WASHINGTON — When the Pentagon awarded the contract for the Long Range Strike-Bomber (LRS-B) program on Oct. 27, it declined to list key details, including which subcontractors would support prime contractor Northrop Grumman.
At the time, Lt. Gen. Arnold Bunch, Air Force military acquisition head, said those details were being kept quiet “due to classification and enhanced security.”
Now, the Defense Department's top acquisition official is warning that such heavy classification may become the norm.
In an exclusive television interview with Defense News with Vago Muradian, Kendall said that “in general, the department is moving toward a posture which tries harder to protect our information,” one which will feature less public information – and could eventually see more programs designated as classified.
The justification? The threat of data being stolen by near-peer competitors, who can quickly turn it around and use it against the US.
“The more information we put in the adversary’s hand about who to target with those attacks and what to go after, the more effective those attacks can be, so we’re highly motivated right now to protect our information and protect whatever lead we may have over competitors,” Kendall said.
Examples of foreign nations hacking into US industry and stealing technology are easy to find, with perhaps the most notorious being a 2011 breach of Lockheed Martin’s data. In the intervening years, China has rolled out its JF-31, a clear copy of the F-35 joint strike fighter on which Lockheed is the prime contractor; it has also put forth a copy of Lockheed’s offering on the Air Force's Three Dimensional Expeditionary Long-Range Radar (3DELRR) program.
The Pentagon has already taken steps to increase security among its industrial partners, but those have been slow to develop and implement – and there is no proof they ultimately make a difference.
“If those sorts of steps aren’t effective we’re going to have to do something even more severe to protect that information,” Kendall warned.
Asked for an example, Kendall was direct: “Make more things classified.”
After the interview, Kendall insisted that “I’m not talking about any major change in policy anytime soon” regarding increased classification. But he pointed to the issue of subcontractors, in particular, as one where the building is concerned about vulnerabilities.
“It depends on what they’re building for us, and it depends on the information associated with that, that flows back and forth,” Kendall said. “People use modern design tools and they link them together, then that database is basically accessible from lots of different locations.”
Would It Work?
A trio of analysts agreed that the Pentagon has its heart in the right place, but questioned whether adding more classification to programs would really increase security.
Ben FitzGerald of the Center for a New American Security said it’s questionable if hiding subcontractors or program details would really stop a hacking attempt.
“I’ve no reason to doubt the sincerity of the argument. I’m just not sure that it’s the right security posture for the 21st century,” FitzGerald said. “In the past we could just classify things and no one would know. Now it just adds a veneer of security.”
Rebecca Grant, a former Air Force official now president of IRIS Research, agrees that making more programs classified won’t help much with this issue, while adding a fiscal burden.
“We’re trying to control costs,” she noted. “If you over-classify, how do you arrange to go to meetings? You suddenly impose classified facilities and expenses, and it could add costs to programs we’re trying to keep lean.”
Adds Stephen Bryen, who led the Pentagon's technology policy efforts during the Reagan administration, “that’s a huge problem, because then you have to have only cleared people working on it. And that’s an issue.
“It's very time consuming to get people cleared, and industrially it’s very difficult,” he added. “The other side of the problem is when you do that the users of the equipment have to have security clearances. So it creates a kind of bureaucratic nightmare under the current rules.”
Increasing the security challenge, FitzGerald notes, is that the limited number of industry partners means a limited number of targets for another nation to go after.
LRS-B serves as a good example. The Pentagon has not disclosed the engine manufacturer, ostensibly for security reasons. However, there are only three military engine manufacturers in the US – GE Aviation, Rolls-Royce and Pratt & Whitney.
Defense News has confirmed GE Aviation is not providing the engines, while Rolls is unlikely due to being a UK company. That leaves Pratt as the likely subcontractor. But because of the limited number of manufacturers, a hacker could simply cast a wide net and go after the limited engine supply pool in the US, targeting all three.
“It doesn’t add any level of security, and one would hope that these companies have far more effective security measures in place than putting your index finger to your lip and saying ‘Don’t tell,’” Grant said, before raising a larger concern.
“Where do we start to draw the line on this? How do you start to walk that back? Can firms not even say they’re in the defense business? It becomes more and more absurd,” she said. “DoD deciding not to name a couple subcontractors is not sufficient to protect these design processes. So I think it’s a little bit off the mark. And I think it starts a bad trend.”