Many in U.S. industry — even some among key defense suppliers — do not grasp the extent to which our defense posture has suffered from unauthorized extraction of technical information. This is a persistent and evolving threat — and one where there is ample evidence that nation-state rivals and commercial competitors have "feasted" at our expense by employing network-directed cyberattacks to steal and then exploit valuable information.
The Department of Defense's "Better Buying Power 3.0" states plainly that compromise of unclassified, controlled, technical information "can significantly degrade U.S. technological superiority by saving an adversary time and effort in developing similar capabilities or countermeasures." Where contractor information systems host sensitive DoD technical information that is vulnerable to extraction, it is likely that company proprietary information and trade secrets are similarly exposed.
First in 2013, through the "Unclassified Controlled Technical Information" (UCTI) Defense Federal Acquisition Regulation Supplement, and more recently, in 2015, by the "Network Penetration" DFARS, DoD has wielded its acquisition authority to obligate contractors to improve protection of technical information. On Dec. 30, 2015, by an amendment to the "Network Penetration" Interim Rule, DoD decided to postpone, until Dec. 31, 2017, obligations to fully comply with the National Institute of Standards and Technology SP 800-171 — the new safeguards specifically intended for commercial organizations. This decision was regrettable, because the extraction threat is immediate and continuing, but necessary for practical reasons. Some in the defense industrial base were uncertain how to comply, and many companies were surprised by and unprepared for the new DFARS requirements. They needed the time to assess the state of existing cyber measures and to implement improvements, as necessary, to fill gaps and to satisfy the 109 controls stated in SP 800-171.
Under the "Network Penetration" DFARS, new DoD contracts are subject to DFARS 252.204-7012 ("Safeguarding Covered Defense Information and Cyber Incident Reporting"). This "Safeguarding" clause imposes a direct and immediate security obligation on defense contractors. It states:
"The Contractor shall provide adequate security for all covered defense information [CDI] on all covered contractor information systems that support the performance of work under this contract."
For contractor information systems, the "Safeguarding" clause requires implementation, "at a minimum," of the security requirements of SP 800-171, and this must be done "as soon as practical, but not later than December 31, 2017."
Flowdown of the "Safeguarding" clause is required — "without alteration" — to subcontractors who receive or host CDI.
DoD's largest contractors are likely to have in place already systems to protect CDI that meet or exceed the requirements of SP 800-171. As to medium-sized and smaller businesses, the risks increase. Adversaries recognize that valuable technical information is accessible not just at the "tier 1" contractors, where we can expect relatively good cyber measures, but also "down" the supply chain, where protection is less assured.
There is some anecdotal evidence that medium-sized companies are approaching the cyber obligations of the "Network Penetration" rules cautiously, and that smaller companies are doing little while they wait to see how compliance can be achieved affordably and without business disruption. Some companies may contemplate leaving the defense supply chain out of concern over the burdens and costs of the new cyber requirements. This is not in DoD's interest — and could deprive higher tier contractors of essential and trusted specialty suppliers.
DoD needs to help solve this problem and should do so with the active cooperation of the larger primes. DoD may need to make funding available to assist its industrial base in compliance with new cyber protection demands. Added protection comes at a cost to those who implement it and thus at a price to DoD. At a more technical level, DoD needs to work with NIST to develop ways that authorize smaller businesses to employ third-party, cloud-based resources to handle the access, authentication and security requirements imposed when these companies receive CDI. Ways need to be promoted to protect this information without costly obligations to reconfigure enterprise-wide information systems.
The approach of NIST SP 800-171 focuses upon protection of information systems, but as the means to protect the information hosted on those systems. We might take a lesson from several of the notorious security breaches of recent years. Protection of the information system, as if it were a "citadel," or a "castle" with barriers (e.g., firewalls) constituting a veritable "moat," has not worked well where massive amounts of information, once extracted from the information system, are unprotected and freely transferable. Technical measures are available to encrypt and otherwise control, or even deny, access and rights to sensitive but unclassified information. Digital rights management, whether cloud-enabled or premises-based, provides a means to retain control over access to and use rights in sensitive information even after initial transfer to an intended and authorized recipient, and even in the event of a successful but unauthorized extraction. Future governmental cyber initiatives should encourage and, where necessary, enable the use of these methods.
(I'll return to the Internet of Things and cyber/physical threats in future Federal Times blogs.)
Robert Metzger is a shareholder at law firm Rogers Joseph O'Donnell PC, where he's a member of the Government Contracts Practice Group and head of the Washington, D.C., office.