The views expressed by contributors are their own and not the view of The Hill

How legislators can prevent Ukraine-level cyberattacks


Before Russia physically invaded Ukraine, it fired something of a warning shot. Cyberattacks targeting Ukraine’s Ministry of Defense and banks were attributed to the Russians and put the world on notice that cyber warfare can quickly escalate.

The attacks put the spotlight on how ill-suited the United States is to deal with an onslaught of cyberattacks on areas like critical infrastructure or the Defense Industrial Base (DIB), the commercial defense contractors that make up the supply chains supporting the warfighters.

According to a recent audit of military information performed by the Department of Defense (DOD) Inspector General, “Without a framework for assessing cybersecurity requirements for existing contractors, the cybersecurity issues identified in this report could remain undetected on DOD contractor networks and systems, increasing the risk of malicious actors targeting vulnerable contractor networks and systems and stealing information related to the development and advancement of DOD technologies.”

Lawmakers have done most of the hard work already. The standards have been defined and made into law. 

Enforcement is the missing piece.

With a few pen strokes, legislators could incentivize contractors within the DIB to meet their compliance standards so that the U.S. is in a better position to withstand potential cyberattacks. Simply enforcing the existing requirements for defense contractors would spark a transformation in cybersecurity for an enormous part of the U.S. economy.

Enforcing mandatory minimum levels of cybersecurity for federal contractors who win government contracts is a rational quid pro quo.

Resistance to long-standing requirements

The National Defense Industrial Association (NDIA), a member organization representing contractors in the DIB, wrote a letter to lawmakers last June citing the cost of cybersecurity controls being unreasonably high for small businesses to handle. The letter ignored that the law mandating roughly 85 percent of the required controls, DFARS Clause 252.204-7012, was implemented way back in 2017 and has largely been ignored by the DIB. 

Three months later, NDIA joined two other large industry associations, Professional Services Council (PSC) and Information Technology Industry Council (ITI), in a joint letter that again bemoaned the cost of compliance and cited concerns about individual requirements. 

Lobbying against a regulation that has been standing for nearly five years presents a worrisome issue that is now a matter of national security: Industry trade associations are excited about the revenue of defense contractors, but don’t want to pay for the cybersecurity that goes with them.

This is like arguing with a police officer during a traffic stop about whether the stop sign you just ran through should really be there. The time for debate has long since passed — and trying to resist now is just an egregious dereliction of cybersecurity at a time when the threat landscape is more dangerous than ever.

It doesn’t take too much of a leap of faith to make the connection between non-compliance and a breach when you see the scale of sensitive information being stolen from the nation’s supply chain. For a tangible example of how quickly a supply chain can be disrupted, look no further than the world’s largest automaker, Toyota, which recently halted production after an attack on a supplier of plastic parts and electronic components. Now imagine how many suppliers contribute to the manufacturing process of an aircraft like the F-35 and the potential for supply chain disruption.

Fast-tracked impact

World events are outpacing policy. Even when SolarWinds was hacked in 2020, another attack that was linked to the Russians, no meaningful response came despite the president of Microsoft calling it the “largest and most sophisticated attack the world has ever seen.”

We need a legislative moment to galvanize the DIB to action and unify the country at a time when it isn’t positioned well to withstand large-scale cyberattacks.

We already know what needs to be done: By enforcing the cybersecurity minimums that industry trade organizations have resisted, the U.S. can gain advantages by the time a large-scale nation-state attack strikes home.

The solution needs to come quickly, and we have seen that the United States government, divided as it may be, can move quickly when necessary. The FDA fast-tracking treatments for COVID-19 and fast-moving results to aid Ukraine as it combats the Russian invasion are two recent examples. For the sake of our national security let’s make the cybersecurity of our defense industrial base the shining example of what the government can do when compelled to act. 

With a few signatures we can address vulnerabilities that the DOD, FBI, CISA and every other authority on the subject agree leave us vulnerable to attack. Lawmakers should incentivize the DIB to meet existing cybersecurity standards and elevate the government to the defensive position we’ve long needed. 

Eric Noonan is CEO of CyberSheath.