At the end of this month, regulations will come into effect requiring defense contractors to implement “insider threat” detection and prevention programs, with the aim of stopping security breaches. Yet the approach the Pentagon is taking seems to favor its larger contractors, while potentially stifling innovation from smaller competitors and contributing to the problem it claims it will solve.
The new set of requirements “places a substantial cost burden on contractors, which may not all be reimbursable,” note the authors of a commentary on the regulations published at NationalDefenseMagazine.org. “Large companies are better able to undertake these costs and to spread them over a wider array of larger contracts. But many small businesses — those the government is trying to attract — will find that satisfying these requirements will strain their technical and personnel capabilities, and their budgets.”
“The unwelcome result may be a diminution in competition in the classified government contractor space, particularly from smaller, often more innovative entities. For the Defense Department, this means fewer opportunities to develop experimental and innovative solutions through smaller, new contractors and subcontractors, and less creativity in addressing problems.”
This is somewhat ironic, given that it was one of the Defense Department’s biggest contractors, Booz Allen Hamilton, that employed not only National Security Agency whistleblower Edward Snowden, but also the more recent NSA contractor-turned-security-risk Harold Thomas Martin, who was arrested in August. After its stock price dropped in October on that news, however, Booz Allen announced the hiring of former Federal Bureau of Investigation Director Robert Mueller to lead an audit of its security practices, and its stock has since recovered.
For smaller companies that can’t afford to hire an ex-FBI director as part of a public relations campaign, however, the new regulations present a formidable obstacle. The National Defense Magazine commentary continues:
In addition to cybersecurity required by contract and the agency that oversees the contractor’s facility clearance, contractors must now also develop and implement a system security plan. The SSP must include policies and procedures for the contractor to provide information security for the contractor’s information system and reduce the security risks to those systems. It must establish processes for planning, implementing, and evaluating remedial actions to address deficiencies in information systems’ security policies and procedures; and create procedures for detecting, reporting and responding to security incidents.
The SSP must mandate self-inspections of the contractor’s own performance, as well as provide draft formal reports of the inspection findings and written certifications that the contractor’s management has been briefed on the results of the self-inspection and corrective action has been taken to address any issues. Each certification must also include a statement that management “fully supports” the contractor’s security program. This self-inspection obligation is in addition to a requirement for annual testing of information systems security and auditing processes and procedures to detect cyber incidents.
The authors of the commentary also note that the new regulations could have unintended consequences, actually leading to increased vulnerability of sensitive information. They point out that “the requirement that a contractor report vulnerability of its personnel or its computer systems to a government agency may simply place sensitive information where it may be no more secure from outsider access than it was in the hands of the contractor, and it may be less secure.”
“Moreover,” they continue, “if the government collects all information about a suggested insider threat or the data that may be subject to a cyber threat and places it in its own imperfectly secured systems, that centralization may simply increase the possibility that the information will be improperly accessed. This may provide cyber threat actors with a much more lucrative target for attack by focusing on the data from numerous, threatened contractors stored in a single government site, making it unnecessary to attack numerous contractors’ individual systems.”
Similar concerns about the security of the Pentagon’s own systems and unintended consequences of its centralizing “insider threat” information were raised in comments submitted to the Defense Department by the Electronic Privacy Information Center in June.
The Defense Department may see its new “insider threat” regulations as an innovative approach to ensuring cybersecurity compliance from its contractors. To be sure, the DoD is doing what it does best. It only takes a slight shift in perspective, though, to see that as meaning that the Pentagon is simply creating more bureaucracy and red tape, favoring established industry players who don’t necessarily do the best job or do it the most efficiently, and taking the problem it aimed to solve and making it worse.