WASHINGTON ― Washington seems likely to take steps requiring the defense industrial base to better harden against cyberattacks, two veterans of the Cyberspace Solarium Commission said Wednesday.
Speaking at the C4ISRNET Conference, the commission’s executive director, Mark Montgomery, said he foresees that the panel’s recommendations that the Pentagon make cyber intelligence sharing and threat-hunting capabilities mandatory for suppliers will “kick into effect.”
“There’s [recommended] language in legislation that allows the [defense] secretary once he’s had a successful report to start taking action on both the threat hunting and information sharing, so I’m excited to see that happen,” Montgomery said.
Congress, in its 2021 defense authorization law, required reports into the feasibility of those requirements. Erica Borghard, a former task force leader with the commission, also told conference-goers she was looking to the reports to tee up further action.
The comments came as the Biden administration responds to Russia’s recent SolarWinds breach, a sprawling, months-long cyberespionage effort that reportedly struck nine federal agencies, along with dozens of private-sector companies.
Earlier this month, the Government Accountability Office reported that the Pentagon had improved cybersecurity for weapons platforms but still struggled to outline cybersecurity requirements in contracts for weapon systems.
“The reality is DoD does impose a lot of requirements on the [defense industrial base] as part of the terms of their contracts,” Borghard said, “and I think that I’m optimistic that we can craft a way of improving public-private collaboration for this particularly unique relationship, in a way that takes into account the concerns of private actors, as well as the government.”
Acknowledging that some companies have been reticent to share data with the government, Borghard said the congressional reporting requirement asked what incentives and liability protections might satisfy the private sector.
Borghard said the intelligence sharing recommendation is meant to build on existing voluntary efforts.
“There are mandatory incident reporting requirements, but what we were envisioning was more of a comprehensive threat intelligence program to really get a complete and holistic understanding of the threat environment and threats to the DIB, given that adversaries target across verticals in industry,” she said.
The commission saw the threat-hunting capability required by the DoD’s Cybersecurity Maturity Model Certification, or CMMC, as insufficient and believed there should be some threat hunting and mitigation capabilities across the defense industrial base. The commission was indifferent about whether the capability should come from companies themselves, the government or third parties, Borghard said.