Military demanding contractors keep up pace on cybersecurity
By KIMBERLY PIERCEALL | The Virginian-Pilot (Tribune News Service) | Published: March 17, 2017
The “loose lips” of yesterday could just as easily be “compromised computers” today.
Starting Jan. 1, all military contractors must assure the government that they’ve taken steps to protect sensitive information from cyber attackers. If it turns out they didn’t, the contractors can wave goodbye to lucrative contracts in the future.
“If it’s your livelihood, it goes away,” said Rob Hegedus, CEO of Sera-Brynn, a Suffolk-based cybersecurity auditing firm that’s been working with clients to prepare them for the new rules.
Military spending in Norfolk, Virginia Beach, Portsmouth, Newport News and Hampton amounted to $16.8 billion in fiscal year 2015, nearly as much as in all of Fairfax County, according to the Office of Economic Adjustment. Among the larger beneficiaries were Huntington Ingalls, awarded $6.5 billion worth of contracts, followed by Booz Allen Hamilton ($1.3 billion), General Dynamics ($1.1 billion) and Atlantic Diving Supply ($1.1 billion).
From the largest contractors to the smallest, all have just nine months left to get up to speed on cybersecurity if they haven’t already. And if they have, some critics bet they’ve spent a lot to do so.
The regulations, in the works since 2013 and in a final form since October 2016, apply to protecting covered defense information – or unclassified “controlled technical information.” It’s essentially any information requiring safeguards or controls on its dissemination. That doesn’t include classified information, which has its own rules, or anything that would normally be available without restrictions.
Before now, there was no contractual language affirming a company had protections in place or, if there was, it wasn’t uniform. So if an attack happened and sensitive information was lost, pinpointing liability was difficult.
The new regulations have teeth, said Heather Engel, Sera-Brynn’s risk management vice president.
The firm’s D.C.-based law partner Pepper Hamilton LLP notes there’s potential for breach of contract claims or an outright end to a contract, which could affect a contractor’s rating going forward.
The new rules also apply to the ever-expanding cache of connected devices, the internet of things.
Like anything else on a network, “you have to manage them,” Engel said. And companies need to recognize what’s normal in order to tell what isn’t. If a security camera suddenly starts throwing out tons of bytes of info, that’s abnormal, she said.
That’s not to say if a contractor falls victim to a cyberattack that the military won’t have any sympathy.
It’s impossible to keep the bad guys out entirely, Hegedus said. And the military doesn’t expect them to. The Department of Defense is simply expecting the businesses they work with to do what they can based on a uniform standard.
So far, the regulations are just for defense contractors, but Sera-Brynn expects the standards to likely be adopted across the federal government. Some $50.5 billion worth of federal contracts were awarded to Virginia-based contractors in the last fiscal year, according to USAspending.gov.
Some believe the rules mostly will be an expensive cost for contractors.
“It’s just this unending march of cybersecurity overreach,” said Scott Phillpott, director of Hampton Roads-based Cyber Protection Resources, who estimates it could cost companies $500 to $1,000 per employee, per month, to follow the regulations. He called it a tax that wasn’t well thought out that treats a giant defense contractor the same as a low-level subcontractor.
“There’s a difference between Boeing and Bill’s Gardening as far as cybersecurity requirements,” he said.
Having some minimum standard is fine, but he criticized the proposed regulations, saying they were “written by cyber geeks,” who have a self-interest in whether a person might need more cybersecurity than necessary.
“When you go to a cybersecurity expert and ask, ‘Do I need more cyber security?’ they’re always going to say, ‘Yes,’ ” he said. “The people who don’t know cyber are going to spend a lot more to comply.”
Uniform standards or not, much of cybersecurity comes down to human gullibility.
It’s been 17 years since recipients of emails with the alluring subject line “I love you” couldn’t resist opening them and clicking on the attached text file, quickly spreading a virus of the same name to all of their contacts, and their contacts’ contacts, until it wormed through much of the business world.
“Here we are in 2017, and we’re still clicking on things that we shouldn’t,” said Pat Byrne, a retired Navy officer now with Hampton-based Threat Tec, which trains other agencies how to fend off cyberattacks. “We can’t fix people.”
But the regulations do include training requirements.
Much of protecting yourself from cyber threats is common sense: Watch what you click or ensure your less-than-secure internet-connected devices don’t connect to a secure network. When logging into accounts, enabling two-factor authentication is an easy defense, he said.
As for the new regulations, Byrne doesn’t think they’re all that difficult to follow:
“Is it enough? It’s probably never enough.”
©2017 The Virginian-Pilot (Norfolk, Va.)
Distributed by Tribune Content Agency, LLC.