A cybersecurity standard would set minimum guidelines, best practices and standards companies must follow to work with the government or to do business in general. The Defense Department follows the National Institute of Standards and Technology’s cyber framework as its standard.
Last year, TRANSCOM ran two exercises: One explored how TRANSCOM would operate if the U.S. was not able to operate fully in the sky or sea; the other was to see how TRANSCOM would run in a cyber-contested environment.
McDew said the war games showed how vulnerable TRANSCOM is because of its heavy reliance on commercial companies. Ninety percent of TRANSCOM’s ability to take troops to war uses private industry, McDew said during a Senate Armed Services Committee hearing April 10.
Now he is calling on Congress and the Defense Department to do something to shore up the gap.
“We put cyber standards in every one of our contracts,” McDew said. “They’re not as stringent as we want them to be, but we are trying to work with industry to bring them along. If we push them too fast and too hard without the help of Congress and a national standard, I’m not sure they’ll stick with us.”
TRANSCOM’s current contracts emphasize the government requirement to report intrusions. McDew said part of the problem is the priority the military puts on cybersecurity compared with the priority given to it by the companies it works with.
“In our headquarters cyber is commander’s business, but not everywhere across our country is cyber a CEO’s business,” McDew said.
TRANSCOM only recently received the authority to go out and actually inspect the cybersecurity of its contractors. The combatant command still has yet to exercise that power.
TRANSCOM does not have the ability to use that power “at the pace that we’d probably like to, but we also require [companies] have someone check on their security as well,” McDew said. “The problem is I’m not sure everybody understands how problematic it is.”
Government-civilian divide in cybersecurity
TRANSCOM is holding cyber roundtables to keep industry abreast of issues and to emphasize how high a priority TRANSCOM needs the companies to give cyber. McDew said one issue is that at some companies cybersecurity is such a low priority that chief information officers can’t even get an appointment to see the company board.
Senate Armed Services Ranking Member Jack Reed (D-R.I.) said the Senate Banking Committee is working on requiring companies that work with the government to have a cyber expert on their board.
It was not until recently that TRANSCOM realized how much of an issue the government-civilian cybersecurity divide was.
About two years ago the command held three roundtables over 18 months with academia, business leaders and hackers to learn more about cyber threats. The command realized its commercial partners, who carry equipment by train, plane, ship and other modes of transportation, were not held to the same cybersecurity standards as DoD assets.
“The folks I work with and the folks I rely on are both in the dot-com and the dot-mil domains,” McDew told Federal News Radio. “There’s sometimes a difference in how those things are viewed. If DHS doesn’t fully share the fact that some of this commercial infrastructure is part of national security … then maybe they resource it slightly differently. So I’ve got to start to convince particularly on the dot-com side that some of the CEOs that I work with that that’s not an IT issue, that’s a CEO issue because on my side it’s a commander issue.”
McDew brought up the example of a mom-and-pop trucking company that does not have the same cyber defenses that the military can use. While that company does not need everything the military uses, there needs to be a solution for improving business cybersecurity.