Lack of cooperation between contractors creates lasting vulnerabilities for DoD, official says
Competition among U.S. weapons makers keeps them from collaborating on cybersecurity problems, and it’s causing new and lasting vulnerabilities for the military, a senior U.S. official said Tuesday.
Col. Tim Brooks, the mission assurance division chief in the Department of Army Management Office, said a lack of dialogue between contractors is causing headaches as the military looks to harden its systems. Broadly speaking, most weapons systems overlay multiple hardware and software products that are not all made by the same company.
“With our weapons assessment program, there’s been a lot of time spent trying to break down organizational boundaries and to think about systems of systems,” Brooks said at the Security Through Innovation Summit presented by McAfee and produced by CyberScoop and FedScoop.
“That’s compounded by the fact that all these systems of systems are produced by subprime contractors and everyone’s got non-disclosure agreements and no one wants to disclose their secret sauce,” he said. “And I understand that. But if we don’t break down some of these barriers and we don’t get industry talking amongst themselves about how we could develop a common standard to ensure that information can flow from one side of an organization to another … then we’re never going to get better than our weakest link.”
He added, “we got to get better than that or we’re never going to beat our adversary.”
The Defense Department is supposed to complete vulnerability assessments for a total of 31 different major weapons programs before 2019, based on a requirement in the 2016 National Defense Authorization Act (NDAA).
But the issue of securing what are usually clunky weapons systems, which often run on outdated or custom operating systems, has been a well-known challenge for decades. With the U.S. government becoming increasingly aware of specific cyberthreats aimed at this type of technology, the military is now leaning on the private sector to prioritize digital security during the development cycle.
“This lack of knowledge and the effects it can have throughout a program’s acquisition life cycle can increase the risk of undesirable cost and schedule outcomes,” a previous Government Accountability Office (GAO) report on weapons system acquisition notes.