Many in U.S. industry — even some among key defense suppliers — do not grasp the extent to which our defense posture has suffered from unauthorized extraction of technical information. This is a persistent and evolving threat — and one where there is ample evidence that nation-state rivals and commercial competitors have “feasted” at our expense by employing network-directed cyberattacks to steal and then exploit valuable information.
The Department of Defense's Better Buying Power 3.0 states plainly that compromise of unclassified, controlled, technical information “can significantly degrade U.S. technological superiority by saving an adversary time and effort in developing similar capabilities or countermeasures.” Where contractor information systems host sensitive DoD technical information that is vulnerable to extraction, it is likely that company proprietary information and trade secrets are similarly exposed.
DoD has wielded its acquisition authority to obligate contractors to improve protection of technical information, first through the “Unclassified Controlled Technical Information” Defense Federal Acquisition Regulation Supplement (DFARS) rule and, more recently, through the “Network Penetration” DFARS rule, which incorporates National Institute of Standards and Technology SP 800-171, a set of safeguards written specifically for nonfederal organizations, including commercial contractors.
Under the “Network Penetration” DFARS, new DoD contracts are subject to DFARS 252.204-7012 (“Safeguarding Covered Defense Information and Cyber Incident Reporting”). This safeguarding clause imposes a direct and immediate security obligation on defense contractors. It states:
“The Contractor shall provide adequate security for all covered defense information [CDI] on all covered contractor information systems that support the performance of work under this contract.”
For covered contractor information systems, the safeguarding clause requires implementation, “at a minimum,” of the security requirements of SP 800-171, and this must be done “as soon as practical, but not later than December 31, 2017.” Some in the defense industrial base were uncertain how to comply with the new DFARS requirements. They also needed time to assess the state of their existing cyber measures and to implement the improvements needed to satisfy the 109 security requirements stated in SP 800-171.
Flowdown of the safeguarding clause is required — “without alteration” — to subcontractors who receive or host CDI.
DoD’s largest contractors are likely already to have systems in place that protect CDI and meet or exceed the requirements of SP 800-171. For medium-sized and smaller businesses, the risk is greater. Adversaries recognize that valuable technical information is accessible not just through “tier 1” contractors, where relatively good cyber measures can be expected, but also further down the supply chain, where protections are typically weaker.
There is some anecdotal evidence that medium-sized companies are approaching the cyber obligations of the “Network Penetration” rules cautiously, and that smaller companies are doing little while they wait to see how compliance can be achieved affordably and without business disruption. Some companies may contemplate leaving the defense supply chain out of concern over the burdens and costs of the new cyber requirements. This is not in DoD’s interest — and could deprive higher tier contractors of essential and trusted specialty suppliers.
DoD needs to help solve this problem and should do so with the active cooperation of the larger primes. DoD may need to make funding available to help its industrial base comply with the new cyber protection demands; added protection costs those who implement it, and that cost ultimately flows through to DoD. At a more technical level, DoD needs to work with NIST to define how smaller businesses may use third-party, cloud-based services to meet the access control, identification and authentication, and other security requirements they take on when they receive CDI. Such arrangements need to be promoted so that this information can be protected without costly obligations to reconfigure enterprise-wide information systems.
NIST SP 800-171 focuses on protecting information systems, but several of the notorious security breaches of recent years suggest a further lesson. Defending the system as if it were a castle with barriers (e.g., firewalls) has not worked well when the information inside, once extracted, is unprotected and freely transferable. Technical measures are available to encrypt sensitive but unclassified information and to control or deny both access to it and the rights to use it. Digital rights management (persistent, file-level encryption with an access policy enforced wherever the file travels) is a means of retaining control over sensitive information even after its initial transfer to an authorized recipient, or after a successful but unauthorized extraction, provided the keys and access policy are managed separately from the systems that hold the data; extracted ciphertext is only as protected as the keys that unlock it. Future governmental cyber initiatives should encourage and, where necessary, enable the use of these methods.
Robert Metzger is a shareholder at law firm Rogers Joseph O'Donnell PC, where he's a member of the Government Contracts Practice Group and head of the Washington, D.C., office.