Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.
On page 6 of the Navy’s recent report about its cyber readiness, there is a jaw-dropping confession: “The systems the U.S. relies upon to mobilize, deploy and sustain forces have been extensively targeted by potential adversaries, and compromised to such extent that their reliability is questionable.”
Bill Evanina, director of the National Counterintelligence and Security Center in the Office of the Director of National Intelligence, wants that single sentence in the 80-page report to sink in for a second.
“The Navy’s report on their resilience and reliability is that watershed moment not only for the Department of Defense but for all agencies in the federal government, and I would even proffer in the private sector, to have an honest, internal look at their systems, their data, their capabilities and their protection mechanisms and where they have vulnerabilities and how the threats are manifested in their organizations,” Evanina said after speaking at the Intelligence and National Security Alliance (INSA) event on supply chain management in Arlington, Virginia, on April 1. “I think all agencies should take a hard look and say, ‘What can we do that is similar to this to look at our own processes and protection models?’”
The Navy report serves as a call to arms around the challenges every agency faces from systems under attack to attempts to steal information from its industrial base.
“The DON’s dependency upon the defense industrial base (DIB) presents another large and lucrative source of exploitation for those looking to diminish U.S. military advantage. Key DIB companies, primes, and their suppliers, have been breached and their IP stolen and exploited,” the report states. “These critical supply chains have been compromised in ways and to an extent yet to be fully understood.”
20 arrested and indicted
Evanina said the report is as transparent and honest, and depressing, analysis about the current state of an organization then anything he’s seen in a long time.
“I believe when you have a supply chain issue you have a cyber issue, and when you have a cyber issue, you have a supply chain issue,” Evanina said during the event. “If you look at last year, 2018, it was a horrific year for us with respect to arrests and indictments of insider threats in the private sector. Over 20 individuals and companies just from China alone were arrested or indicted by the DoJ. A lot of them were in the supply chain realm. What hurts us every day becomes numb, and my fear is with respect to supply chain, we cannot become numb.”
“I think the question I’d ask every federal employee and contractor to go back and ask your organization, ‘What are you doing to advise and inform your supply chain integrity? What are we doing as an organization to protect our supply chain integrity?” Evanina said. “Every single government employee and contractor has a role in this. This is not owned and operated by the chief information officer and the chief information security officer. We all, as government employees and contractors, own a piece of the stake of the supply chain integrity. We are all a part of this and that encompasses cyber, human resources and acquisition and the insider threat to penetrate our supply chain is everyone’s responsibility to help mitigate that from a defensive posture.”
Evanina said among the weakest links in the holistic approach that’s needed to better secure the supply chain is the acquisition workforce and procurement process.
“They are the least educated with respect to the counter intelligence and security threat. Their job is to acquire, procure and get things online as soon as possible. We have an obligation to advise and inform them on what those threats look like and provide them some tools to do some basic due diligence,” Evanina said. “We have set out some standards to talk about what those due diligence standards are. If you going to award a contract for a printer or a fax machine, just Google the company and make sure they exist. Let’s just make sure they are a legitimate company.”
A common core framework is needed
At the same time, Congress passed and President Donald Trump signed into law the Federal Acquisition Supply Chain Security Act (FASCSA) of 2018 creating a new governmentwide council to come up with ways to reduce federal procurement risks.
This council along with the Department of Homeland Security’s information and communications technology (ICT) supply chain task force is part of the growing effort by government and industry to try to tackle these growing threats.
Evanina said the Navy’s report highlights mistakes and shortcomings that have existed for decades across all agencies and industry, especially in the procurement of products.
“We have to get the lexicon and vernacular down to what the supply chain means. It means many things to many people depending on where you sit. We need to get common, core framework around that first, and then we need to take swift action,” Evanina said. “We can use that Navy report and other reports in the private sector to understand two things, how adversaries are vectoring in using the supply chain and what are the most risk based fundamental matrixes that we can use to protect against that.”
The other side of the acquisition supply chain risk coin is industry. Vendors need to assure agency customers that they are buying products from reputable and trustworthy suppliers.
To that end, the Defense Industrial Base Sector Coordinating Council (DIB SCC) announced Wednesday it is creating a supply chain cybersecurity industry task force. In a release, the DIB-SCC said the task force will identify, prioritize, oversee and drive adoption of implementable solutions to protect controlled unclassified information throughout the supply chain.
The DIB-SCC said the initial focus areas for the task force include advanced persistent threat (APT) tactics, enhancing oversight and accountability, driving implementation of changing approaches and establishing enduring partnerships across industry and with the Department of Defense.
Evanina said the DNI’s concerns about supply chain risk were so great that the forthcoming update to the National Counter Intelligence Strategy. He said the report, which goes to the president next month, will detail new pillars around critical infrastructure, supply chain, cybersecurity, economic security and foreign influence.
“The mitigation and understanding of those threats is no longer the government’s job. It’s a whole of country, whole of society job,” he said. “I’ll proffer it from the supply chain perspective. The supply chain is in the private sector. You heard the quote from the Navy’s report. That’s the DON, they don’t make anything they buy, it’s made in the private sector. Whether you are government, industry or support, understand the threats, the vulnerabilities and, the most important part, what are the consequences.”