In the wake of reports that China hacked a Navy contractor for sensitive data on submarine warfare, Pentagon officials said they want to build better security into the military’s acquisitions process to better protect the defense industry from Beijing’s tampering.
But it’s unclear whether the defense industry has bought into the nascent effort.
“It is not really sufficient to only consider cost, schedule and satisfaction when acquiring defense capabilities,” Deputy Under Secretary of Defense for Intelligence Kari Bingen told lawmakers Thursday.
“We must establish security as a fourth pillar in defense acquisition as well as create incentives for industry to embrace security, not as a cost burden, but as a major element in their competitiveness for U.S. government business.”
The Washington Post reported June 8 that Chinese government hackers had compromised the computers of the Navy contractor, stealing massive amounts of highly sensitive data connected with undersea warfare, including secret promises to produce a supersonic anti-ship missile for use on U.S. submarines by 2020.
On Thursday, Bingen and other Pentagon officials testified before the House Armed Services Committee on the broader problem: China’s sweeping efforts to transfer U.S. military technology, which include targeted commercial investments, predatory trade practices and illegal intellectual property theft, all geared towards eroding America’s military edge.
“The Chinese theft of technology and intellectual property, through the exfiltration of the work of others, is not unlike the Chinese construction of islands to encroach upon the geographic domains of international waters or those of other sovereign nations,” said Under Secretary of Defense for Research and Engineering Michael Griffin.
“It circumvents the autonomy of nations in a departure from your rules-based global order. It is adversarial behavior and its perpetrator must be treated as such.”
The officials highlighted a four-pronged effort at the Pentagon, including a new program called “Deliver Uncompromised,” to protect the parts used in American military hardware, such as microelectronics.
“We will need to have confidence that the market is delivering capabilities, technologies and weapon systems which can be uncompromised by our adversaries, secure from cradle to grave,” Bingen said.
The panel’s ranking member, Rep. Adam Smith, D-Wash., ripped the administration for lacking an industrial-base policy and for the military’s cybersecurity efforts.
“We had a briefing yesterday on the cyber breach, and yes, it was shocking how disorganized, unprepared and, to be honest, utterly clueless the branch of the military was that had been breached,” Smith said.
“Even in this time period, we still have not identified how to build a cyber policy to safeguard our assets. In particular, with the defense contractors, who we use, who store our data, but don’t have adequate protection. But even inside DoD, we don’t have a very clear, cohesive policy to put in place.”
He voiced support for a proposal in the Senate-passed defense policy bill that could expand the Committee on Foreign Investment in the United States, which is tasked with reviewing foreign takeovers of U.S. companies for national security concerns. The measure is not in the House bill; lawmakers will work to reconcile the two bills come early July.
As the Pentagon discussed its four-pronged strategy, lawmakers’ questions revealed possible friction points, for example how to mandate stiffer security without burdening smaller military contractors. Bingen acknowledged the problem, but said the effort was too new to have solved it.
Bingen did suggest that industrial security procedures are largely one-size-fits-all, what she called “checklist-based.” But the goal is for the program to be “risk-based, informed by the threat and also the department’s technology protection priorities,” though she acknowledged that could trigger pushback from some companies.
“They have become, according to DoD’s critical technologies list, starting these businesses to look more holistically,” she said. “It’s probably going to get more uncomfortable for industry, but we need them as a partner to accomplish this if they’re going to become capable of delivering uncompromised.”
Under Secretary of Defense for Intelligence Joseph Kernan has directed the Defense Security Service to create a program to better protect its “controlled unclassified data,” which “in aggregation is as damaging as a breach of classified information,” Bingen said. That could cover technical or personal data.
Asked about the breach reported by The Washington Post, House Armed Services Committee Chairman Mac Thornberry, R-Texas, told reporters afterward he was less focused on the single incident than the threat overall.
“The key factor I took away from this hearing was not to look at any one incident we learn about but to take a look at the broad pattern of activity. That’s the real concern for national security,” he explained.
“We’re not likely to pass a bill to solve all this, but good heavens, we have a large amount of catching up to do because we have not updated our laws to reflect modifications in world circumstances or even the alteration in technology, primarily cyber.”
During the hearing, Washington Democrat Rep. Rick Larsen, a member of the subpanel on emerging threats, offered a harsher assessment of the government’s response so far, particularly America’s contradictory and seemingly disorganized trade policies in Asia.
“On the controversy about ‘whole-of-government approach,’ I’m concerned you toss the phrase around like it’s candy in a parade,” Larsen said, adding ruefully: “If only we had a National Security Council mechanism to create a whole-of-government approach that’s used by the White House, only then do we probably have one.”