A More Cyber-Conscious Supply Chain Management
The Army is strengthening its cybersecurity posture through a system of systems look.
It goes without saying that technology plays a key role in military operations. The concern nowadays, however, is if technology is appropriately hardened from a cybersecurity standpoint. For the Army, this means taking a close look at supply chain management, according to one Army leader.
The government has to be a savvy consumer amid a risky cybersecurity atmosphere. And companies need to be able to back up the products that they are offering the government, Col. Bryan Stephens, USA, director, Cyber Focal, Army System of Systems Engineering and Integration, told SIGNAL Magazine in a recent interview.
Col. Stephens, who also appeared as panel chair of the AFCEA Aberdeen’s third annual C4ISR Cyber Panel event on Wednesday, explained to the group that the service is currently examining its existing major weapon systems for any cyber vulnerabilities. At the same time, it is calling on the industry to be sure of the cybersecurity posture of products that are meant to defend the homeland. He emphasized the need for improved supply chain risk management.
“Cybersecurity is impacting all facets of the area [of supply chain risk management], from chip production to physical interdiction of products, to software code injection, to weaknesses in knowledge,” Col. Stephens said. “All of these things are shaping the supply chain and have input to the supply chain, and that is before we even receive [a product]. There is a whole risk associated with managing a product line after that, sustaining it and delivering software updates. It means ensuring that the system delivered at the end was what we intended to deliver at the beginning.”
He warned that companies who are investing time, energy, money and resources to build relationships with the government “need to do their homework and make sure that they have built a product and relationship that they are very comfortable with and are confident in, that they own it and that the code is secure. They need to understand the business relationships that went in to build it.”
Col. Stephens added, “I’m basically saying don’t use Kaspersky.” He was referring to the cybersecurity risks to the U.S. government presented by the use of Kaspersky Lab products. Last September, the Department of Homeland Security banned federal agencies from using information security products and services supplied either directly or indirectly from the Moscow, Russia-based company, given the security risks of the company’s software, which could be exploited by malicious cyber actors. “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems, directly implicates U.S. national security,” DHS announced at the time
As such, Col. Stephens called on the industry to make sure that they are bringing cybersecurity-viable commercial products for homeland defense. He stressed that those companies coming forward need to be ready and able to stand behind their products and services from a cybersecurity stand point.
“Kaspersky has gone to the court system to try to resolve this,” he said. “But the reality of it is that minimally it is a short-term big pain that the industry would have to work with, and no one is a winner in it.”
In addition, the Army has been focusing on finding cybersecurity vulnerabilities in weapons that they already have. As dictated by the National Defense Authorization Act for fiscal year 2016, the Department of Defense has to evaluate all major weapon systems for any vulnerabilities by the end of 2019. The Army is in the process of examining the cyber posture of 24 major weapon systems.
Col. Stephens reports that the Army started with the most difficult evaluations first, and that they were taking a “systems of systems” perspective. “The Army’s approach has never been about a weapon system,” he explained. “We didn’t just go, okay, the Apache, let’s take a look at the Apache. We understand that it is a system of systems approach. There are lots of accouterments and touch points and other things in the supply process, and those weapons work with other systems and receive and export data to other systems.
To the colonel, the process has created a sense of urgency and renewed attention on cyber vulnerabilities. “The Army is out executing the requirements that Congress laid upon us,” he stated. “We have a process that we go through and we’ve learned a lot along the way. We’ve certainly identified some vulnerabilities, but more importantly, we’ve reinforced knowledge of the vulnerabilities.” He added that having the weapon operators involved in the cyber vulnerability vetting process was crucial.
The Army is currently evaluating a lot of the command, control, communications, computers intelligence, surveillance and reconnaissance (C4ISR) systems, Col. Stephens shared. Some of these systems were considered in the Army’s network integration evaluation (NIE) process already. “What we have done to date with these C4ISR systems is really setting us up for success [for the rest of 1647 review process].”
For future technologies, the Army is instituting a separate cybersecurity risk evaluation process, he said.