Contractors are giving away America's military edge
By BLOOMBERG Published: April 20, 2019
Note: This article has been corrected.
Editor's Note: The following editorial appears on Bloomberg Opinion.
In a connected world, no government or company can perfectly protect all its data from hackers and rival states. Even so, it's astonishing that, from January 2016 to February 2018, nearly 6 percent of U.S. military and aerospace contractors reported data breaches. And experts feel this is just the tip of the iceberg: The vast majority of security incidents are never uncovered. The Pentagon needs to tighten cybersecurity across its vast contracting operations and hold contractors responsible for breaches. If policy makers can contemplate jailing executives who lie about safeguarding personal data, then similarly harsh measures should be considered for those who put our national security at risk.
To be sure, the contractor breaches have rarely been the kind of top-secret thefts that generate headlines. Most have involved so-called sensitive materials, sometimes the intellectual property of contracting companies. But even small leaks can give hostile nations a leg up on countering the Pentagon's weapons of tomorrow.
The Defense Department has certainly tried to prevent such fiascos and get contractors to "deliver uncompromised." The department has periodically tightened minimum security standards for its contractors, and it is considering upping them again. The contractors argue that voluntary improvements would work better. But neither approach is likely to assure compliance across the board; the military-industrial base is simply too broad, with prime companies such as Lockheed Martin and Boeing assisted by numerous subcontractors.
Technically, companies whose security systems are repeatedly breached already can be fined or denied contracts. But Pentagon acquisitions officials have been loath to strip them of incentive to help the national defense. Thus in many cases the fines have been relatively painless, and when new contracts are awarded, past indiscretions have been more or less overlooked.
Three particularly worrisome recent incidents were the theft by China of highly sensitive information on naval projects left on an unclassified network, last year's breach of private information on 30,000 Pentagon employees, and the exposure of 60,000 files on a publicly accessible server involving a subcontractor to Booz Allen Hamilton, the firm that employed Edward Snowden. And perhaps most embarrassing was the 2016 theft of sensitive plans for the F-35 fighter — a plane that will cost taxpayers $1.5 trillion over its lifespan. A small Australian subcontractor on the project had reportedly never changed its Windows passwords from the defaults "admin" and "guest."
These incidents show that things must change. The loss of sensitive materials, whether through gross negligence or intentional actions by rogue employees, should result in fines and other punishments, whether or not the data involved are highly classified. And prime contractors should be held more responsible for the mistakes and failures of their subcontractors.
Security breaches that compromise the U.S. military should result in loss of contracts, corporate fines and even criminal charges against managers and top company executives. The U.K.'s Official Secrets Act, which imposes criminal penalties on government contractors for lost secrets, is a good model. Contractors' top executives should be required to acknowledge in writing that they are responsible for keeping government data safe — similar to the way in which, under the Sarbanes-Oxley Act, senior managers of corporations take responsibility for the accuracy of financial reports.
While primary contractors seem to have been reliable in reporting breaches, they also need to be held more accountable if they fail to give the Pentagon at least a preliminary report, including how they intend to investigate and rectify the problem, in the currently allotted 72 hours. Above all, it's important that they commit to an accurate accounting of all data that has been compromised. And the Pentagon needs to see that stricter new compliance rules are met within months, not years.
Rewards as well as punishments could also help close gaps in contractor security. Companies that reliably protect their supply chains should get contracting preference and other incentives, perhaps bonuses built into contracts if no security breaches are reported before delivery. So too those that put in place more stringent control measures — such as intensive training of employees on avoiding phishing attacks, or re-vetting longtime employees who have high-level access.
As the U.S. enters a new era of great-power conflict, national cybersecurity has never been more vital. The Pentagon must ensure that its contractors protect America's technological advantage. It's the same as protecting the United States.
Correction: A previous version of this editorial included incorrect information on Booz Allen Hamilton. It has been updated to say that the exposure of 60,000 files on a publicly accessible server involved a subcontractor to Booz Allen Hamilton.