USAF Deputy CIO: Changing IT Acquisition Makes Contractors Responsible for Security

Matt Barry, chief operating officer of HP Federal, looks on as William Marion, the Air Force's deputy chief information officer, speaks at the 10th annual Billington CyberSecurity Summit, on Sept. 5, 2019, in Washington, D.C. Billington Summit courtesy photo by Nathan Mitchell.

As the Air Force starts to buy information technology services like any other commodity, the service’s contractors and vendors will be increasingly central to its cybersecurity, the service’s Deputy Chief Information Officer Bill Marion said Sept. 5.

“We have to flip the whole paradigm” of cybersecurity, moving from a view with the Air Force at the center, to one where the service’s vendors are doing the heavy lifting, he told the Billington CyberSecurity Summit in Washington, D.C.

The new paradigm implied that defense officials might need advance information about business moves by contractors, he said.

“Even forecasting mergers and acquisitions, right? Because … we don’t think far enough ahead. There’s been a lot of research about that,” he said.

Key to the new paradigm is the issue of how to incentivize Air Force suppliers to adopt the stringent cybersecurity standards needed to protect weapons systems from espionage and, worse, sabotage by adversary nations, Marion said.

“If you incentivize it right, industry will build it for us,” he said, but added that getting the positive incentives right was “the hardest part.”

“Right now, our biggest incentive is a stick,” he said, referring to efforts to enforce National Institute of Standards and Technology information security controls onto Pentagon contractors. “We all know that doesn’t work in the long term and it doesn’t actually encourage the right behavior from industry.”

As the Air Force moves towards an enterprise-IT-as-a-service model — buying computer networks the way it buys aviation fuel — the risks shift, Marion said. “We have to learn to think differently. The walled garden model of cybersecurity has gone away.”

Putting contractors at the center of Air Force cybersecurity also highlights the importance of securing the supply chain and underlines the importance of transparency, Marion said. “You have to have a partnership with industry, to have the financial discussions. To have the no-kidding, honest feedback about who their partners are.”

“You can’t get rid of supply chain risk, you just have to manage it,” he said.

But managing supply chain risk quickly gets difficult when you consider the number of suppliers and subcontractors on a big defense contract — and their own chain of suppliers and vendors, pointed out Matt Barry, chief operating officer of HP Federal. “Where I think we in industry are falling short is in managing risks in the 3rd- and 4th-order supply nodes,” he said.

Nonetheless, Barry said, “There’s an opportunity or sweet spot here.” Big vendors could leverage DOD supply chain security requirements to enforce transparency from their suppliers. “We need to be able to look up and down the [supply] chain and have some level of visibility to give us more confidence when we’re representing our extended supply chain, we are standing on solid ground.”

But that degree of visibility into cybersecurity of the supply chain creates a data set that could be used by attackers, pointed out Katie Arrington, a defense official who was recently appointed to the new post of chief information security officer for the assistant defense secretary for acquisition.

“These [data sets] become golden eggs,” that can be stolen by hackers, she said. “Who needs that visibility? Is it the intelligence community? Is it the program manager? These are questions we need to address.”