NDIA POLICY POINTS CYBERSECURITY
Defense Firms Should Seize Cyber Initiative
American business is under attack. The recent confession by social media giant Facebook that hackers breached nearly 50 million of its users’ accounts, despite heavy investments in data and network security upgrades, reminds business and government observers of the significant cybersecurity risks menacing the private sector. In 2017 alone, U.S.-based organizations reported 1,579 data breaches, an increase of 44 percent from 2016.
The Trump administration’s National Cyber Strategy, released in September, provides insight into how the federal government intends to respond to deteriorating conditions in cyberspace. While most press coverage of the report focuses on its muscular rhetoric toward foreign cyber threats, reducing cyber risk in the private sector drives much of its agenda.
As a result, industry should expect more government interest in civilian cybersecurity, specifically in the form of tougher regulations on data and digital systems management, more stringent cybersecurity requirements for federal contractors, and preemptive security assessments and investigations.
The strategy balances its costly regulatory agenda with economic policies that positively incentivize industry compliance and technology development. As frontline targets during an era of escalating cyber crime, defense industry firms should proactively rethink business strategies and operations through the lens of the strategy to reduce risks and to take advantage of emerging opportunities.
The strategy’s agenda for reducing homeland cyber vulnerabilities directs government purchasing power toward incentivizing good corporate cyber hygiene. Echoing well-publicized administration concerns about cyber risk in the industrial base, it calls for leveraging the acquisition process to reduce federal supply chain risks by enforcing tougher cybersecurity requirements on contractors.
According to one agenda item, federal procurement officials would be authorized to ban vendors or products that fail supply chain risk assessments. As part of these assessments, officials will conduct stringent evaluations of defense contractors’ data and systems security plans and practices using security tests, sensor-based monitoring, active threat hunting and routine emergency response to cyber incidents. The administration also proposes expanding Committee on Foreign Investment in the United States and Federal Communications Commission authority to examine and deny strategic investments by foreign adversaries in U.S. technology companies.
These tough and punitive measures make sense in the short run because of the urgency of the current cyber threat environment. In the long run, however, they risk burdening companies with compliance costs that will discourage them from participating in the federal marketplace or from adopting important cyber reforms altogether. These efforts to reduce homeland cyber vulnerabilities will require calibration to avoid endangering federal supply networks.
The National Cyber Strategy offsets the burden of tough compliance standards with positive economic policies to enhance U.S. competitiveness in cyberspace. It proposes a limited, but clear economic leadership role for the federal government in cybersecurity, characterized by continuous updating of performance standards and lowering of regulatory barriers to private cybersecurity innovation.
It pledges opposition to international “digital protectionism” schemes promulgated under the guise of cybersecurity, to support U.S. companies reliant on the safe, secure and free flow of digital trade and data across borders. Additionally, it endorses stronger intellectual property rights enforcement as an incentive for innovation. Finally, the strategy promotes more federal government involvement in expanding the national cybersecurity talent pipeline. The cultivation of an elite cyber workforce contributes both to winning the economic competition for cyberspace and securing it as a safe and open domain.
Instead of waiting for the federal government to lead, companies should seize the initiative and get ahead of the crowd in cybersecurity implementation. By waiting for the government’s mix of rules and incentives to moderate the costs of compliance, companies may increase their risk of falling behind pioneering competitors who offer clients more security or of becoming victims to bad cyber actors.
With cyber threats and regulation looming, the uncertain defense contracting environment offers businesses an opportunity to embrace innovation, to position themselves where demand will be tomorrow rather than standing pat where it is today. For example, even the tradition-bound Marine Corps has learned to benefit from innovative approaches to cybersecurity. Through its “Hacking the Marine Corps” competition held in September, the service learned of 150 vulnerabilities in its web platforms, according to the Fifth Domain website.
Defense firms should respond to the National Cyber Strategy by looking for efficient ways to adapt to and exploit the regulations and opportunities likely to emerge from implementation. It is a harbinger of policy changes that will alter the strategic environment of the defense industry. The administration’s forward-leaning approach to addressing civilian and industry cyber vulnerabilities will generate new compliance obligations and pressures.
However, savvy companies may see in the strategy a major windfall opportunity to position their businesses ahead of the cyber compliance curve while the rest of the industry scrambles to catch up. Now is the time for defense contracting firms to revise their core business strategies and models in ways that project cybersecurity as a core value proposition.
Christopher Smith is a regulatory research associate at NDIA’s policy division. He can be reached at email@example.com.