Chinese J-20 fighter prototype, considered suspiciously similar to the American F-35 Joint Strike Fighter
PENTAGON: “I would rather not have to shove this down industry’s throat,” the director of the Protecting Critical Technology Task Force told me here. “I would rather this be a conversation than direction, but we’ve unfortunately seen over the years … if there’s no repercussions to not having security, there’s no incentive to have it.”
“We haven’t really held them to account. Our data that’s been exfiltrated by adversaries over decades, it’s really no harm, no foul,” Maj. Gen. Thomas Murphy told me. “I don’t blame them, [but] now we’re going to provide that incentive.”
“A company’s security or lack thereof has no bearing on whether we do business with them today,” he said. “It’s not something we hold as important as cost, schedule and performance.” That needs to change.
Murphy and his task force – less than 20 people – won’t personally sit in judgment on specific companies and programs. Nor will they write the list of the particular high-priority technologies to be protected: That’ll come from defense agencies, the armed services, and combatant commanders.
What the task force is doing is creating the structure to protect the listed technologies and to enforce the protections: the more sensitive the technology, the tighter the protection must be. That means developing new policies and processes that impose stricter top-down controls on program managers, defense contractors, and academic researchers receiving Defense Department funding.
“It’s not my decision to say, ‘you can’t do business,’” Murphy said. “We’re trying to make policy changes. We’re trying to elevate the importance of security in the requirements and acquisitions processes. That’s what this is about.”
The problem, I pointed out in our interview, is that the Pentagon has been pushing hard for years to simplify and streamline those same requirements and acquisitions processes. It’s trying to delegate authority to lower levels within the government bureaucracy and make it easier for private companies – especially innovative small firms and the civilian-focused tech sector – to do business with the Department of Defense. None of that is particularly compatible with stricter top-down controls on anything.
“I understand completely the need to overhaul our cumbersome acquisition process and use these OTAs [Other Transaction Authorities] and other fast-track rapid acquisition processes to get us equipment that isn’t outdated by the time it’s fielded,” he said. “We can’t continue to afford to spend billions of dollars on programs that are going to be compromised or vulnerable by the time they’re fielded, [either].”
“Depending on the criticality of that output, whatever it is you’re buying, I don’t want to go so fast that we sacrifice security,” he said.
Murphy’s task force is “absolutely involved” in undersecretary Ellen Lord’s ongoing rewrite of the massive DoDI 5000 acquisition regulation, he told me. He and his team are working closely with the undersecretaries for acquisition & sustainment (Lord), research & engineering (Mike Griffin), and intelligence (Joseph Kernan); Pentagon Chief Information Officer Dana Deasy; and the four armed services. “We are in lockstep every day,” he said.
The task force also reports directly to an executive committee composed not only of the relevant undersecretaries but, serving as co-chairs, the deputy Defense secretary (David Norquist) and the vice-chairman of the Joint Chiefs of Staff (Gen. John Hyten). That bypasses much of the usual laborious back-and-forth among middle managers.
“We don’t have the time to wait,” Murphy said. “This can’t be your typical bureaucratic process that this building is so good at.”
The Executive Committee also helps keep high-level attention on the problem – for now. Between the 24-hour news cycle, White House priorities, and Congress, it’s all too easy for senior officials to “get caught up in the problem of the day [and] put this on the back burner,” Murphy said. “The reason it doesn’t happen today is you have me and the task force screaming about it.”
But “task forces are supposed to be temporary,” he said. “Somewhere probably in the spring of ‘21 we’re going to shutter up the place…. When we go away, in a little over a year, we need to institutionalize what we’ve done so it doesn’t just go back to the old way of doing business, which was not working.”
While the new controls are still a work in progress, Maj. Gen. Murphy outlined three key elements in our conversation, covering the whole life cycle of technology from basic research to worldwide export:
Researchers receiving Defense Department funding – both US-born and foreign – would be vetted for “problematic foreign connections,” such as receiving foreign funding or being part of China’s international talent-recruitment program.
Companies bidding for DoD contracts would be evaluated for security – how well they protect their data – as well as cost, schedule and performance. Companies with low scores for security would be prohibited from working on high-security programs.
Companies would undergo stricter scrutiny for proposed mergers & acquisitions and proposed exports abroad, with increased potential for a DoD veto.
“We were told to use the authorities we already have and see if we could enhance those like CFIUS [the interagency Committee on Foreign Investment in the United States] and export controls,” he said, “[and] maybe block some mergers and acquisitions… Why steal the technology when you can purchase the company?”
The potential problem here is that many US companies – and Pentagon program managers – rely on international cooperation to get the best technology, raise capital, reduce costs, and generally keep firms healthy. Past restrictions have sometimes backfired against the US. Restrictions on the export of satellite technology and drones, for instance, hindered growth for American businesses and allowed European and Chinese companies to dominate international markets, strengthening foreign industries at the expense of ours.
“We want a strong industrial base, clearly, we want companies to flourish, we want our own small businesses to become larger businesses over time,” Murphy assured me. “We would love to have American-made products, clearly, but at the same time… over the past decades we have seen exfiltration of data through multiple means.”
“It comes down to this balance. I think there is a way to do both,” he told me. “Locking it down and blocking everything from export and waving the national security card is clearly not the answer – but for some critical technologies, it just might be the answer.”
No Security, No Contract
While the greater scrutiny on mergers, acquisitions, and exports will only affect some companies, the new security standards will affect everyone doing business with DoD.
“These protection measures that we’ll mandate are not just cyber security,” Murphy said. “It’s personnel security, physical security, [and more].”
“This isn’t just a China task force. It’s not just a cyber task force, either,” Murphy said. “It just so happens that China’s really good at it.”
“In the summer of ‘17… we were notified of a very large exfiltration of data from [multiple] companies in the defense industry base of a program we cared deeply about,” Murphy said, not naming the foreign country involved. After investigating, he went on, “we actually found out it had happened over a year-and-a-half earlier…. That loss led to the stand-up of the task force by Secretary Mattis in October 2018.”
“We really need to change the calculus and change culture so industry steps up to the plate and improves their cybersecurity,” he said. “They would self-attest they were compliant, [but] a recent audit [confirmed] their cybersecurity is not very good. Even some of the larger companies… they’re not meeting the terms of their contract.”
Now, instead of relying on companies’ self-assessments, the Defense Department has started dispatching inspection teams to check. In the near term, those teams are made up of DoD personnel, but as the effort ramps up, it will rely increasingly on third parties to determine what’s called Cybersecurity Maturity Model Certification (CMMC).
But, I said, compliance-driven security is deeply problematic. Companies complain the compliance assessment takes too long, while security experts lament the compliance standards don’t update fast enough to reflect evolving threats.
“I would go for compliance right now because that’s better than what we have,” Murphy replied. “I need something.”
There will be some nuance to the process: Companies won’t just get a pass-fail grade, but a score. Contracts will require all bidders to have a certain score or higher, based on the technology involved and where it ranks on the DoD-wide priority list.
“Being on the list is going to come with requirements for added protection. Everything will be protected at a minimum baseline level, but some things will require more,” Murphy said. “Everyone [in DoD] wants their thing on the list, and I would caution them[:] Be careful what you ask for.”
If someone wants to waive security requirements, “that waiver is going to come from the risk owner, which could be the Secretary of Defense or secretary of a service,” he added. “That is not a decision to be made by an O-6 program manager [i.e. a colonel]. We have pushed risk decisions too low.”
The bottom line: If your company’s score is lower than a contract requires, and top Pentagon leaders won’t waive the requirement, you can’t bid.
“That comes with some consternation: ‘That’s not fair!’” Murphy said. “I’m not here to be fair. This is about the erosion of the lethality of the joint force.”
“If our weapons systems don’t work the way they were intended, at a time and place of our choosing, that is an existential threat,” Murphy told me. “We throw around ‘existential’ all the time, [but] it doesn’t get much more existential for me…. If we were to go into conflict and our stuff doesn’t work because it’s compromised or vulnerable, that’s a problem. That’s a huge problem.”
Do you have any estimate of what the cost will be of the added security measures, I asked, to the Defense Department, the defense industry, or DoD-funded researchers? “No,” he said, “[but] the cost of not doing something is far greater.” (SYDNEY J. FREEDBERG JR).