Can a Proposed Voluntary Cyber Protection Program Save CUI in the Supply Chain?
All hands man your battle stations! Foreign advanced persistent threat (“APT”) cyber actors incoming! The defense industrial base (“DIB”) is under attack. Defenses have been successfully warding off these attacks for years – just like Wildcat squadrons provided a fighter umbrella that shielded carriers from dive bombers and torpedo bombers during WW2. Attackers who face stiff defenses at primary targets encounter no such umbrella of fighter cover once valuable controlled unclassified information (“CUI”) lands on networks further down the DIB supply chain. These attacks on the vulnerable supply chain are contributing to the “erosion” of the DIB and put future military operations at risk. This development has not gone unnoticed at DOD. Yet new regulations – expensive, complicated, and requiring expertise – have not yet been shown to sufficiently address cyber vulnerabilities down the DIB supply chain. In July 2020, the RAND Corporation proposed a comprehensive solution to bring small DIB participants down the supply chain into the fold at little to no cost to these small businesses – a voluntary DIB Cyber Protection Program (“DCP2”). Cybersecurity is only as strong as the weakest member of the DIB supply chain. These weak links can be reinforced by providing tools and expertise down the DIB supply chain through the DCP2.
The current regulatory environment for protecting controlled unclassified information on DIB networks is based on Defense Acquisition Regulation Supplement (“DFARS”) 252.204-7012 and National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171. According to the RAND report, these regulations are not successfully protecting CUI on DIB networks and are insufficient. The NIST standards are self-certifying requirements. A new regulation – currently in notice and comment – called the Cybersecurity Maturity Model Certification (“CMMC”) builds upon the NIST standards while adding third-party certification of compliance (the RAND report believes that CMMC is unaffordable for small and medium-sized businesses). Current regulations also assume that CUI always flows down from prime contractors and rely on prime contractors controlling access to their CUI down the supply chain. This completely ignores the existence of CUI at all levels of the supply chain – and the fact that companies at lower levels of the supply chain do not have sufficient expertise or resources to protect their CUI from APTs.
In order to protect CUI from APTs, RAND proposes a voluntary DIB Cyber Protection Program (“DCP2”) through which DOD provides cybersecurity tools at little to no cost to small and medium-sized businesses in the DIB. The goals of the program are (1) real-time monitoring of DIB networks through information sharing across the DIB supply chain, (2) cybersecurity protections for firms that do not independently have the resources to adequately protect CUI, (3) data protection that prevents disclosure of CUI across the DIB supply chain, and (4) legal protection for members of the DIB supply chain who share information that is later used in “unanticipated” ways. In exchange for DOD-provided tools, members of the DIB supply chain will agree to feed real-time sanitized network data to a security operations center (“SOC”) devoted to defending the DIB.
The SOC can be run either directly by DOD or by a “trusted third party.” Utilizing a trusted third party reduces the probability of privately owned company data being sent to the DOD, and it reduces the legal concerns of intellectual-property-conscious members of the DIB supply chain by separating DIB networks from direct contact with the DOD. At the same time, a SOC run by a trusted third party would still be funded by the DOD and is expected to be more expensive. A SOC operated by the DOD could utilize a centralized DOD cloud that would allow members of the DIB supply chain to move CUI off premises and into a secure cloud. Although RAND does not mention this, the JEDI program – which is creating a secure cloud for DOD – could provide the backend for a centralized DIB cloud.
The SOC would serve as a central repository of real-time sanitized data from DIB networks. It would be responsible for providing dynamic cyber intelligence, disseminating security alerts, and recommending courses of action to identify and counter attacks from APTs. Sanitized data fed to the SOC would include metadata, security alerts, and anonymized log files. Software to sanitize data would be provided to program participants at no cost.
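To make concrete what “sanitized” log data could look like before it leaves a participant’s network, here is an added example (not code from the RAND report or any DCP2 tooling). It assumes a simple key=value log format, a participant-held HMAC key, and a design choice that RFC 1918 addresses, hostnames and usernames are pseudonymized while external IPs, timestamps and alert names are kept so the SOC can still correlate events across participants:

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed sample log lines from a participant's own network (not real data).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z host=eng-ws-07 user=jsmith src=10.1.4.22 dst=203.0.113.45 alert=C2Beacon",
    "2024-05-01T10:00:05Z host=fileserver01 user=svc_backup src=10.1.4.22 dst=10.1.9.3 alert=LateralMovement",
]

# Address space treated as the participant's own (RFC 1918). Everything else is assumed
# external and kept in the clear so the SOC can correlate adversary infrastructure
# across participants. This split is an assumption of the example, not a DCP2 rule.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
KV_RE = re.compile(r"\b(host|user)=(\S+)")


def pseudonym(value: str, key: bytes, width: int = 12) -> str:
    """Keyed, deterministic pseudonym: the same value always maps to the same token,
    so the SOC can still link events, but the mapping cannot be reversed or
    brute-forced without the participant-held key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:width]


def _mask_ip(match, key: bytes) -> str:
    raw = match.group(0)
    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:  # regex matched something that is not a valid address
        return raw
    return "ip-" + pseudonym(raw, key) if any(ip in net for net in INTERNAL_NETS) else raw


def sanitize_line(line: str, key: bytes) -> str:
    """Pseudonymize hostnames, usernames and internal IPs; keep timestamp, external IPs
    and the alert name, which are the parts the SOC needs for detection and correlation."""
    line = KV_RE.sub(lambda m: f"{m.group(1)}={pseudonym(m.group(2), key)}", line)
    return IP_RE.sub(lambda m: _mask_ip(m, key), line)


def sanitize_batch(lines, key: bytes):
    return [sanitize_line(line, key) for line in lines]


def field(line: str, name: str) -> str:
    """Return the value of the key=value field `name` from a log line ('' if absent)."""
    m = re.search(rf"\b{name}=(\S+)", line)
    return m.group(1) if m else ""


if __name__ == "__main__":
    demo_key = b"participant-secret-key"  # constructed; in practice a per-participant secret
    for out in sanitize_batch(SAMPLE_LOGS, demo_key):
        print(out)
```

Because the pseudonyms are keyed per participant, the SOC can see that both lines involve the same internal source host without learning which host it is, while the participant can still resolve a token back to a machine when an alert comes back.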
The DCP2 incentivizes participation and protects CUI. Firms – which otherwise could not afford a similar level of protection – gain the opportunity to protect their own CUI, while the DOD receives real-time insight into the state of the DIB supply chain. This proposal is meant to supplement, not replace, the CMMC. While the program would impose a significant cost on the DOD, RAND argues that it is necessary because the DOD is ultimately responsible for protecting the DIB supply chain from APTs. Small and medium-sized businesses do not have – and never will have – the resources to defend against dedicated, persistent attacks from competent nation-state actors. A partnership across public and private entities that provides the protection the DIB needs is the most effective solution to the problem.