Defense industrial base cyber program adds a key partner

The Department of Defense's initiative to spot threats targeting the defense contracting base will get a data infusion with the announcement that Symantec will be joining the Defense Industrial Base Cybersecurity Program.

The  voluntary public-private information-sharing program facilitates better situational awareness about IT security threats to unclassified contractor networks and information systems and provides participants with classified and unclassified information as well as best practices around information assurance.

The addition of Symantec, which already has a robust threat intelligence network in place, could help bolster the quality and sophistication of the information that flows through the program. Symantec claims data for its Global Intelligence Network is culled from 175 million protected endpoints and 123 million attack sensors that collect cyber threat telemetry vectors worldwide.

In order to qualify for the DOD program, a company must be a cleared contractor with the ability to view and handle classified information at the Secret level or higher. 

The program is just one of a growing number of tools addressing cybersecurity gaps in the defense contractor space. Military leaders have become increasingly concerned about the impact of compromised hardware or software on weapons and information systems, whether through bugs and other software vulnerabilities or sabotage in the technology supply chain. In both areas, contractors have come under increasing scrutiny as a potential avenue for nation-states to exploit.

Growing awareness of threats along with concerns that elements of the defense contracting base are weak links in the government's cybersecurity supply chain, has led DOD officials and policymakers in Congress to experiment with a range of potential solutions.

A Senate Armed Services Committee hearing on cybersecurity threats to the defense industrial base last month drew exasperated responses from a number of senators frustrated that the U.S. was seemingly prioritizing contractor profits and convenience over national security. Ranking member Joe Manchin (D-W.Va.) said, "We've got to be the stupidest people in the world to let this happen," and suggested that the committee and Congress may need to update federal contracting and procurement rules.

Recently, Secretary of the Navy Richard Spencer told the House Armed Services Committee that tightening up contractor security practices was one of the branch's top priorities in 2020. He urged lawmakers to pass legislation that would add a new assistant secretary for cybersecurity position that would focus on the defense industrial base.

Earlier this year, DOD CIO Dana Deasy floated the possibility that the department could move away from the current model of contractors self-certifying their compliance with National Institute of Standards and Technology cybersecurity guidelines and instead empower a third-party organization leveraging machine learning to examine and audit contractors' security posture.

This article was first posted to FCW, a sibling site to Defense Systems.