Pentagon lays out strategy to improve defense industrial base cybersecurity

The Pentagon on Thursday released its first ever cybersecurity strategy to better protect its massive industrial base from hackers.

"As our adversaries continuously seek information about U.S. capabilities, the Department, in coordination with the DIB [defense industrial base], must remain resilient against these attacks and succeed through teamwork to defend the Nation,” Deputy Defense Secretary Kathleen Hicks said in a statement accompanying the release of the Defense Industrial Base Cybersecurity Strategy.

The document will act as the roadmap to enhance the cybersecurity and resiliency of the supply chain, which is composed of hundreds of thousands of entities that contract directly with the Pentagon and its various components.

The strategy, which covers fiscal years 2024 through 2027, lays out four topline goals, such as improving best practices within the industrial base. Each goal, in turn, contains a subset of objectives, such as being able to recover from a cyberattack.

The department’s Cybersecurity Maturity Model certification program — its long-running bid to raise cybersecurity standards among contractors — is a component of the strategy to ensure compliance and resilience among vendors.

Defense officials have long worried about the digital vulnerabilities of firms that make up the department’s supply chain, which is considered critical infrastructure and has been rocked by several major breaches over the years. 

Perhaps the most infamous incidents occurred in 2009 when suspected Chinese hackers broke into one of the companies working on the F-35 Joint Strike Fighter, the most expensive weapons system in U.S. history, and stole design data.

The danger posed by malicious actors remains constant, according to David McKeown, the Pentagon’s deputy chief information officer for cybersecurity.

“In this day and age, especially in the United States of America, everybody should believe the power of the hacker,” he said during a press briefing. “It’s been proven out numerous times.”

He said officials are “still seeing intrusions taking place” which are tracked “pretty heavily.”

McKeown told reporters he doesn’t have a metric that says whether the number of breaches is up, down or level.

Such trends can vary “based on one product having a vulnerability that the bad guys find out about. There will be a feeding frenzy sometimes just because if you do not get to that thing and patch it quickly enough, they can hit multiple companies because they're constantly scanning for vulnerabilities and looking for a way in.”

He said officials would now work on fleshing out an implementation for the strategy the entities within the DIB can follow.