Inside Cybersecurity

June 25, 2024


Defense Dept. struggles to balance supply-chain security concerns, commercial innovation push

By Justin Doubleday / May 7, 2019

The Pentagon has moved in recent years to better secure key technologies and data from potential adversaries like China, but those efforts are increasingly coming into conflict with the Defense Department's attempts to work with commercial businesses.

The issue has garnered international media attention as U.S. officials attempt to convince countries around the world that Chinese telecommunications giant Huawei's relationship with the Chinese Communist Party poses too great a risk to allow the company to build the next-generation “5G” wireless network.

But the issue is far broader and deeper than the 5G conflict currently dominating headlines. The Defense Department has launched a sweeping task force on supply-chain cybersecurity, while Congress in recent years has moved to ban some foreign suppliers like Huawei from government networks and enacted broad reforms around foreign involvement in U.S. technological developments.

At the same time, DOD has prioritized working more broadly with the commercial technology sector. The imperative is driven by the Pentagon's belief that commercial companies are driving the state-of-the-art in artificial intelligence and other cutting-edge technologies DOD officials say are crucial to the future of warfare.

The tension is highlighted in a summary of the 2018 National Defense Strategy.

“The fact that many technological developments will come from the commercial sector means that state competitors and non-state actors will also have access to them, a fact that risks eroding the conventional overmatch to which our nation has grown accustomed,” the document states.

“Maintaining the department’s technological advantage will require changes to industry culture, investment sources, and protection across the National Security Innovation Base.”

Now, the commercial technology industry is raising concerns that the government's efforts to clamp down on supply chain security will be too heavy-handed and restrict the innovation DOD claims to prize.

In a March 6 letter to the congressional defense committees, BSA/The Software Alliance, an industry group, warns against “some efforts to advocate for solutions to technology development that would seek to deny foreign adversaries influence by adopting indiscriminate prohibitions against the acquisition or integration of software components developed in certain foreign nations or by certain foreign nationals.”

Such policies could “undermine the department’s ability to harness innovative software products, including many open source products, fundamentally undermining DOD’s technological edge,” the letter says.

BSA advocates for enterprise software providers and counts Apple, IBM and Microsoft among its members. The group is concerned about “protectionist” policies that indiscriminately ban foreign involvement in U.S. technologies and potentially result in retaliatory measures overseas, according to Tommy Ross, BSA's senior director for policy.

“I think the question that we want to put before the Defense Department and before the U.S. government more broadly is, how can we craft policies to protect U.S. government systems and protect U.S. citizens, that we're equally comfortable being applied to our businesses and our citizens overseas?” Ross said in an interview.

He said the group is particularly concerned about “software provenance” discussions and potential moves to broadly ban software developed in China and Russia.

“I think there are people, including policymakers in China, that have the exact same concerns about U.S. products, that believe that the NSA is sitting on every box that comes out of U.S. technology providers,” he said. “Our approach to thinking about supply chain security is that if we go down that road, it will lead to nobody being able to sell products in anybody else's markets.”

Some of the concern stems from provisions in the fiscal 2019 National Defense Authorization Act requiring contractors to disclose “foreign obligations” to their work, such as software and source code development. Furthermore, the law made permanent DOD's authority to ban companies they deem too risky from defense procurements.

In an October letter to DOD's acquisition directorate, the IT Alliance for Public Sector raised potential concerns about the implementation of the new provisions. ITAPS counts Apple, Amazon, Google, Microsoft and a range of other commercial technology companies among its members.

“These provisions pose grave consequences for the department’s mission, and, specifically, the ability to inform and support the warfighter, if they are implemented in a fashion that does not effectively balance the need for security with the desire to inject innovation into the national security mission,” ITAPS wrote. “We look forward to working with you to find the proper balance.”

An overly broad interpretation of the “foreign obligations” section could “create substantial liabilities for companies in the industrial base that do business with the department,” the letter continues.

“We strongly believe that instead of prohibiting software that may have a connection to China or other U.S. cyber adversaries, the department should focus on adopting effective mitigation strategies that address risks which can originate from foreign spying or sabotage to insider threat,” ITAPS wrote.

'Protecting critical technology'

Under the Obama administration, the Pentagon attempted to make inroads with the commercial sector by establishing DOD outposts in places like Silicon Valley and Austin, TX. The department has also embraced some acquisition reforms, like the use of “other transaction agreements,” to make it easier for technology start-ups to work with the government.

Those efforts have continued and even accelerated under the Trump administration, but concerns about Chinese intrusions into U.S. supply chains have assumed greater importance as well.

“The National Defense Strategy, National Military Strategy, National Security Strategy, they all turn on the United States' ability to out-innovate our adversaries,” Carrie Wibben, deputy director of the Defense Security Service, said during a March event at Georgetown University.

“Missing is a comparable strategy to secure that innovation,” she added. “I don't think that exists.”

In October, the Pentagon established a department-wide “Protecting Critical Technology” task force after then-Defense Secretary Jim Mattis wrote in a memo, “the loss of classified and controlled unclassified information is putting the department's investments at risk and eroding the lethality and survivability of our forces.”

Among the issues the task force is studying is contractor cybersecurity. The Pentagon has wrestled with how to ensure companies in various tiers across its vast supply chain are protecting sensitive DOD data on their networks with the required security controls.

But the push to implement better supply-chain security measures is often at odds with parallel attempts to deregulate acquisition for the sake of commercial innovation, according to Angela Styles, government contracts lawyer at the Washington, DC offices of law firm Akin Gump.

For instance, since other transaction agreements aren't subject to the Federal Acquisition Regulation, the agreements aren't required to contain numerous regulations, like cost accounting standards, that might otherwise deter small businesses and technology start-ups from working with the department.

But it also means “other transaction authorities” don't include DOD's standard cybersecurity requirements, Styles pointed out. “I just see the train wreck coming,” she said in an interview. “I worry that in the interest of getting the technology we need, that we’re not putting the protections in place.”

DOD uses OTA contracting for prototype research and production projects.

Pentagon officials have admitted even the contracts that include the cyber requirements only require contractors to self-attest they comply with the standards. But DOD and its major prime contractors fear losing critical suppliers if they are more strict about compliance.

“A lot of the innovation at DOD comes from small companies,” Pentagon acquisition chief Ellen Lord said during a March event at the Atlantic Council. “Often when we go to small companies and try to make sure they're cyber hardened, we can either put them out of business because it costs so much or have them deselect from doing business with us.”

Acquisition's fourth pillar?

While the Pentagon does not yet have an overarching strategy for securing its innovation, “the conversation is happening now at the highest levels,” according to Wibben from DSS. She said one idea that has picked up momentum inside the department is making security the “fourth pillar” in acquisition, alongside cost, schedule and performance.

“That is a major change in terms of how the department has historically conducted the business of acquisition,” Wibben said.

The “fourth pillar” proposal was part of a MITRE Corp. report titled, “Deliver Uncompromised” and released in August. The report was commissioned by the Pentagon and suggested multiple ways for DOD to respond to foreign adversaries' exploitation of supply chain vulnerabilities.

“The historical emphasis on 'cost, schedule, and performance' is a fundamental driver for actions of DOD as well as the [Defense Industrial Base],” the report states. “The DOD requirements process has not put security and integrity on an equal footing, with the result that the costs of assurance work against the usual program metrics.”

The report's ideas, which include 15 separate courses of action and go well beyond the “fourth pillar” idea, are serving as a guide of sorts for DOD to achieve “uncompromised” capabilities, William Stephens, director for counterintelligence at DSS, said during an April 24 event hosted by the Center for Strategic and International Studies in Washington.

“We would have it specifically as a goal, we would require and tell the program managers -- or at the beginning of any sort of activity -- 'The objective here is to deliver this thing uncompromised,'” Stephens said.

The commercial technology industry is coalescing around some ideas in the MITRE report. For instance, Ross from BSA/The Software Alliance said the group endorses the idea that security should have a high priority throughout a system's development life cycle.

“That is a foundational principle for our members, that security be built in from the beginning,” Ross said. “Using secure development lifecycle approaches is a best practice within the industry.”

However, Ross said BSA opposes efforts to use liability as a security tool. The MITRE report suggests DOD could “establish minimum 'standards of due care' such that gross negligence could expose contractors to civil liability or limit their eligibility for future contracts or subcontracts absent satisfactory corrective measures.”

The idea has gained traction in some corners of DOD, as Stephens discussed the proposal during his CSIS address within the context of a hypothetical cyber attack on a contractor resulting in a loss of sensitive information.

“If they were operating at the appropriate state of care, then in fact they would achieve safe harbor and they would not be exposed to litigation,” Stephens said. “If they were negligent or grossly negligent, then they would be exposed to litigation and the Americans would get back some of the money they invested in that capability.”

Ross criticized the idea for making “lawyers more central to the conversation than developers.”

“It can become a compliance exercise that can get in the way of innovations, both in terms of software functionality, but also in terms of software security,” he added.

The “protecting critical technology” task force established by Mattis last fall is expected to lead implementation of any ideas in the MITRE report adopted by Pentagon officials. The group is directed by Air Force Maj. Gen. Thomas Murphy and overseen by acting Deputy Defense Secretary David Norquist.

The task force has not yet made any of its deliberations or recommendations public. A senior defense official told Inside Defense the group is in the process of putting together an implementation plan.

Despite the issues raised by industry, Stephens said the greater challenge is getting DOD and the broader federal government organized to pursue the goals of “deliver uncompromised.”

“If we ask and we incentivize American industry, they deliver,” he said. “But if we put the burden on them without changing the incentives, they react according to where their cheese is.” -- Justin Doubleday