Friday, March 06, 2020

Pentagon push to boost cybersecurity could affect Canadian suppliers

CBC March 5, 2020


The Pentagon has been engaged in a quiet, deliberate effort to plug all of the cyber-holes in its high-tech systems and among its defence contractors — an operation that will soon spill across the border into Canada.

Ellen Lord, the U.S. undersecretary of defence for acquisition and sustainment, said today cybersecurity has been one of her biggest concerns since being appointed by the Trump administration two and a half years ago.

Increasingly, major defence contractors have found themselves targeted by hackers from China and Russia who have stolen troves of sensitive data on new and existing weapons systems.

"Bottom line is, I don't think the average American citizen understands that we're at cyberwar every day," Lord told the Conference of Defence Associations Institute's annual meeting in Ottawa today.

The burden of keeping data secure is being placed on the companies themselves, she added.

After consulting with the National Security Agency (NSA), the U.S. electronic spy service, and the military's Cyber Command, the Pentagon rolled out a new program in January aimed at forcing defence contractors to deal with points of vulnerability.

"We have written new cyber security standards that we are putting in all of our new contracts," said Lord. "We are looking at the defence industrial base and how they need to address cyber security and how we as a government can hold them accountable."

The initiative includes a cyber security "certification and accreditation" system, similar to that of the International Organization for Standardization.

Lord said it's not a one-size-fits-all solution and that companies looking to do business with the Pentagon will have to meet one of five levels of certification, depending upon the contract.

The defence industrial complexes of Canada, Britain and Australia are tightly stitched into the U.S. system. Lord said allies are looking at similar measures, which she hopes to see coordinated with American efforts.

"This is something we're talking with Canada about, with allies and partners, because a lot of us are doing the same thing," she said.

The problems with existing systems — software already in the field — are being dealt with aggressively. Contractors who are responsible for maintaining complex systems on warships and aircraft are being told by the Pentagon to close their potential security gaps.

"We are going to start shutting equipment down if they are not brought up to standard because every day we see [intelligence], we see how much has been compromised," Lord said.

Troy Crosby, head of the Canadian Department of National Defence's materiel branch, said Innovation, Science and Economic Development Canada has launched a "cyber secure program" and there's a hope that the two countries can find a way to align their efforts.

Some analysts and critics in the U.S. have argued that contractors — even those that make cyber security a priority — will find the cost of meeting uniform standards prohibitive.

Beyond that, many major contractors have complex supply chains with many smaller companies that also would be required to spend substantial sums of money to keep up with evolving threats.
