National security demands tight cyber security

Wednesday, April 24, 2019

In a connected world, no government or company can perfectly protect all its data from hackers and rival states. Even so, it’s astonishing that, from January 2016 to February 2018, nearly 6 percent of U.S. military and aerospace contractors reported data breaches. Experts feel this is just the tip of the iceberg: The vast majority of security incidents are never uncovered. The Pentagon needs to tighten cyber security across its vast contracting operations and hold contractors responsible for breaches. If policy makers can contemplate jailing executives who lie about safeguarding personal data, then similarly harsh measures should be considered for those who put our national security at risk.

The contractor breaches have rarely been the kind of top-secret thefts that generate headlines. Most have involved so-called sensitive materials, sometimes the intellectual property of contracting companies. But even small leaks can give hostile nations a leg up on countering the Pentagon’s weapons of tomorrow.

The Defense Department has tried to prevent such fiascos and get contractors to “deliver uncompromised.” The department has periodically tightened minimum security standards for its contractors and is considering upping them again. The contractors argue that voluntary improvements would work better. But neither approach is likely to assure compliance across the board; the military-industrial base is too broad, with prime companies such as Lockheed Martin and Boeing assisted by numerous subcontractors.

Technically, companies whose security systems are repeatedly breached can already be fined or denied contracts. But Pentagon acquisitions officials have been loath to strip them of the incentive to help the national defense. In many cases the fines have been relatively painless, and when new contracts are awarded, past indiscretions have been overlooked.

Two particularly worrisome recent incidents were the theft by China of highly sensitive information on naval projects left on an unclassified network, and last year’s breach of private information on 30,000 Pentagon employees. (Sources outside the Pentagon have reported that the second incident involved Booz Allen Hamilton, the firm that employed Edward Snowden.) Perhaps most embarrassing was the 2016 theft of plans for the F-35 fighter — which will cost taxpayers $1.5 trillion over its lifespan. An Australian subcontractor on the project never changed its passwords from the defaults “admin” and “guest.”

These incidents show that things must change. The loss of sensitive materials — whether through gross negligence or intentional acts by rogue employees — should result in fines and punishments, whether or not the data involved are highly classified. Contractors should be held more responsible for the mistakes and failures of their subcontractors.

Breaches that compromise the U.S. military should result in loss of contracts, corporate fines and even criminal charges against managers and top executives. Contractors’ top executives should be required to acknowledge in writing that they are responsible for keeping government data safe — similar to how senior managers of corporations take responsibility for the accuracy of financial reports.

A Guest Editorial