyber security today makes it
extremely difficult for small to mid-size suppliers to create self-
sustaining cyber security programs capable of managing the risk posed
by advanced adversaries.
There is strong precedent for using this standards-based approach.
AIA's National Aerospace Standards (NAS) program began in 1941.
Standards reduce cost, increase safety, provide commonality, are
recognized throughout industry, and are used by private, public,
corporate, and government entities. National Aerospace Standards are
voluntary and developed through a consensus-based process by the
aerospace industry. Subject matter experts from AIA member companies
participate in committees and working groups to develop and maintain
the NAS library, which currently contains over 1,400 active standards.
To set a viable cybersecurity baseline for the aerospace and
defense industry, AIA developed NAS9933, which is built upon the
Exostar Cyber Security Questionnaire and information published by the
Center for Internet Security (CIS). \1\ The standard contains five
capability levels. Instead of a one-size-fits-all checklist for
compliance, this format establishes Capability Level 3 as a minimum
performance level, with Levels 4 and 5 as higher-level objectives.
---------------------------------------------------------------------------
\1\ Exostar is a cloud-platform company initially founded via a
partnership with the major defense prime contractors and offers cloud-
based secure business collaboration solutions.
---------------------------------------------------------------------------
To illustrate: a company that achieves Capability Level 3 has a
solid performing cybersecurity risk management program and strong
technical network protections in place to protect critical information,
which make it harder for an adversary to penetrate the company's
systems; the company has demonstrated they understand the nature of
advanced threats and are taking steps to address these threats. At
Level 4, a company can detect, protect against, and respond to advanced
threats--for example, by using virtual machines and air-gapped systems
to isolate and run applications; a company at Level 5 has optimized
network protection based on the changing nature of the threat--for
example, by requiring multi-factor authentication for accounts that
have access to sensitive data or systems.
We intend for NAS9933 to establish the cybersecurity baseline in
the aerospace and defense industry, and to support government leaders'
efforts to align with industry and move beyond minimal compliance
toward greater risk- or threat-based security. As with all standards,
there is always room for improvement. We view NAS9933 as just a
starting point and look forward to developing it further to best aid
our industry partners.
To be clear, our standard is designed to serve as a maturity model
of best practices for helping companies improve their cybersecurity
programs. It is not intended to replace or supersede the government's
mandated controls, nor should it be used as an evaluation tool to score
companies and assign ratings. As I have stated, enduring DOD and
industry partnerships need to be established and leveraged to
continually evolve our collective approach to this problem. The DOD and
industry bring unique perspectives, experiences and equities to the
table to address these challenges--only by working together will we be
successful.
We have reason to believe that the Department of Defense supports
our approach. Since we published NAS9933 last fall, several DOD leaders
have praised the work and have begun to work with us to use it as the
baseline for an enhanced standard for both industry and DOD
cybersecurity activity. We welcome this next step and look forward to
working together to improve protections across the cybersecurity
domain.
AIA recognizes the national and economic security threats from
cybersecurity vulnerabilities and shares DOD's commitment to
strengthening our cyber defenses. This issue is simply too important to
be handled in a piecemeal approach without an enterprise-wide
coordinated strategy. We also need more clarity on definitions, so
everyone knows what to protect and how. As we continue to work with
DOD, Congress and other stakeholders to address this threat I hope that
we can continue to progress towards a more unified approach across the
Department while also providing DOD contractors the opportunity to
provide inputs on proposed approaches and facilitate the most
effective, efficient allocation of resources to accomplish the common
goal of greater cybersecurity.
Again, thank you for the opportunity to meet today and discuss
these issues of vital importance to our nation's warfighters and
industry. I look forward to your questions.
Senator Rounds. Thank you, Mr. Luddy.
Mr. Peters?
STATEMENT OF CHRISTOPHER PETERS, CHIEF EXECUTIVE OFFICER, THE
LUCRUM GROUP
Mr. Peters. Chairman Rounds, Ranking Member Manchin,
Senator Scott, Senator Gillibrand, members of the committee, I
appreciate the opportunity to be here today.
Over the last 2 years, I visited more than 200 small to
medium-sized manufacturers, or SMMs, in the defense industrial
base through work on various DOD-funded projects. I helped
develop and analyze cybersecurity surveys that reached hundreds
more. I have also been involved in the National Defense
Industrial Association projects that looked at cybersecurity in
the DOD supply chains.
Before I talk about the findings from some of that
research, I want to provide an important distinction between
information technology, or IT, and operations technology, or
OT.
IT consists of business applications and equipment, such as
financial resource planning or enterprise resource planning
software. OT includes industrial control systems and software
that run machinery on the shop or plant floor.
IT typically uses modern operating systems and applications
that are regularly patched and maintained. OT systems often
consist of custom applications running on old operating
systems, including Windows NT and even disk operating systems
(DOS). They cannot be easily patched or upgraded, as they may
impact production.
In short, the cybersecurity vulnerabilities are
considerably greater in OT than in IT. They are easily
exploited portals to steal or alter information or even shut
down production. One example is Lubrizol where hackers stole
intellectual property through the industrial control systems
and caused significant financial damage. Another example is a
German steel mill where hackers got access to the industrial
control systems and prevented the blast furnace from shutting
down, causing significant physical damage.
The distinction between IT and OT is important because it
represents a significant risk to the industrial base.
So through my work, there are three key findings I would
like to highlight.
Number one, the defense industrial base is at considerable
risk. My written testimony has quantitative data that
demonstrate the lack of awareness and understanding of the
DFARS requirements and implementation of the NIST 800-171.
The research shows that SMMs have a poor understanding of
cybersecurity in general. They often do not understand the
threats much less what to do about them.
This overall lack of awareness and preparedness should be
alarming. Large manufacturers typically have very robust
security measures for both their business and operating
systems. That makes the less knowledgeable and poorly defended
SMMs in the supply chain a greater target for cyber attacks
particularly since they often handle much of the technical data
sent from those larger contractors. Whether the attack is to
steal intellectual property, introduce defects into weapon
systems, or to shut down entire operations, the SMMs are prime
targets.
Finding number two is that SMMs have been quitting defense
work because of the new cybersecurity requirements. Rather than
recognizing that these cybersecurity precautions are something
that they should take regardless, they perceive the new DFARS
requirements as just one more burden that the DOD is imposing.
Finding number three, manufacturers are increasingly
frustrated by uneven enforcement. The lack of established
metrics against which to measure the level of compliance is
viewed by many manufacturers as a weakness that other suppliers
will exploit. That perception of inequality or lack of fairness
is often a barrier to adoption of costly cybersecurity
practices and solutions.
I will highlight three of the recommendations from my
written testimony.
Recommendation number one, increase the emphasis on
resilience to withstand attacks. One of the most important
aspects of this situation is that the threat vectors are always
changing, and attacks will happen. Yet, there has been very
little discussion about resiliency. SMMs need help
understanding how to design resilient OT systems, detect when
an attack does occur, and then respond and recover.
Recommendation number two is fuel the rapid development of
OT cybersecurity solutions. The DOD should explore innovative
means, such as grand challenges, to quickly raise awareness and
spur development of OT-specific cybersecurity solutions.
Recommendation number three is develop a means to measure
and certify cybersecurity compliance, similar to what you heard
before. Manufacturers have to have confidence that their
investments in cybersecurity are going to meet DOD
requirements. Large manufacturers also need a means to quickly
and cost effectively assess the cybersecurity readiness of each
manufacturer in their supply chains. That requires the
establishment of meaningful metrics that can be readily
certified, whether by a customer, the government, or an
independent third party.
In summary, the defense industrial base risks are great and
much work is needed to mitigate these risks, particularly for
industrial control systems. The SMMs do not have the resources
to tackle these issues on their own. They need help if we are
to rely on their capabilities.
Thank you for your time, and I welcome your questions.
[The prepared statement of Mr. Peters follows:]
Prepared Statement by Christopher Peters
introduction
Chairman Rounds, Ranking Member Manchin and distinguished members
of the subcommittee: Over the past two years, I visited more than 200
small- to medium-sized manufacturers (SMMs) in the Defense Industrial
Base (DIB) through work on various DOD-funded projects. I helped
develop and analyze surveys that reached out to hundreds more. One of
the primary topics in my research was manufacturing cybersecurity in
the defense industrial base. Through my involvement with the National
Defense Industrial Association (NDIA), I was a senior advisor to the
Cybersecurity for Advanced Manufacturing Joint Working Group,
consisting of participants from industry, the Pentagon and other
government agencies. I am also a co-author on the NDIA paper,
``Implementing Cybersecurity in DOD Supply Chains.'' \1\
---------------------------------------------------------------------------
\1\ NDIA, ``Implementing Cybersecurity in DOD Supply Chains,'' July
2018. http://www.ndia.org/-/media/sites/ndia/divisions/manufacturing/documents/cybersecurity-in-dod-supply-chains.ashx?la=en
---------------------------------------------------------------------------
background
Before I discuss some of the key findings from that research, I'd
like to make an important distinction between information technology
(IT) and operations technology (OT). IT consists of business
applications and equipment, such as financial systems or enterprise
resource planning software. OT includes industrial control systems and
software that run machinery on the shop or plant floor.
The priorities for protection of IT are confidentiality, integrity
and availability. The priorities for OT are reversed, with availability
being the most important. As an example, it's not uncommon to find
plant floor computers with the password taped to the machine so that if
there is a production problem, someone can log in and quickly correct
the issue.
IT typically uses modern operating systems and applications that
are regularly patched and maintained. OT systems often consist of
custom applications running on old operating systems, such as Windows
NT or DOS. These systems cannot be easily patched or upgraded, as it
may negatively impact production. Anti-virus software and firewalls
cannot easily be added to OT environments, as they also may impact
production.
In short, cybersecurity vulnerabilities are considerably greater in
OT than in IT. These are easily exploited portals to steal or alter
information or even shut down production. One example of an OT breach
is Lubrizol, where hackers stole intellectual property through the
industrial control systems, causing significant financial damage.
Another example is a German steel mill, where hackers took over the
production control systems and caused significant physical damage.
This distinction between IT and OT is important, because it means
the cybersecurity threats to the DIB are even greater than most
realize.
key findings
Through my work, there are three key findings that I would like to
present to this committee.
#1 The defense industrial base is at considerable risk
Most of the SMMs surveyed rate the importance of cybersecurity on
the plant floor a lower priority than IT and intellectual property,
even though OT represents the greatest risk. Sixty percent of the
respondents to the NDIA survey have not read the DFARS documentation,
and 46 percent of those who did said that they found it difficult to
understand. Forty-five percent of the respondents had not read the NIST
800-171 publication, and only 40 percent of those who did felt that the
document was clear and easy to understand.
What the research found was that SMMs have a poor understanding of
cybersecurity in general. They often don't understand the threats, much
less what action should be taken. The educational information that does
exist, such as the 170-page document titled ``NIST MEP Cybersecurity
Self-assessment Handbook for Assessing NIST SP 800-171 Security
Requirements in Response to DFARS Cybersecurity Requirements,'' is
confusing and not written for SMMs, which often have little technical
support.
For companies that do understand the threats and want to act, the
lack of viable solutions that do not negatively impact operations is a
barrier to adoption. We found those companies that did begin adopting
cybersecurity solutions tend to underestimate the cost of
implementation by as much as a factor of 10.
The overall lack of awareness and preparedness by the SMMs in the
DIB should be alarming for a variety of reasons. The large
manufacturers in the DIB typically have very robust security measures
for both their business and operations systems. That makes the less
knowledgeable and poorly defended SMMs a greater target for
cyberattacks, particularly since they often handle much of the
technical data sent from the larger contractors. Whether the attack is
to steal intellectual property, introduce defects into military
products or shut down entire operations, the SMMs are prime targets.
#2 Manufacturers are quitting defense work
SMMs have quit defense work because of the new DFARS cybersecurity
requirements. Rather than recognizing that these cybersecurity
precautions are something they should take regardless, they perceive
the new DFARS requirements as just one more burden the DOD is imposing.
There are several factors that contribute to this situation. One is
that the SMMs were not educated on the cyberattack threats and
potential impact on their businesses, whether commercial or defense.
Our findings have shown that there is an uneven awareness of
cybersecurity risks and prevention, particularly for operations
technologies.
Compounding the challenges facing manufacturers is that the DFARS
requirements were written largely for IT systems, and many of the
controls cannot be easily implemented in manufacturing environments
without causing harm.
Finally, SMMs leaving the DIB cited a lack of clarity by the DOD on
requirements, timing and enforcement. That lack of clarity is
exacerbated by the confusing messages from many consultants, some even
offering to help SMMs become ``DFARS Certified.'' There is no such
thing as ``DFARS Certified.'' Many of these consultants have gouged the
SMMs.
#3 Manufacturers are increasingly frustrated by uneven enforcement
Manufacturers are increasingly frustrated by uneven enforcement of
the DFARS cybersecurity regulations. Some companies have incurred
significant overhead expense to become DFARS compliant, while
competitors that have not acted or have simply lied about compliance
are still winning DOD business.
The lack of established metrics against which to measure the level
of compliance is viewed by many manufacturers as a weakness that other
suppliers will exploit. That perception of inequality or a lack of
fairness is often a barrier to adoption of costly cybersecurity
practices and solutions.
recommendations
#1 Better educate the SMMs
Awareness is the first step in driving adoption, yet most SMMs in
the DIB have not been made aware of the cybersecurity threats to their
businesses. A coordinated government campaign should be targeted to the
SMMs to raise awareness of the threats and the steps necessary to
protect their businesses. Much like the ``Loose Lips Sink Ships''
campaigns of World War II, awareness campaigns are a cost-effective
means to quickly spur the desired action throughout the entire U.S.
industrial base.
#2 Address the unique needs of operations technology
A key recommendation in the NDIA ``Cybersecurity for Advanced
Manufacturing'' white paper is ``Work with DOD stakeholders in
cybersecurity policy, acquisition policy, sustainment policy, and
procurement policy to ensure manufacturing requirements are adequately
addressed in policy documents and implementation reviews; and develop
separate guidance to protect OT networks where needed.'' \2\
---------------------------------------------------------------------------
\2\ NDIA, ``Cybersecurity for Manufacturing Networks,'' October
2017, p. 12. https://www.ndia.org/-/media/sites/ndia/divisions/working-groups/cfam/ndia-cfam-2017-white-paper-20171023.ashx?la=en
---------------------------------------------------------------------------
#3 Increase emphasis on resilience to withstand attacks
One of the most important yet overlooked aspects of this situation
is that threat vectors are always changing and attacks will happen, yet
there has been very little discussion about resiliency. SMMs need help
in understanding how to design resilient OT systems, detect when an
attack does occur and then respond and recover.
#4 Aggregate disparate manufacturing cybersecurity activities
There are currently at least four organizations just within the
Office of the Secretary of Defense addressing cybersecurity for
industrial control systems. The NDIA ``Cybersecurity for Advanced
Manufacturing'' paper recommends that the DOD ``Establish, and
adequately fund, a new program for Manufacturing Cybersecurity
Capabilities in the Industrial Base, with a DASD-level Champion and
participation from the DHS.'' A concerted government message and effort
are needed to achieve the desired results.
#5 Fuel the rapid development of OT cybersecurity solutions
The DOD should explore innovative means, such as grand challenges,
to quickly raise awareness and spur development of OT cybersecurity
solutions. Such solutions should be designed to not only prevent
attacks, but detect them as well.
#6 Develop a means to measure and certify cybersecurity compliance
Manufacturers in the DIB must have confidence that their
investments in cybersecurity meet DOD requirements. Large manufacturers
also need a means to quickly and cost-effectively assess the
cybersecurity readiness of each manufacturer in the supply chain. This
requires the establishment of meaningful metrics that can be readily
certified, whether by a customer, government agency or an independent
third party.
summary
In summary, the DIB risks are greater than many realize, and much
work is needed to mitigate those risks, particularly for industrial
control systems. The SMMs do not have the resources to tackle these
issues on their own--they need help if we are to rely on their
capabilities. Consider the following scenario.
An adversary wants to disable production of weapon system parts
or components. DOD procurement data are publicly available and
provide a blueprint of the SMMs to target. By gaining access
through the industrial control systems at manufacturers
producing those parts, an adversary could plant undetected
malware that can disable the manufacturing equipment at a
predetermined time or when signaled. The adversary can then
disable tens, hundreds or even thousands of manufacturers on
command. Or, perhaps they just target two critical suppliers of
missile components. Such an event could have a profound impact
on the ability to produce and support any or all weapon
systems. This is not just a scenario for the future--it may
have already happened.
Senator Rounds. Thank you, Mr. Peters.
Mr. MacKay?
STATEMENT OF MICHAEL P. MacKAY, CHIEF TECHNOLOGY OFFICER,
PROGENY SYSTEMS CORPORATION
Mr. MacKay. Chairman Rounds, Ranking Member Manchin, and
members of the subcommittee, I would like to thank you for
inviting me to testify this afternoon.
Progeny Systems is a privately held defense contractor
headquartered in Virginia that has just under 500 employees.
Progeny is in the category of small large government contractor
or perhaps large small government contractor and is a
significant target for cyber attacks due to the highly
classified nature of our work, as well as the number and types
of our contracts. We know that attempts have been made to
penetrate our network defenses, and we are fully dedicated to
the implementation of the government's recommended policies,
procedures, and controls as detailed in 800-171.
As the Chief Technology Officer of our company, I can tell
you that cyber defense is a top corporate priority. It is a
priority because of the responsibility we have to our
customers, and we fully understand that as a small company, our
very survival is at stake. We are not a large prime contractor
that is, as they say, too big to fail and too big to punish and
that our first breach could be the last one.
Most importantly, though, cyber defense is a priority in my
company because all of our employees understand as Americans
the threat that adversaries pose. Our overriding goal as a
company is providing our warfighters with a competitive
advantage no matter the battlespace. We cannot let our nation's
adversaries steal technology that diminishes this advantage,
and we have invested heavily in equipment, tools, and manpower
to ensure that the NIST specifications are not only met but
exceeded.
Thus far, we have only been reviewed by one program office,
Team Sub from the Department of the Navy, for compliance with
the NIST requirements. We do not, however, have only one
program office as a customer. We work for dozens of programs,
each of which may have a slightly different interpretation of
the NIST requirements. Smaller companies will find it
impossible to be rated favorably if they are pursuing two or
more differing interpretations of the controls and what is to
be considered adequate or complete.
As the committee considers this issue, I would strongly
urge you to have one standard interpretation of the NIST
requirements. In other words, set the bar high but set it once
and hold everyone accountable to that single standard so that
we are spared not only the additional cost, but also the need
to adjudicate between differing and potentially conflicting
direction.
We view the NIST requirements as essentially putting locks
on the doors and windows of your house and installing a
security system. It is the baseline. It is what you would
normally do. These measures are effective in keeping people out
of your house who should not be there and letting you know if
someone tries to break in. It is a starting point. They are
useless, however, if you open the door to a stranger who wants
to rob you. And this is where the private sector really needs a
lot of help in the human factors area.
We need to raise awareness and to train our own personnel
to think of good cybersecurity hygiene as a natural part of
their daily work lives. For technology developers who crave
connectivity and collaboration, this is a huge paradigm shift.
This is especially the case with the younger technology
developers who, unlike us, grew up online and are more
susceptible to phishing attacks and the other attacks that come
directly from the Web.
The guidance provided to date to us has been to seek out
peers and share lessons learned. Although we are doing this and
it is quite effective, we need to be more effectively
confronting the threat. The Department of Defense must take a
leadership role, and we need evidence-based best practices,
curriculum, and effective training materials to educate our
employees to help us train our employees. Cyber defense
requires both tools and training to accomplish the mission.
As a small company with limited resources, we feel there is
merit to adapting the requirements based on each contractor's
situation, size, and budget included. However, we must protect
the technology according to its importance and find ways to
help that industry partner, small or large, to protect it.
Often the smaller companies like my own who have limited
resources also have significant innovations. So we can have the
best of both situations if we help those innovators continue to
safely protect and pursue their work.
Now, a major tenet of our development community is that no
one has all the answers. That is a Team Sub tenet. Progeny
Systems received help from the Navy in the form of a 2-day
exercise with industry experts in a mock audit of our
practices, and it was not just going through the checklist. It
was the practical application reviewing our compliance. And the
event was eye-opening and invaluable. A standardized,
consistent, and regular consultation with experts and red teams
like this would probably be the single most beneficial approach
that could be offered by DOD to its contractors.
We wholeheartedly agree that providing approved products to
the community by the government based on a best of breed
selection would be an excellent way to help the community,
especially in the case of small businesses if the companies
find themselves unable to acquire or develop the right controls
themselves.
In closing, I would like to thank the subcommittee once
again for having the privilege to testify before you today, and
I would be happy to answer any questions you might have.
[The prepared statement of Mr. MacKay follows:]
Prepared Statement by Michael MacKay
introduction
Chairman Rounds, Ranking Member Manchin, and Members of the
Subcommittee, I would like to thank you for inviting me to testify this
afternoon. My name is Mike MacKay and I am the Chief Technology Officer
of Progeny Systems Corporation.
Progeny Systems is a privately held defense contractor
headquartered in Virginia that has just under 500 employees. Progeny
Systems is in the category of ``small large Government contractor'' and
is a significant target for cyberattacks, due to both the highly
classified nature of our work and the number and types of our
contracts. We know that attempts have been made to penetrate our
network defenses and we are fully dedicated to the implementation of
the Government's recommended policies, procedures, and controls as
detailed in the NIST Special Publication 800-171 (NIST).
As the Chief Technology Officer of our company I can tell you that
cyber defense is a top corporate priority. It is a priority because of
the responsibility we have to our customers, and we fully understand
that, as a small company, our very survival is at stake. We are not a
large prime contractor that is ``too big to fail and too big to
punish'' and that the first breach could be the last one.
Most importantly, cyber defense is a priority because all of our
employees understand as Americans the threat our adversaries pose. Our
overriding goal as a company is providing our warfighters with a
competitive advantage no matter the battlespace. We cannot let our
nation's adversaries steal technology that diminishes this advantage,
and we have invested heavily in equipment, tools, and manpower to
ensure that the NIST specifications are not only met but exceeded.
one standard
Thus far, we have been reviewed by only one program office for
compliance with NIST's requirements. We do not, however, have only one
program office as a customer. We work for dozens of programs who each
may have a slightly different interpretation of the NIST's
requirements. Smaller companies will find it impossible to be rated
favorably if they are pursuing two or more different interpretations of
the controls and what is to be considered adequate or complete. As the
Committee considers this issue, I would strongly urge you to have one
standard interpretation of NIST's requirements. Set the bar high, but
set it once and hold everyone accountable to that single standard, so
that we are not only spared the additional cost, but also spared the
need to adjudicate between differing and potentially conflicting
direction.
importance of human factors
We view the NIST requirements as essentially putting locks on your
doors and windows and installing a security system. These measures are
effective in keeping people out of your house and letting you know if
someone tries to break in. They are useless, however, if you open the
door to a stranger who wants to rob you. This is where private sector
defense contractors need the most help--in the human factors.
We need to raise awareness and to train our personnel to think of
good cyber security hygiene as a natural part of their daily work
lives. For technology developers who crave connectivity and
collaboration, this is a huge paradigm shift. This is especially the
case with younger technology developers who, unlike us, grew up online
and are more susceptible to Phishing attacks.
The guidance provided to date for training has been to seek out
peers and share lessons learned. Although we are doing this, we need to
more effectively confront this threat. The Department of Defense
must take a leadership role, and we need evidence based best practices,
curriculum, and effective training materials to educate our employees.
Cyber defense requires both tools and training to accomplish the
mission.
adapting cybersecurity requirements based on contractor size and
ability to pay
As a smaller company with limited resources, we feel that there is
merit to adapting the Cybersecurity requirements based on each
contractor's particular situation, size and budget included. However,
we must protect the technology according to its importance, and find
ways to help that industry partner, small or large, to protect it.
Often, the smaller companies, who have limited resources, are also
those with significant innovations. We can have the best of both
situations if we help those innovators continue to safely pursue their
work.
offer cybersecurity expertise and red-teaming to contractors
A major tenet of our development community is that ``No one has all
the answers''. Progeny Systems received help from one of our Program
Offices, in the form of a two day exercise with industry experts in a
``mock audit'' of our practices in January of this year, to review our
status for 800-171 compliance, and the event was eye-opening and
invaluable. A standardized, consistent, and regular consultation with
experts and Red Teams would probably be the single most beneficial
approach that could be offered by the DOD to its contractors.
provide ``off-the-shelf'' architectures and products
We wholeheartedly agree that providing ``approved'' products to the
community by the Government, based on a ``best of breed'' selection
process will be an excellent way to help the community protect
themselves, especially if, as in the case of smaller companies, there
are resource issues with acquiring or developing the correct controls
and protections themselves.
closing
I want to thank the Subcommittee once again for having the
privilege to testify before you today and would be happy to answer any
questions that you might have.
Senator Rounds. Thank you, gentlemen. I most certainly
appreciated all of your comments.
Normally our tradition here is that we will work our way
around the committee, and we will try to stick to 5 minutes
within our assigned times. I will begin my questioning at this
time.
Gentlemen, section 1644 of last year's NDAA, National
Defense Authorization Act, required the Secretary to promote
the transfer of appropriate technology, threat information, and
cybersecurity techniques developed in the Department of Defense
to small manufacturers and universities and then to establish a
cyber counseling certification program and to develop a regime
of voluntary self-assessments.
I would like to know if each of you--number one, are aware
of the program. Second of all, how could this program be
strengthened if you are aware of it? And finally, how should
this program be expanded and shaped if it is successful? Dr.
LaPlante, would you like to begin?
Dr. LaPlante. Yes, I have heard of the program. I think it
is a great idea.
I think the central thesis here is we really have education
to do. It is a lot about education. A lot of us believe the
best ideas will come from the small businesses once they
understand it.
As an example of what is happening right now, there is
something called an adversarial, for lack of a better word,
attack vector. It is not unlike a criminal casing out your
house. There is a series of things that an adversary in cyber
does to look at you, to do reconnaissance, then to penetrate,
get in, and then do whatever they are going to do, either put
something in there, do damage, or take something. Believe it or
not, there are about 150 steps that people have outlined of how
this is done, and it changes about every week.
What MITRE has done--and other companies have done the same
thing--is we made those steps publicly available. So if you
want to know how to prevent the guy from getting in your
network, this is how he does it. This is what the criminal does
next, then that. Oh, now if you plug this, he is going to go
over here. And what is good about that is that you start
getting the defenders to be very sophisticated.
People say, well, gee, publishing that is bad. People will
learn how to do cyber. Well, the people doing it on cyber know
how to do it. Our rule of thumb in making it an open source, if
it is an open source already and published about a threat
vector, we will publish it. So there are things like that that
if you go to the programs, Senator, that you described and we
can get people to understand this is how the threat thinks,
then you can do things that makes his job hard.
Senator Rounds. Mr. MacKay, same question.
Mr. MacKay. I completely agree with the doctor's comments.
The first thing that I want to point out is that we are in a
situation where you are not paranoid if somebody is actually
out to get you. We need to start thinking about the fact that
we should be paranoid. We should be paranoid in a constructive
way.
We have been on the receiving end of a great deal of this
kind of information, some of which has been provided in a
classified setting, and the more information that can be
sanitized out of that kind of a report and put into a format
that can be published company-wide as open source, as
completely open to our employees so they understand the
techniques and the methods, the better for us because we cannot
get classified meetings put together that easily or that
quickly.
Senator Rounds. Thank you.
Mr. Peters?
Mr. Peters. I am not aware of that program directly, and
none of the suppliers that I have talked to have ever mentioned
that program. If an element of that program is to promote
education, disseminate information to the defense industrial
base, that is certainly a positive thing.
My one recommendation would be that it needs to be done
directly to the small to medium-sized, not just through the
Original Equipment Manufacturers (OEMs) or prime contractors.
Senator Rounds. Thank you.
Mr. Luddy?
Mr. Luddy. I am not familiar with that program by name
either, Senator, but I do know that Under Secretary Lord has
taken a pretty aggressive look at how, together with the large
primes, we can work to support the middle and lower tiers of
the industrial supply chain to be secure. We recognized this
early on when the NIST standard was initially promulgated that
while the big companies were essentially almost entirely
compliant immediately, that the middle and lower tiers were
going to have a more challenging time. Now, to a large extent,
our prime contractors work very hard with their supply chains
to do that.
One of the good ideas I think that the Department is
looking at is the prospect of actually providing people and
cloud-based capability to the middle and lower tier companies
to help them understand the threats and meet the requirements
of security that are out there. So we support that very much.
Senator Rounds. Great. Well, I think the Achilles heel in
this whole process is that we want to use lots of different
subcontractors. In many cases, some of our most innovative
contractors are those subcontractors that are small. We do not
want to lose their capabilities and what they have to offer.
And yet, we have to have a program in place that allows them to
assure us of the best types of protections that we can possibly
get with regard to cybersecurity so that there is a standard of
acceptance and a standard of capability that is there
regardless of the size, and how we go about getting there is
part of our challenge today.
Senator Manchin?
Senator Manchin. Thank you, Mr. Chairman.
Maybe you can break this down for me. Basically most of the
contracts that go from DOD are given to larger contractors.
Correct? So the smaller subcontractor, no matter how great its
idea, innovation, or creation may be, very seldom ever directly
gets a contract from DOD.
Mr. MacKay. If I could offer a differing perspective,
Senator. Progeny Systems is a prime contractor to the Navy for
a number of very important programs, including the
cybersecurity controls for the submarine.
Senator Manchin. So you have a direct contract.
Mr. MacKay. We have a direct contract.
Senator Manchin. So I would say you have to meet certain
security guidelines and have people that have received security
clearances. Right?
Mr. MacKay. Yes, sir.
Senator Manchin. Are you having problems getting your
clearances?
Mr. MacKay. No, sir, we are not.
Senator Manchin. I understand there is a backlog of
security clearances.
Mr. MacKay. There is.
Our biggest effort, though, is we have to do the same
controls and we have to be just as careful as the large
companies on a small company budget.
Senator Manchin. Well, I am saying that everyone should
meet the same standards you are meeting. I do not understand
why we let the small contractors get by just because they are
small. I do not know why we do not hold the larger contractors,
who are responsible for the contract, accountable to make sure
the subcontractors they are hiring have protections.
Mr. MacKay. Yes, sir.
Dr. LaPlante. In my experience, Senator, when I was an
acquisition executive, the knowledge a lot of the primes had of
their detailed supply chain was very mixed, surprisingly so.
And some of that is on the Government.
Senator Manchin. Was very what now?
Dr. LaPlante. Surprisingly uneven, even knowledgeable of
who is a sub to whom and what contracts they have.
Senator Manchin. Who hires the subs?
Dr. LaPlante. Usually the prime.
Senator Manchin. The prime is hiring people. They do not
know who they are?
Dr. LaPlante. No. The primes hire people who they know, but
sometimes when you look at the contract between the prime and
the subs--the Government may not have access to it--you find
out the contract may not have the requirements in it for
quality or something else.
Senator Manchin. Is that the way that the contracts are
written?
Dr. LaPlante. They can be. They can be. It depends on the
contract.
Senator Manchin. So basically a contract from the Navy or
Air Force----
Dr. LaPlante. No. What I am talking about--I am sorry,
Senator. This is a contract between a prime and a
subcontractor, not between the Navy and the prime.
Senator Manchin. No. I am saying, first of all, if I put
out criteria that I want every contractor to meet if they bid
and they were successful, I do not care who does the work. They
have to meet this criteria.
Dr. LaPlante. You absolutely could do that.
Senator Manchin. But we are not doing that now.
Dr. LaPlante. I am saying it is uneven. But I defer to my
colleagues. But I was surprised at how uneven the----
Senator Manchin. Just trying to get a handle on this.
Okay, go ahead, Mr. Peters.
Mr. Peters. Senator, so there are two challenges. First of
all, there are a lot of companies that I know of, small machine
shops, that have multimillion dollar contracts directly with
the government that are not cleared, but they are producing
things that help keep airplanes flying and tanks----
Senator Manchin. Are those all confidential?
Mr. Peters. No. They are still critical. You still have
critical----
Senator Manchin. Yes, but I mean, everybody knows what the
part is and who is making it.
Mr. Peters. Right.
But the issue with the contractors--one of the challenges
is that if I have got a supply chain--there are 23 different
contractors that make the primary shaft for the Chinook
helicopter. 23 and that is just for the primary shaft.
Senator Manchin. Just the shaft.
Mr. Peters. So the problem is that the prime contractor
knows who its immediate supplier is. They do not know who is
beyond them, third, fourth, fifth tier and so on. You have
flow-down requirements.
Senator Manchin. Why would they not?
Mr. Peters. Because the contractors, especially the prime
contractors, consider that to be their private information. If
I let you know who my contractors are and who my supply chain
is----
Senator Manchin. That is the person you will bid against
the next time.
Mr. Peters. Exactly.
Senator Manchin. I really do not care.
Mr. Peters. I agree.
Dr. LaPlante. Your points are well taken. We are just
describing how it is.
Senator Manchin. We can change that.
Dr. LaPlante. You can change it. That is right.
Senator Manchin. We are all on committees that can change
contracts.
Dr. LaPlante. That is right. But the knowledge of the
primes, to the point, of the sub to the sub to the sub is
uneven.
Senator Manchin. That is awful. That is absolutely
unbelievable.
Mr. Luddy, do you have anything to add?
Mr. Luddy. I was just going to add, Senator, that I believe
the legal concept here is of contract privity. And a contractor
has privity with its immediate subcontractors, but not with
that subcontractor's subcontractor.
Senator Manchin. Somebody has to be held accountable.
Mr. Luddy. These are the kinds of things that I think we
are trying to work through, and DOD is trying to work through.
Senator Manchin. Would you all be objectionable if we wrote
the standard of how contracts are left to the prime?
Mr. Luddy. I think we are concerned about anything that
will inhibit good information sharing about the----
Senator Manchin. Right now, there is no information
sharing. If you are a prime, you do not know who the subprime
is or the subprime to the subprime.
Dr. LaPlante. Senator, I think what you are getting at is
the following, and I think this would help tremendously.
Holding more accountability to their supply chain and knowledge
for the primes, however we do it and dealing with the legal
issues, that would be greatly helpful.
Senator Manchin. It is mind-boggling.
The private sector does not work this way. Does it? The
private sector does not work this way that I know of. I have
been in business a long time. I have never seen private
contracts working this way. Someone is held accountable and
responsible all the way from the top to the bottom. Right here
you can pass the buck all day long.
You take a shot at this.
[Laughter.]
Senator Rounds. Okay. Let me offer an alternative. If
anybody who was providing anything to a contractor or a
subcontractor or, for that matter, anything down the line, was
simply identified as being responsible to a certain standard or
who was subject to audit so that it was not necessarily
knowledgeable to the other subcontractors or other contractors
that this was their supply chain, but rather that they were a
licensee to perhaps the Department of Defense to where there
was a standard that they had to meet, would something like that
be an alternative so that you had an entire base of perhaps
thousands of subcontractors who had met a particular criterion
that would then be allowed to be within the chain? Is something
like that available, or has that been tried to the best of your
knowledge?
Mr. Luddy. Senator, one of the objectives of our standard
is to try to have within industry a self-regulating effort to
set levels of cybersecurity so that a prime will know going
from one subcontractor to another that these companies have met
levels of security. In the case of the NIST standard now, which
requires system security plans and programs to remediate any
security flaws, those can be audited. That presents a resource
problem for the Department of Defense, which has a limited
number of resources and people to apply to auditing, but that
is a possibility.
We are concerned about the prospect of the system security
plans (SSPs) and Plans of Action and Milestones (POA&Ms), as
they are called, being automatically provided or provided just
on a widespread basis because they contain, frankly, sensitive
information about a company's economic viability, security
viability, and so forth. They can have real implications in the
business sense for what our companies need.
Obviously, there is always the option of an audit, but it
is a resource challenge for the Department.
Dr. LaPlante. Mr. Chairman, I would add to what my
colleague said this following concept. Once you have such a
list that you described, then it is really important to have
this active like a counterterrorism center to watch the list,
watch what changes. We found in similar things some of the
worst problems happened when overnight somebody on the list
that had been approved gets bought by somebody else. So you got
to be very active in watching it, but it could work.
Senator Rounds. Mr. MacKay, I have a question for you. You
are a small contractor.
Mr. MacKay. Yes, sir.
Senator Rounds. Yet, clearly you have been successful. Do
you employ other subcontractors?
Mr. MacKay. Yes, we do.
Senator Rounds. Can you describe for us the process that
you have to work through in order to qualify them so that,
within your own guidelines, you are comfortable that they have
met certain standards?
Mr. MacKay. Yes, Senator. When we have a particular
contract to satisfy, we consider industry partners. One of our
approaches is to have specially selected industry partners that
we work with almost exclusively so that we have better control
over their own security practices. And rather than relying on
their resources and their infrastructure for things like
security controls, we bring them into our IT infrastructure and
our project infrastructure so that they are using our controls
when they do development on our projects. So we try to
encapsulate their work into our way of doing the NIST controls
and keeping things safe.
But to the points of the other gentlemen, we have machine
shops that we hand off work to. And, you know, Junior Smith has
a laptop that he has used on his lathe since forever and you
got to try to explain to him that he has got to be more
careful. So what we have to do is flow down help to those
people so that we give them information in a form that cannot
be or is more difficult to be compromised. I think that is a
model that we can pursue.
We are a contractor, subcontractor of Lockheed Martin, and
Lockheed Martin assesses us the same way that we assess the
people that work for us. So the flow-down is critically
important, and each step of the management process has to take
ownership. But the guy at the top who has the prime contract
has to take on the responsibility of seeing things all the way
down to the bottom, and they have to ask the hard questions.
Senator Rounds. I think that is the part that Senator
Manchin was bringing up: how far down is that, because as you
have indicated, you go down to, even in this case where you
have a subcontractor, who may very well be using a separate
subcontractor themselves, who is simply machining a particular
part--they will have competencies and capabilities that are at
least at risk with regard to that particular product that they
are supplying to your subcontractor.
Mr. MacKay. Exactly. Yes, it is a very difficult problem,
and we have spent countless hours worrying about this issue
because it gets very complicated very quickly. If I hand a
document over to somebody to create a part, then I have to ask
them how they are going to be managing that document and who
they are going to give it to. They could lie to me. They could
say, yes, we are going to do this and at the last minute, hand
it off to somebody who came at a lower bid and not tell me. We
have to find a way to go back to them and say, so you just
delivered this part. Look me in the eye and tell me that you
did not change our approach. We can cancel the contract. We can
fire them. But to be absolutely sure they did not----
Senator Rounds. By then, it is too late because that has
been entered into the supply chain.
Mr. MacKay. Yes. So it is a very difficult problem. I think
we have to do as much as we can to take responsibility for what
we can see and the contracts that we let, and we should be held
responsible absolutely when things go wrong. We go to the
limits I think of what we can reasonably do in the execution of
our contracts. But it is not going to be infallible.
Senator Rounds. Thank you.
Senator Manchin, your turn.
Senator Manchin. It is probably best that I do not say a
whole lot.
Just call the Chinese and ask them how they did it. It is
pretty easy. This is not hard to follow right now. I think a
blind person can follow this. We wonder why we have been hacked
so much, why they have copied everything. You all just
explained it. There are no checks and balances. It looks like
to me that we are protecting a business model more than we are
the security of our country. That is it in a nutshell I think.
You are afraid somebody else is going to come and get somebody
else, and if they do, they will go around that person to get
them directly and take them out of this chain. I see that.
I mean, I used to write RFPs all the time. An RFP is an
RFP, request for proposal, and here is how it is going to be
done. If you do not do it, you are not in compliance. You will
be held liable, be sued out the ying-yang because you broke it.
Do you sign RFPs?
Mr. MacKay. Yes.
Senator Manchin. And you agree to the terms of the RFP?
Mr. MacKay. Yes, we do, Senator.
Senator Manchin. Do you have people sign RFPs to you?
Mr. MacKay. Yes, absolutely.
Senator Manchin. Have you ever gone after someone legally?
Mr. MacKay. To my knowledge, we have not, but the T in my
title does not usually give me insight into the business side
of----
Senator Manchin. I would say there would be different types
of categories. The Defense Department is going to be required
to do some things that are not top secret, and some things that
we have are top secret and we hold primes responsible in
different ways because of what we are working on. But I would
think everybody in that food chain is going to be held to the
highest standard, but you are telling me it does not work that
way as it goes down the food chain. Correct?
Mr. MacKay. Well, Senator, I think that we hold everybody
to the highest standard that we physically can control because
we know what we know, and if somebody decides to go around our
back and go to a different supplier--they go to China for a
part or they go somewhere else that compromises the
information--and they lie to us, we have to be able to have a
way to find out that they have done that. That is a difficult
proposition.
Senator Manchin. If they have to make all their software
and everything applicable to your RFP, they got to turn
everything over. It should not be too hard to track it.
Mr. MacKay. That would be great.
Senator Manchin. Tell me what you need. Just tell us. That
is why you are here. We are here to fix it and you are here to
tell us what is broken.
Mr. Luddy. Senator, I would say two things in response to
the very legitimate concern you are raising.
One is that there should be a threshold security that
everybody needs to meet. I think our standard is an effort to
do that. The DOD made an initial effort to do that with 800-
171. And both of those efforts are going to continue and I
think strengthen. We all have that objective.
Another thing that I alluded to in my testimony is that
right now there is perhaps an over-sharing of information
across programs. Somebody working on a bolt does not
necessarily need the same level of information from the
government as somebody working on a guidance system or a
navigation system, for example, to oversimplify it. So the
Department I know is looking at that. I think that would be a
welcome way to deal with it.
So I think the more that we can control and define the
kinds of information that get transferred, the smaller bucket
of the problem we will have.
Dr. LaPlante. Senator, just a couple, two points really
quick.
One is an idea that sometimes comes up--and it is not
perfect--is there are some programs where we just do not reveal
the suppliers. Period. When I was Assistant Secretary, we
ordered the bomber for the Air Force. At the press conference,
they said who is building the engines. We said we are not
telling you. Now, of course, we do not think the Chinese will
at some point figure that out. But there is something about
protecting things that you would not think would be protected.
So that is one point.
The second point is where you are going. I will draw an
analogy. When I was Assistant Secretary, when I had a
frustrating problem in a program, a missile, and it was
failing, we would find out it was not the prime. It was a sub
to a sub of the prime. Well, I still held the prime
accountable. I do not think there should be any difference with
this.
Senator Rounds. But by then, it is too late. Is it not?
Dr. LaPlante. Oh, it is. But it is well known that the
prime knows that if the inertial measurement unit (IMU) on the
missile that is failing was made by a mom and pop shop, that is in
their incentive contract for the prime. So why is it not the
same for cyber? That is the question.
Mr. Peters. So, Senator, there are two points I would make.
This situation is much worse than many people realize.
One is that--you are absolutely right--the flow-down
requirements, while they do flow down, as you get to the
smaller to medium-sized manufacturers, they do not always take
the time to read them, to conform to them. I have been through
flow-down requirements that still have Y2K provisions and anti-
segregation provisions in them. So it gets very confusing. They
get very long. It is hard to do.
The other challenge we have is that the DOD makes all
information, contractual and transactional information, public,
90 days delayed, but it is still public through several
databases. There are companies that aggregate all of this data
and actually sell it in 37 different countries. So all that
data is out there. I can find the suppliers that make parts and
pieces for any aircraft, any ship, any land vehicle. It
essentially provides a blueprint of if you want to go after a
certain weapon system, whether to get information and steal it
or to----
Senator Manchin. Do they give you an email account on it
too?
Mr. Peters. Pardon me?
Senator Manchin. Email accounts on that too so you can go
right to it easily to hack?
Mr. Peters. Maybe not quite that level, but they do have
the contract information through SAM, System for Award
Management, for all of the contract----
Senator Manchin. Let me just bring up something, if I can,
real quickly.
You all are here because you understand the system much
better than we do. We know something is wrong. China could not
have the success they have had in such a rapid amount if it had
not been for us. We all know that, and we know what they do on
a daily basis. We know what Russia is doing. We know what all
these countries are doing. If you have been on Intel and you
have been on Armed Services, you are going to get the flow.
Nobody is willing to step to the plate and fix it. You are
shaking your head thinking we have got to be the stupidest
people in the world to let this happen. And that is what we are
saying. We do not want you to jeopardize your business, your
contracts, or anything. But somebody has got to come and we
have got to put a stop to it.
Senator Rounds. Let me follow up. It would appear to me
that within the Department of Defense, not only do we need a
consistency from one department to the other, but there has to
be a way of communicating so that the challenges that you face
and the challenges that we are learning about as we move
through and that we are now trying to publicly share with a
committee meeting like this in the open--and as you know, most
of our Cyber Subcommittee meetings are in a classified setting
because we do not talk about this. We decided intentionally to
do this one in the public so that we could draw attention to
how serious this was and to also suggest something else, and
that is that you need to have a way in which you can
communicate with the Department of Defense.
Today, as you work your way through this process, clearly
this is not something that you have not thought about before.
Clearly it is something that you are aware of and you had
concerns about or you would not be here.
When you look at these things, is there a way today in the
system for you to share with the individuals that you contract
through the Department of Defense, through the different
branches and so forth, different offices, procurement offices--
is there a way for you to share and express and participate in
trying to improve the acquisition process? Is there a process
there right now that you are aware of?
Mr. Peters. So, Senator, again, I spend most of my time
with small to medium-sized manufacturers in the defense
industrial base. When I let them know, though, I was going to
be testifying, I was overwhelmed with issues they wanted me to
raise, and I got a list this long. I had to really boil it
down.
The challenge is that there are some venues to do that.
However, what we find is that most of the manufacturers (I
focus on manufacturing) are reluctant to say anything, whether
it is directly through the DOD, through procurement technical
assistance centers, or any of the different kinds of venues
they have, because they are afraid of reprisal. I have a number
of horror stories of reprisal from the DOD because somebody
spoke up, they raised their voice.
So unless there were some way for you to gather this
information anonymously--and that is one of the reasons I get a
lot of this insight. When I do my research, I promise the
subjects anonymity. They spill the beans. But unless there were
some way for you to do that, either through a university that
was doing this research or through some independent third
party, I think you are always going to have this fear of
reprisal.
Senator Rounds. You know, the National Aeronautics and
Space Administration (NASA) actually has a program for pilots
who, when they see something that is unsafe within the system,
can fill out a form. Basically even if they messed up on a
federal aviation regulation or if they have done something, as
long as they fill that form out and advise through NASA that
there is a safety issue involved in a particular place, whether
it is going into a particular airport, working under a
particular type of airspace, or whatever--when they fill that
out and send it in, this is what is used to actually make the
entire system work better long term. What you are saying is
that really does not exist right now within the defense
acquisition system. But perhaps something along that line may
be----
Dr. LaPlante. Yes, Mr. Chairman. I think there is also a
program very much like you described called Aviation Safety
Information Analysis and Sharing (ASIAS) with the Federal
Aviation Administration (FAA), that the airlines have gotten
together and they have agreed to have a safe sharing
environment by pilots. There is something to that.
I draw the analogy. When you have an air incident in the
Air Force, they first get the root cause, and the people that
are talked to, complete immunity. You say whatever you want.
They do not do the punishment thing. They want to get the
facts. You separate that later if you say we need to do some
discipline, do that later with a different group. But it is to
foster that environment that you are talking about.
Senator Rounds. One other item that comes to mind as I
listened to the discussion here. The thought that there would
be reprisals coming back through DOD for a subcontractor or a
business entity to report something which would be a threat to
national defense is of real concern. While we are not naive
enough to think that that may not be occurring, it seems to me
that some of that has to do with the culture within the
different organizations.
I would call to mind most recently the Department of the
Navy just put out their current cyber analysis, and they were,
in my opinion, very straightforward, and they went into some
detail about their own challenges. In a way, it was like going
to confession. But they did more than that. They actually
recognized that they are an information operation. They may
have a goal of getting 355 ships, and it is not the fact that
our near-peer competitors are stealing our ships. They are
stealing our information. If we are going to protect our ships
with all sorts of systems, what is it that we are doing to
protect our information, which clearly is just as valuable, if
not more valuable? I think that openness on the part of the
Department of the Navy is something that may very well suggest
the changes needed within the culture not just of the Navy but
elsewhere within DOD as well.
I am seeing heads nodding, but I would love to have your
thoughts that perhaps that is part of the discussion that we
need to participate in.
Mr. MacKay. Senator, I can contribute that our experiences
with the Navy, and in particular Team Sub, have been that they
have grabbed this problem by the horns. I think there would be
repercussions if we did not report issues that we are seeing in
cyber defense and in the way that they are conducting their
activities and looking at the problem. They are pushing us.
They are teaching us. They have really taken the forefront.
But I think the discussion across the board here shows how
it depends on each Department of Defense and each program
office even, and you do not have a consistent approach across
the board. Something that pushes down from the top that sets
policy and sets the approach would be very valuable. I would
offer the Department of the Navy as a good example of how it
should be done because we have had nothing but encouragement
and help from our Department of Defense partners.
Dr. LaPlante. I would also say there is a part of the
Navy--and this is a culture thing--the submarine Navy. They
have a culture maybe because they are nuclear trained to get
the facts. Do not just look to shoot somebody. There is a
famous admiral who ran Strategic Systems Programs (SSP), which
is the submarine ballistic missile part of the Navy. Malley's
Rules. Rule number one is tell bad news fast. It never gets
better with age. You got to have that in the culture. And I
think you are seeing some of those glimpses. We should get that
out there more on this topic.
Now, at the same time, you want to hold people accountable.
So you have to reconcile how you do both at the same time. It
can be done.
Mr. Luddy. I think Dr. LaPlante is highlighting something
really important. This does raise a tension, though, between
the very important information sharing about threats, breaches,
methods of addressing threats that we are trying to promote
within industry and between industry and DOD, on the one hand,
and the well-intentioned prospect of making levels of
cybersecurity a matter of differentiating in contract and
source selection. I understand where that comes from, and there
is something to be said for it. But we just have to balance
that with anything that will cause companies, for reasons of
competitive advantage or disadvantage, to not share the details
or specifics about a problem that they are facing across the
companies. Right now, I think certainly at the higher levels,
our companies do a good job of exchanging information and
collaborating on how best to meet the threat. We do not want to
put anything out there that discourages that.
Senator Rounds. Thank you.
Joe, anything else?
Senator Manchin. No.
Senator Rounds. Gentlemen, first of all, your full
statement is a part of the record. We most certainly appreciate
your participation here today. I am sure that we are going to
be doing something along this line once again. But I would like
to, once again, on behalf of the subcommittee, thank you all
for your participation and your frankness. I think this goes a
long ways towards informing the subcommittee and then the
committee of some ideas or some processes that can be explored
with regard to improving not just the culture but the overall
process for addressing the issues of cybersecurity within the
Department of Defense.
With that, Senator Manchin, anything?
Senator Manchin. No. Thank you.
Senator Rounds. Very good. We will call this subcommittee
to a close. Thank you.
[Whereupon, at 3:36 p.m., the committee adjourned.]