A politician-turned-defense official who is trying to shake up the acquisition bureaucracy in the U.S. Department of Defense told contractors they need to better prioritize security in order to do business with the Pentagon, and stifle foreign theft of defense secrets.
“This is a change of culture,” Katie Arrington, chief information security officer of the Pentagon’s acquisition policy office, said Wednesday. “It’s going to take time, it’s going to be painful, and it’s going to cost money.”
Arrington, who joined the Office of the Undersecretary of Defense for Acquisition and Sustainment in January, is spearheading the development of new cybersecurity standards for contractors. Last month, defense officials unveiled a draft of the guidelines, known as the Cybersecurity Maturity Model Certification.
The standards will require contractors of all sizes to have a baseline level of cybersecurity practices in order to, for example, prevent adversaries from exfiltrating their intellectual property. Companies holding more sensitive defense data will need to demonstrate more advanced security practices. An updated draft is coming next month, and defense agencies’ requests for information will start using the standards next year.
Arrington, at an event hosted by the Consortium for Information & Software Quality, warned contractors that if they fail to better secure their information, the consequences could be serious.
“If industry doesn’t think that they’re not going to start getting slapped on this, there’s another thing coming,” Arrington said, citing the government’s ability to fine companies for selling insecure products.
Pentagon officials for years have struggled to institute stronger security practices at contractors, where intellectual property is a high-value target for state-sponsored hackers. This past March, the Department of the Navy released a scathing assessment of the service’s approach to cybersecurity, lamenting that hackers have operated relatively unimpeded. A 2014 Senate report criticized the Transportation Command for being largely unaware that Chinese hackers had breached its contractors 20 times over the course of the year.
“As a small business, when an adversary gets into your network, they’re not just going to take your [controlled unclassified information], they’re going to take your IP, they’re going to take your [personally identifiable information], they’re going to take your payroll information,” Arrington said Wednesday. “They’re going to take it all.”
Later, during her speech, she instructed the audience to repeat the phrase, “We all are going to get breached.”
Cybersecurity practices in the defense industrial base are “not something that changes by the day,” Arrington said, citing years-long contracts and procurement policies. And the general lack of awareness among defense companies that they’ve been breached is still a problem, she acknowledged.
A former defense contractor with Booz Allen Hamilton, Arrington has dabbled in politics in recent years. She won a seat in the South Carolina House of Representatives in 2016 before losing a bid last year to represent the state in Congress. During her primary with fellow Republican Mark Sanford, she accused the former South Carolina governor of not showing enough support for President Donald Trump.