VIEWPOINT DEFENSE DEPARTMENT
Supply Chain Must Deliver Uncompromised Systems
Warfare is no longer limited to either the physical or digital theater. Instead, adversaries ranging from script kiddies to nation-state sponsored advanced persistent threats have evolved to simultaneously launch asymmetric attack campaigns along digital, kinetic and hybrid vectors to undermine democracy, challenge moral values, alter public perceptions, compromise critical infrastructure, steal valuable intellectual property and exfiltrate sensitive information.
These malicious campaigns are achieved predominately through the exploitation of existing vulnerabilities in vendor-supplied hardware systems and software applications that were not developed with security at each stage of the developmental lifecycle, or that were not adequately penetration tested before release.
This failure to secure the supply chain is perhaps one of the greatest national security threats facing the nation today. The public and private sectors can no longer afford to support negligent vendors that fail to develop their offerings with layered inherent security before release. The “deploy now, patch later” culture of the vendor market shifts risk and liability onto buyers and results in significant resource waste and harm to organizations and average consumers alike.
Past attempts to adopt security-by-design have been hobbled by the opportunity loss resulting from the rush-to-market created by this ubiquitous culture. Leadership is needed to impose an incentive or penalty enough to incite a shift in vendor behavior. The “deliver uncompromised” proposal under consideration by the Pentagon offers short-term, mid-range and long-term courses of action designed to improve national security by enhancing supply chain security in the defense industrial base.
“Deliver uncompromised” places emphasis on the security of systems, data, communications, supply chain and information in general, regardless of medium or vehicle. In effect, contract deliverables must be provided in a state that is uncompromised by hacking, the inappropriate sharing of data, or contamination of the data throughout the entirety of the product lifecycle.
“Deliver uncompromised” establishes security as a fourth pillar in defense acquisition and incentivizes the defense industrial base to embrace security as a major factor in their competitiveness for U.S. government business rather than as a cost burden. Market leaders, whose every decision is emulated by lower-tier firms, depend on public sector contracts. Consequently, if adopted, “deliver uncompromised” will empower the Pentagon to leverage powerful market forces to incentivize comprehensive and lasting security reform within leading vendor operations, which will have a cascading effect on the lower-tier firms that exist within the defense acquisition ecosystem.
So what is “deliver uncompromised”? It is a strategy proposed by the nonprofit MITRE Corp. to improve cyber and supply chain security of the Defense Department and intelligence community through suggested courses of action that quantify risk, dismantle intra- and inter-government information silos, and prioritize threat mitigation.
The proposal suggests that to protect national security and to improve the cybersecurity and resiliency of critical infrastructure systems, defense contracts should be awarded based on security assessments in addition to cost, performance and schedule. The initiative integrates foundational concepts of risk management and security-by-design into the acquisition process. The strategy ensures mission resilience by instituting a deliberate, inherent elevation of integrated risk management from concept through the retirement of a project within the department and its contracting base. And it directly addresses its need to secure that innovation from compromise.
Delivering uncompromised software systems is not hard, said Rob Roy, an Institute for Critical Infrastructure Technology fellow and chief technology officer at Micro Focus Government Solutions.
“There are many ways to accomplish this goal. It requires an established and well documented process, effective policy, tools and training. What makes it difficult is when providers are told how to do it, rather than specifying an objective outcome,” Roy said.
MITRE’s proposal suggests 15 courses of action that range from increased security and cyber-hygiene awareness to elevating security as a deterministic metric in the acquisition process to advocating for litigation reform and liability protections to increasing supply chain security at the national level.
By adopting “deliver uncompromised,” the Defense Department will send a clear message to its suppliers that security-by-design and operational continuity measures are expected in future vendor solutions; otherwise, contracts, deals and business will be ceded to firms that are willing to adapt to the realities of the evolving threat landscape and include inherent security at each layer of their product lifecycle. By adopting the strategy, the department will define, shape and standardize the responsible conduct of its suppliers.
Since many market leaders and innovators rely on public sector contracts, the potential impact of the campaign derives from the significant influence that the Defense Department and intelligence community have over market leaders in the defense industrial base.
Incentivizing proactive action through rewards has proven as ineffective as threatening punishments. “Deliver uncompromised” proffers a realistic compromise. MITRE’s proposal prevents prime contractors and subcontractors who are not compliant with security standards from winning acquisition contracts in the first place. With “deliver uncompromised,” the department is in effect forcing contractors to elevate cybersecurity to a requirement of doing business versus a cost of doing business.
Further, because contractors are responsible for any subcontractors they utilize, the onus of assessing the security of each subcontractor falls onto contractors because their ability to conduct business with the department is at stake.
While “deliver uncompromised” is designed to impact the defense industrial base, it may also be the spark that will change supply chain practices across multiple critical infrastructure sectors.
Practically speaking, the defense industrial base is so massive that requirements for higher standards will certainly impact organizations that have a foot in multiple sectors.
It is almost inconceivable that once an organization is forced to improve its cyber hygiene and development practices for its defense clients, it would not extend those practices to clients in other sectors. Furthermore, the fact that the largest buyer on the planet is articulating, vocally and through its checkbook, that the pervasive culture of “deploy now, patch later” is unacceptable and will no longer be tolerated will no doubt have a ripple effect that will inspire other sector leaders to follow suit.
Change is inevitable, but stakeholders can accelerate improved security. The foundational change promised by “deliver uncompromised” is on the horizon, whether or not the specific tenets of the proposal are adopted. The concept has been considered for over a decade and has recently been a recurring mantra in the national security community. Executives are beginning to expect supply chain security from their suppliers.
Responsible buyers can help accelerate adoption of the proposal in part or whole by demanding layered security according to NIST SP 800-160 throughout the development lifecycle from their suppliers. Firms can also internally improve their security by quantifying risk through comprehensive and iterative assessments and by clearly defining security-relevant roles, responsibilities and expectations of their stakeholders.
Meanwhile, vendors can ensure that their internal operations and offerings are at least compliant with industry standard frameworks such as NIST SP 800-53, NIST SP 800-160 and NIST SP 800-171, upon which “deliver uncompromised” frameworks and legislation are likely to be based. By helping to promote the adoption of “deliver uncompromised” initiatives, compliant vendors will actually increase their market shares by imposing a significant penalty on any noncompliant competitors.
Finally, its adoption ultimately depends on the funding and support of the legislative community.
“For years, legislators have analyzed the problem and asked for numerous reports on the problem. We have analyzed the problem for over 10 years. It’s time to turn the findings into a funded program that can build, maintain and retire uncompromised systems,” said Roy. Voters, advocacy groups, publications, legislators and other stakeholders can greatly increase the chance the United States can leverage “deliver uncompromised” to improve national security and protect critical infrastructure by helping to raise awareness and support for the proposal.
Adoption of the concept is needed because the current market favors lackadaisical security. A pervasive culture of software insecurity has become normalized due to developers’ focus on speed-to-market versus product security.
Incentives to develop products that are inherently secure are not powerful enough to curb negative behaviors. In fact, firms are often rewarded with lucrative contracts and exclusive deals for rapidly developing and deploying flawed solutions driven by the demands of the buyer.
The “deliver uncompromised” initiative imposes security requirements and financial disincentives sufficient to deter the release of known flawed hardware and software. By linking Defense Department acquisition decisions to inherent security, the Pentagon can inspire a pervasive culture of security consciousness among vendors in the defense industrial base who will no longer view security as simply a cost of doing business.
A product’s inability to be compromised by persistent digital threats will become a market differentiator that distinguishes dependable and innovative vendors from faux experts and unreliable third parties. In the long term, “deliver uncompromised” has the potential to improve supply chain security practices in other sectors, which can learn from the recommendations gleaned from the original MITRE report and how it is being implemented throughout the defense industrial base.
Parham Eftekhari is executive director and Drew Spaniel is lead researcher of the Institute for Critical Infrastructure Technology. This essay contains content and thoughts from the ICIT research brief entitled, “Deliver Uncompromised: Pentagon Leadership Can Improve Supply Chain Security Across the Nation.”