Red Flag: Pentagon Contractors Get Two Year Extension on Data Protection Rule
In a worrying sign, Department of Defense contractors requested and won an almost two-year extension on new rules that would require them to protect sensitive information stored on their networks.
The U.S. government’s struggles to keep sensitive information out of the hands of hackers are well documented. But a report from Bloomberg suggests that the problems facing the government and military in securing that data are even deeper and more complex than was previously believed.
In an article on January 20, reporters Tony Capaccio and Chris Strohm noted that the Pentagon agreed to delay for almost two years a requirement that companies working with the Department of Defense document their ability to protect sensitive but unclassified information from cyber attacks.
The requirement, which was instituted as part of the Pentagon’s budget authorization in 2013, would affect around 10,000 companies. It would require Pentagon contractors to document that they and their suppliers have systems in place to protect sensitive information.
That requirement did not go over well with defense contractors, however. “We got feedback from industry that they did not think they could fully comply Day One,” Claire Grady, director of defense procurement and acquisition policy, told Bloomberg in an interview. Of particular concern was a requirement that contractors document a fully operating access-authentication system down to the subcontractor level. “We probably overestimated what the state of the industry was,” Grady told Bloomberg.
At the root of the issue are guidelines from the National Institute of Standards and Technology (NIST), finalized in June, for protecting controlled, unclassified information. Among other things, those requirements call for the use of multi-factor authentication technology to prevent account hijacking and takeovers. Bloomberg’s article noted that the two-factor authentication requirement was an obstacle to compliance. But the NIST rules also require a variety of other controls on information flows that are likely to be nettlesome for companies. Among other things, they call on organizations to control information posted or processed on publicly accessible information systems and – generally – to control the flow of controlled, unclassified information (CUI) in accordance with “approved authorizations” (aka “policies”).
Business groups, including the Chamber of Commerce, argue that – taken together – the new regulations are burdensome and expensive to implement. But while all the guidelines, taken together, may be overwhelming, it’s hard to argue that requirements like configuration management, strong authentication or brute force protections for connected systems are burdensome in 2016. While it might be understandable to grant extensions on a handful of particularly thorny requirements that would demand more time to adhere to, it’s hard to see how a two-year extension for Pentagon contractors and their suppliers will improve the security posture of the U.S. military any time soon.
The requirements embedded in the Defense Authorization Act of 2013 were a belated response to more than a decade of sustained and damaging cyber attacks on U.S. defense contractors. Security firms have documented the work of no fewer than 20 separate hacking groups affiliated with the People’s Liberation Army who have targeted U.S. government agencies, military branches and private sector contractors that do business with them. One group was dubbed “Putter Panda” because of its penchant for targeting golf-playing conference attendees in the initial stages of a sophisticated cyber attack.
While not intended as such, the requirements embedded in the Defense Authorization Act of 2013 serve as a kind of stress test: imposing requirements for basic protections on companies that would do business with the U.S. military and its contractors.
But if that’s the case, then the decision to give companies another two years to comply with the requirements suggests that Pentagon contractors are simply not up to the task (admittedly so). That, in turn, suggests that they have not learned the lesson of the last decade: that sophisticated cyber adversaries are targeting their employees and networks. Basic cyber protections around remote access to systems and networks, and protections for sensitive data as it moves within and outside of controlled network environments, are, in effect, table stakes in the 21st century’s equivalent of “The Great Game” – a global contest for power, influence and economic superiority.