Pentagon Could Impose New Cyber Regulations on Industry

By Vivienne Machi
Deputy Defense Secretary Patrick Shanahan speaks at the 2018 WEST conference in San Diego, California.

Photo: Defense Dept.

SAN DIEGO — The Defense Department may take larger steps to ensure industry partners and their suppliers practice proper cyber hygiene as it looks to better secure its information and data assets, Deputy Defense Secretary Patrick Shanahan said Feb. 6.

“We want the bar to be set so high, it will become the condition of doing business” with the Pentagon, he said at the annual WEST Conference co-hosted by the Armed Forces Communications and Electronics Association and U.S. Naval Institute in San Diego.

He emphasized that the level of cyber vulnerability within the defense community is significant, and hinted that parameters could be put in place to ensure companies were doing their part to keep critical information safe.

“You can imagine if tomorrow  … instead of having a financial disclosure statement, we want you to sign a cyber disclosure statement that says, ‘Everybody you do business with is secure,’” he said. “I don’t think you’d sign that tomorrow, but … we need to get to that level because your secrets, our secrets are exposed.” He did not elaborate on how specifically the Pentagon aims to achieve that level of security.

Shanahan assumed the role of deputy defense secretary in July 2017 after spending over three decades at Boeing, most recently serving as the senior vice president for supply chain and operations. Speaking to reporters after his speech, he noted that cyber hygiene standards were “just a condition of employment at the company.”

“In terms of protecting our data and protecting their information, there should be this standard,” he added. He referenced his college-aged son and noted, “I don’t call him up and ask him if he’s brushed his teeth.”

Product integrity and safety were “the first order of business” at Boeing, he added. “When I think of things like safety, cyber falls into that category … as being one of those things that should be uncompromising.”

It may not be easy to change the culture to be more stringent about cyber hygiene, but the U.S. workforce once also engaged in lengthy debates about smoking, he noted.

“We need to have the same intolerance on cyber,” he added.

The Defense Department has continued to prioritize cybersecurity efforts inside and outside its facilities as it warns of the potential threat of an attack from a near-peer adversary, as well as the dangers posed by everyday electronics usage. The 2018 National Defense Strategy, which was released in January, stated that the Pentagon will prioritize investments “in cyber defense, resilience and the continued integration of cyber capabilities into the full spectrum of military operations.”

Shanahan’s comments follow recent reports that U.S. military installations could be traced via a heat map released by Strava, a fitness tracker app that uses a device’s GPS to follow where and when a user exercises. Potential adversaries could possibly employ that data to track how personnel move across installations or how frequently, inviting security concerns.

In the past six months, Defense Secretary Jim Mattis has launched a review of how technology is used across the services, including the use of cell phones at the Pentagon. Department Chief Spokesperson Dana White said in a media briefing Feb. 1 that operational security was Mattis’ priority in taking a closer look at the potential threat posed by electronic devices.

“This recent incident [with Strava] and others has allowed him to take a bigger look at, ‘What are we doing and how are we doing it?’” she said. The Pentagon has not reached a consensus on policies going forward, she noted.

White noted that U.S. military bases have already been targeted.

“Information is power and our adversaries have used information to plan attacks against us,” she said.

Topics: Cyber, Defense Department, DOD Leadership

Comments (2)

Re: Pentagon Could Impose New Cyber Regulations on Industry

Well,we already have DFARS NIST SP 800-171 in place, so instead of adding even more regulations, let's focus on DoD contractors becoming 100% compliant with DFARS, then building on DFARS.

Grant at 10:56 AM
Re: Pentagon Could Impose New Cyber Regulations on Industry

I'm happy you are compliant, but your comment seems to be an advertisement for Flank. Just curious if you would allow an audit as I can't believe anyone is truly 100% compliant at this point.

Steve Watson at 2:01 PM
Retype the CAPTCHA code from the image
Change the CAPTCHA codeSpeak the CAPTCHA code
Please enter the text displayed in the image.