Industry: Act Now To Secure the Solutions You Offer the Military
The U.S. Department of Defense is equipped with new authorities and tools to better secure its supply chain. The task is large and daunting, but vital, officials said. And while the department is at the beginning of some of its efforts, industry needs to act now to secure its products and solutions, including software and hardware.
“And this is not just traditional information technology (IT),” said David McKeown, senior information security officer and deputy chief information officer for cybersecurity, in the Chief Information Office (CIO), U.S. Department of Defense, speaking at the inaugural AFCEA International TechNet Emergence conference on March 11.
“This is also weapons systems and critical infrastructure. We need to know where these products come from,” McKeown stated. “We need to know how secure the developers were when they developed the code. Are they doing it out in the open internet on GitHub, where everybody can see the code and then learn how to attack it or do they have a secure development environment where they're keeping that code away from the adversaries.”
The Defense Department has authorities, codified under 10 U.S. Code § 3252, to mitigate supply chain risks, including removal of weak and risky industry products from its operating environments.
“We are exploring how we use intelligence… about adversarial relationships with some of the vendors out there,” the deputy CIO for cybersecurity shared. “We leverage that a lot to make decisions about whether we should remove products from our networks or remove them from our acquisition pipeline purchase lists. And we need to do more of that.”
The office is a member of the Federal Acquisition Security Council and contributes to the decision-making and voting on what industry products should be removed from purchase lists based on supply chain risks.
Already, the CIO is adopting many tools that help it examine provenance and supply chain risk. McKeown would like to see more of these types of tools developed and for the department to use them more frequently, not only at the point of initial purchase of industry products but also continuously, verifying and monitoring the security of a company or its solutions over time. “[It is] to make sure something didn't change, that some new business relationship didn't pop up overnight, or if the code has made its way to Russia or China. We need to look at all of those things,” he explained.
Companies should also participate in the military’s Iron Bank development, security and operations (DevSecOps) environment, suggested Zachary Burke, senior DevSecOps engineer, VTG, and the former director of Iron Bank. Pointing industry to the platform’s website, IronBank.DSO.mil, Burke noted that companies have many incentives to perform their software development on Iron Bank. It is a great way for companies to do business with the DoD and improve their cybersecurity posture.
The department is even able to employ international software companies through the use of Iron Bank, giving the U.S. military even more industry choices, but in a secure way.
“The perfect example of that is our partnership with Collaboard and the U.S. Navy,” he explained.
Iron Bank worked with the Swiss company to answer the Navy’s need for a digital whiteboarding solution. While there are many companies with digital whiteboarding solutions, some have questionable relationships with other governments, Burke said. Other capabilities are only available as software as a service. The Navy needed an on-premises solution for mission planning and scheduling of sailors’ shipboard activities.
“We found the Swiss company made exactly what we needed,” he continued. “It's a little difficult to consume foreign software inside of the DOD, and so, we adopted this as a kind of a challenge for the Iron Bank and the Navy to be able to build a new accreditation process for consuming foreign software and running them in Navy environments.”
The company onboarded its software/containers into the Iron Bank and scored at some of the highest levels of containerization security that the organization had ever seen. “Which was amazing to see,” Burke noted. “And as soon as the Iron Bank cyber engineer started giving them advice about how to improve, they immediately started making those changes to their software to improve their score.”
Burke holds up this example as proof that the theory is correct: participating in Iron Bank, and the community engagement that public-private partnerships bring, are effective.
“And we have data to prove that participating is not just the gateway for you to do business with the government, but it is a way for you to get solid cybersecurity advice and make those changes to your applications to improve the security postures, not just for your DoD clients but for your other commercial clients,” Burke said.
Moreover, the officials are steering industry away from proprietary solutions that cannot be verified, preferring open-source software created through DevSecOps practices.
“The [product] is packaged up in a proprietary deliverable,” he said. “But if you open-source that deliverable, and let us take advantage of the pieces we want and leave the pieces we don’t want, I think that is really what the future is going to look like. Go open source.”
In addition, the CIO’s office has created a Risk Management Framework (RMF) control set that it is now pushing out to the department. The officials also released capability planning guidance to the force, in which the DoD CIO can specify where organizations need to start spending money from a cybersecurity perspective. “We've got lots of supply chain items in there,” McKeown shared. “And each of the services and agencies need to stand up their own team that looks at supply chain risk management. We're seeing a lot of progress there.”
“The story that needs to be told is that doing all of this upfront will save you a lot of time and effort and pain later on,” McKeown advised industry regarding securing its products.