Published by The Lawfare Institute
in Cooperation With
The U.S. defense industrial base (DIB) has been a critical partner in ensuring that the United States has enjoyed unrivaled military and economic prowess since World War II. However, over the past decade, malicious cyber actors targeting the DIB have increased in both sophistication and frequency, posing significant threats to the ability of American military forces to maintain a strategic advantage. In the face of such a pervasive and asymmetric threat, it has been acknowledged that the United States government is ill equipped to provide for the cybersecurity of the DIB. To win both in cyberspace and on the battlefield, the federal government needs to leverage the significant resources of the private sector more effectively.
In the immediate post-Cold War period, the United States stood alone as the dominant global superpower. In the past two decades, however, the People’s Republic of China has engaged in a campaign of aggressive technology modernization through increasingly brazen illicit means, enabling a sprint to near parity. Hacking, intellectual property theft, and predatory investments have allowed China to bypass many phases of research and development to bring advanced military technologies to the People’s Liberation Army. Despite the Department of Defense’s strategy to maintain military superiority, the United States is ultimately waging a government-centric campaign against an adversary that leverages the resources of its entire population and industrial base. In defending critical military technology, the Defense Department needs to do the same.
In 2021, Gen. Paul Nakasone, commander of U.S. Cyber Command and director of the National Security Agency, testified before Congress that the compromises of SolarWinds and Microsoft Exchange servers were “the clarion call for us to look at this differently.” Nakasone went on to explain that the challenge the federal government faces when addressing cyber threats to domestic networks is “not that we can’t connect the dots—we can’t see all the dots.” As Third Way pointed out last year in its report, Congress must foster and institutionalize relationships between the federal government and the private sector, to “provide partners additional resources to prepare for, respond to, investigate, and recover from cyber incidents.”
Made up of over 300,000 companies supporting U.S. warfighters worldwide, the DIB is increasingly a target for malicious cyber actors. Exploitation of the defense supply chain places U.S. forces in jeopardy by allowing adversaries to rapidly field advanced weapons systems based on U.S. technology, irreparably degrading the United States’ military superiority. For companies in the DIB, theft of technology can cause both reputational harm and economic loss as competitors that benefit from stolen information undercut U.S. companies through the sale of cheaper derivative technologies on the open market. However, intelligence oversight, the constitutional right to privacy, and “privity of contract” largely restrict the government’s ability to observe malicious activity occurring on domestic networks—much less defend against it.
The federal government presently addresses the security of DIB networks through the establishment of cybersecurity standards and contractual mandates that DIB partners adhere to those standards. In other words, the government defers responsibility for network security to the individual network owners. Sera-Brynn—a global leader in cybersecurity compliance—wrote in its 2020 annual report that not a single company it had assessed in 2019 was 100 percent compliant with the government standards. Stated plainly, relying on the current Defense Federal Acquisition Regulation Supplement (DFARS) and National Institute of Technology (NIST) cybersecurity standards alone has proved insufficient to create the bulwark necessary to defend against the onslaught from malicious cyber actors.
The Cyberspace Solarium Commission noted that “[t]here is much that the U.S. government can do to improve its defenses and reduce the risk of a significant attack, but it is clear that government action alone is not enough.” Echoing the commission, Executive Order 14028 on “Improving the Nation’s Cybersecurity” sought to address this issue through mandatory threat information sharing among federal agencies. Recent legislation requiring covered entities to report cyber incidents within 72 hours has been another attempt to gain insight into the problem. But if the compromises of SolarWinds and Microsoft Exchange and the ransomware blitz of the past year have taught us anything, it is that more than mere collaboration is needed—fundamental structural change is needed to rapidly identify large-scale threat activity and take coordinated action to thwart it.
As U.S. Cyber Command’s deputy staff judge advocate noted recently, “If the United States is to defeat these cyber threats, traditional notions regarding the division between criminal and national security matters must be reevaluated.” To efficiently combat threats to the DIB from nation-state adversaries and criminal actors, the Defense Department requires timely, bidirectional sharing of actionable cyber threat information through structured partnerships with the domestic cybersecurity industry.
The U.S. is the largest cybersecurity services market in the world, yet cybersecurity vendors servicing the DIB have not been leveraged at scale to support U.S. national security. “Congress has increasingly introduced cyber-related legislation to address the cyber threat,” Third Way reported, “but most Congressional action on cybersecurity occurs in the annual National Defense Authorization Act.” To effectively tap into the domestic cybersecurity ecosystem, Congress should enact legislation through the National Defense Authorization Act to modify the DFARS to establish a marketplace of accredited cybersecurity vendors that DIB companies would be contractually required to use.
There would be myriad benefits to such a marketplace:
Certification. The federal government could establish a set of heightened certification standards that would serve as a baseline for DIB cybersecurity. These could include standards for managed security service providers (MSSPs), managed detection and response (MDR), endpoint detection and response (EDR), firewall solutions, and insider threat detection, among many others. This would allow for a standardized process by which the government conducts risk management assessments for cybersecurity companies and would ensure that each vendor has the requisite experience and capability to secure sensitive defense information and technology. This would also enable the government to conduct background checks and certifications of all cybersecurity vendors charged with protecting DIB networks. Such a marketplace would allow the government to establish and maintain a list of “best in class” cybersecurity providers authorized to secure DIB networks.
Threat Information Sharing. Each new or renewed contract between the DIB and the Defense Department would stipulate that the selected cybersecurity vendor enters into an agreement with the federal government for an uninhibited bidirectional exchange of threat information. For DIB companies, this would obviate their contractual requirement to self-report cybersecurity breaches and would improve the overall security of their networks—better securing both their federal and their commercial information. For cybersecurity vendors, this would place them on a select list of cybersecurity companies that receive specialized alerts and reports of cyber threat intelligence directly from the federal government. The alerts and threat intelligence could include signatures or indicators of compromise derived from sensors deployed across the Defense Department information network, analysis from across the interagency, or identified behavioral traits of malicious cyber actors, among many others. For the government, this would enable real-time data flow from the DIB to allow for the identification of large-scale threats and vulnerabilities, as well as minute targeting of individual companies—all without the need for the Defense Department to purchase and manage over a quarter million government-installed test access points (TAPs) and network sensors. By screening data through cybersecurity vendors under contract with the DIB companies, this model provides the government a cost-effective way to resolve its inability to “see the dots” without impinging on DIB companies’ right to privacy.
Improved Cybersecurity Nationwide. As the saying goes, “a rising tide lifts all ships.” Cybersecurity vendors, from the largest providers of network solutions to the smallest endpoint detection companies, would compete for the opportunity to be on a discrete list of authorized vendors required to be patronized by over 300,000 DIB companies. By implementing a high threshold for certification, the government would be able to set the bar for cybersecurity across the country. Vendors within the marketplace would be able to use threat information exclusively shared with them by the government to update their definitions, improve their monitoring capabilities, and direct their threat-hunting teams—benefiting their DIB and non-DIB customers alike. Cybersecurity vendors that are not part of the marketplace would be required either to organically improve their offerings to compete or to seek certification with the Defense Department. In either case, the nation’s overall cybersecurity would improve.
Cybersecurity Maturity Model Certification. Accreditation for these vendors could include the ability not only to provide cybersecurity for networks and endpoints, but also to satisfy many of the requirements DIB entities need to meet under the Cybersecurity Maturity Model Certification (CMMC) 2.0. This added benefit would provide a vehicle through which DIB companies could meet the CMMC accreditation and third-party assessment requirements, thereby obviating the need to expend additional resources. Estimated CMMC implementation and assessment costs range from a few thousand dollars to hundreds of thousands of dollars for large companies. These costs could be built into the requirement for utilizing a cybersecurity vendor from the marketplace.
Early Protection of Critical Technologies. The establishment of such a marketplace also affords the federal government an avenue through which it could protect critical technologies early in the development process to ensure adequate security processes throughout the lifespan of technology development. For example, the federal government could subsidize the provision of network security for companies such as non-DIB universities and research centers developing certain critical technologies to ensure they are not compromised while still in the research and development phases.
Grow the Small Business Vendor Base. A significant barrier to entry for any small business seeking to provide services to the federal government is the substantial requirements. The Office of the Undersecretary of Defense for Acquisition and Sustainment found in its State of Competition within the Defense Industrial Base report that “[s]mall business participation in defense procurements as prime and subcontractors is vital to the defense mission, competition, and the health of the DIB.” To increase small business participation in the defense ecosystem, the government could offer subsidized cybersecurity from a certified vendor. This would serve as both an economic incentive and a means to streamline other processes, such as the Federal Risk and Authorization Management Program.
Malicious cyber actors continuously target the DIB to enable large-scale theft of Defense Department critical technologies. This not only puts national security in jeopardy, but it also harms the business interests of the DIB. Because the nation’s adversaries have no misgivings about using their government assets to engage in corporate espionage, the theft of critical technology from the DIB directly benefits foreign corporations by slashing their research and development costs and timelines. By establishing a marketplace through which cybersecurity vendors servicing the DIB can share cyber threat information, the federal government can gain better insight into cyber threats and better provide for the collective national defense. Congress has created such specialized marketplaces before, such as in the financial sector with the Federal Deposit Insurance Corporation (FDIC). It is time to recognize that the DIB and cybersecurity are equally as important.
The views and opinions expressed in this paper and/or its images are those of the authors alone and do not reflect the official policy or position of the U.S. Department of Defense, U.S. Cyber Command, or any agency of the U.S. government. Any appearance of Department of Defense visual information or reference to its entities herein does not imply or constitute Department of Defense endorsement of this authored work, means of delivery, publication, transmission, or broadcast.