Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.
Glaring security differences between civilian and defense networks were on full display at the nomination hearing for Lt. Gen. Stephen Lyons to take over as U.S. Transportation Command chief.
While the gap between civilian and defense cyber protections are often a major concern for TRANSCOM since it works with civilian companies to transport goods, this hearing was different because it called for real action that may be felt by companies doing business with the command.
“Having a minimum [cybersecurity] standard in contractual language is the first step we have to do in the future,” Lyons said before the Senate Armed Services Committee on June 26.
TRANSCOM already sets some cyber standards in its contracts, but current TRANSCOM chief Gen. Darren McDew said last year the standards were not as stringent as the command wanted and he feared pushing the companies too fast would drive them away.
Lyons said TRANSCOM has an excellent relationship with private industry, but some companies are better than others when it comes to upholding cybersecurity standards.
However, Lyons emphasized that the Defense Department is in a completely different domain than industry in the cybersecurity sense and needs more security than provided by the National Institute of Standards and Technology baseline required by law when working with government data.
Sen. Elizabeth Warren (D-Mass.) wasn’t sure just requiring companies to go above and beyond NIST requirements in contracts with TRANSCOM is enough.
Warren said the contract obligations should only be a first step.
“Then we have to enforce it. Given TRANSCOM’s disproportionate reliance on unclassified commercial networks these commercial partners need to understand there are going to be consequences for failing to implement strong cybersecurity standards. The logistics chain is just too important for cyber vulnerabilities to go unchecked,” Warren said.
Warren’s comments could be a possible harbinger for future defense authorization bill provisions for companies that want to work with the government.
Where things are
TRANSCOM is responsible for coordinating transportation for the military services around the globe. In order to do that, TRANSCOM capitalizes on a large number of civilian transport assets.
McDew explained commercial partners, who carry equipment by train, plane, ship and other modes of transportation, are not held to the same standards cybersecurity-wise as DoD assets.
“The Department of Homeland Security has responsibility for the commercial networks of the country; the Department of Defense defends the Department of Defense networks,” McDew told Federal News Radio in 2017. “Both do a very good job. The problem is I bridge both. The folks I work with and the folks I rely on are both in the dot-com and the dot-mil domains. There’s sometimes a difference in how those things are viewed. If DHS doesn’t fully share the fact that some of this commercial infrastructure is part of national security … then maybe they resource it slightly differently. So I’ve got to start to convince, particularly on the dot-com side, some of the CEOs that I work with that that’s not an IT issue, that’s a CEO issue because on my side it’s a commander issue.”
McDew explained a mom and pop trucking company might not have the same cyber defenses that the military can use. While that company doesn’t need everything the military uses, there needs to be a solution for improving business cybersecurity.
Last year, McDew called on Congress to create a national cybersecurity standard to set a “low water mark” for what the nation will endure. A cybersecurity standard would set minimum guidelines, best practices and standards companies must follow to work with the government or to do business in general.
Last year, TRANSCOM ran two exercises: One explored how TRANSCOM would operate if the U.S. was not able to operate fully in the sky or sea; the other was to see how TRANSCOM would run in a cyber-contested environment.
McDew said the war games showed how vulnerable TRANSCOM is because of its heavy reliance on commercial companies. Ninety percent of TRANSCOM’s ability to take troops to war uses private industry.