Cost Isn’t Everything. Pentagon Should Judge Contractors on Cybersecurity, Report Says
Security would be ‘fourth pillar’ in weapons purchase decisions
The Pentagon should take into account the cybersecurity capabilities of defense contractors in addition to cost and performance measures when awarding contracts, a U.S. government-funded think tank recommended in a report published Monday.
Through its buying process, the Pentagon “can influence and shape the conduct of its suppliers,” the Mitre Corp. said in a report titled “Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War.”
The Defense Department “can define requirements to incorporate new security measures, reward superior security measures in the source selection process, include contract terms that impose security obligations, and use contractual oversight to monitor contractor accomplishments,” the report said.
The Pentagon must consider new measures because the very nature of war is changing, the Mitre report said. Adversaries no longer have to engage the United States in direct conflict using weapons but can respond to American military strikes “through blended operations that take place through supply chain, cyber domain, and human elements,” the report noted.
The report recommends that security be made a “primary metric” in Pentagon weapons purchase and sustainment decisions and that the Defense Department increase awareness of risks associated with its supply chains. It also calls for a National Supply Chain Intelligence Center that would include officials from the FBI, Homeland Security, the Pentagon and intelligence agencies to track risks and advise agencies.
When choosing current or new contractors, in addition to considering cost, performance and schedule, the Pentagon must also make security a so-called “fourth pillar,” the report said. Contractors should be continuously monitored and assessed for the degree of risk they pose, the report said.
In addition to measuring a contractor’s ongoing performance on a contract, an independent, federally-funded research agency could develop a risk rating similar to credit ratings done by agencies like Moody’s, the report said. Mitre is a federally-funded research and development center.
The Pentagon did not respond to an email seeking comment on the report.
The report and its recommendations come as U.S. intelligence officials have become increasingly alarmed at potential cybersecurity risks that may be embedded in vast computer networks and systems that power government agencies as well as weapon systems. Last year the Trump administration banned federal agencies from using a popular anti-virus software made by Kaspersky Labs, which was alleged to have close ties with Russian intelligence services.
U.S. officials also have been concerned about the security of the large number of electronic components made around the world that find their way into televisions and computers, as well as more sophisticated parts that go into making weapons.
The Pentagon has banned ZTE phones and digital devices because the company has close ties with the Chinese government. A broader sanction against ZTE for violating U.S. prohibition against doing business with Iran has been loosened after Chinese President Xi Jinping made an appeal to Trump.
At a hearing last month, DHS officials told lawmakers that Congress needed to pass new legislation to ensure that information technology products and services bought by various agencies are free from threats posed by foreign-made components.
In June, the White House sent Congress a legislative proposal that’s the basis of a bipartisan bill by Sens. Claire McCaskill and James Lankford. The measure would create a federal acquisition security council that would assess threats and vulnerabilities posed by foreign-made components of electronic and digital products.
The new measure would extend to all federal agencies authorities already available to the Department of Defense that allow procurement officers to ban specific components and parts from being included in products and services being bought by the federal government. The Pentagon has the authority under Sec. 806 of the National Defense Authorization Act of 2011.
Watch: Trump Praises McSally, Criticizes the Media at NDAA Signing Event
[jwp-video n=”1″]