Contractor networks pose security risk, Defense official says

The Defense Department and intelligence agencies are developing stricter information security standards to reduce the risks, which include offshoring and acquisitions of American IT firms by foreign companies.

Information technology contractors pose a major security risk by not locking down their networks properly, according to the Defense Department's top IT official. That threat, along with the risks associated with offshoring and with acquisitions of American IT firms by foreign companies, is driving defense and intelligence agency initiatives to develop stricter information security standards.

Contractors managed 1,353 systems on behalf of federal agencies in fiscal 2007, according to an Office of Management and Budget fiscal 2007 report on the implementation of the 2002 Federal Information Security Management Act, submitted to Congress in late February. Fewer than half of the 25 major agencies said they "almost always" ensured that information systems used or operated by a contractor met the requirements of FISMA, OMB policy, and guidelines set by the National Institute of Standards and Technology.

Lack of oversight, combined with contractors' failure to secure their networks, puts sensitive government information at risk, said John Grimes, Defense chief information officer and assistant secretary for networks and information integration, during a panel discussion Tuesday at the Information Processing Interagency Conference in Orlando, Fla.

"We have a propensity to talk about the infrastructure, but we have to remember why we're here -- to protect the data," he said. "There's 'exfiltration' of sensitive data from contractors, [which is] a big issue for national security."

Smaller companies often present a bigger risk because they are less accustomed than large systems integrators to handling the sensitive or classified information that flows through their networks.

"And remember, primes are responsible for what comes up from subcontractors," Grimes said, citing an incident in which a subcontractor assigned a foreign national without proper clearance to write code for a sensitive defense program. "[The company] meant well, but there was ignorance of what could be done," Grimes said.

Defense is working to educate large contractors and develop standards to ensure that proper security protocols are followed, and the department plans to do the same with network and IP providers. Grimes said that globalization, driven by the Internet, makes intellectual property far more difficult to protect. The trend also creates concerns about mergers and acquisitions of IT firms by foreign companies, he said, and the offshoring of sensitive processes.

"Do you know what's coming back? Have you challenged your contractors [to find out]? These are the challenges we as a community -- as CIOs -- need to think about under this umbrella of cybersecurity."