DHS official stresses cybersecurity is industry's responsibility

Contractors that fail to live up to security requirements in federal technology contracts should be held accountable, even if the vulnerabilities originated in products or capabilities provided by suppliers, a top Homeland Security Department official said on Tuesday.

In most business situations, "if we have a contractual arrangement and you fail [to meet the requirements], I have legal recourse," said Richard Marshall, director of global cybersecurity management at DHS. "Why wouldn't the same be true when the supply chain [is involved]? I'm buying a product from you, and you represent that it's a product with the following characteristics. If you fail, I have a right to sue you."

Marshall spoke at the SecureAmericas conference in Arlington, Va., an event hosted by the cybersecurity provider International Information Systems Security Certification Consortium.

He noted a number of examples where failures in the supply chain led to serious security implications, including a wave of hard drives infected with viruses that infiltrated the U.S. market from Asia in 2007 and a recent case in which thumb drives were shipped preinstalled with malicious software, eventually leading to the Defense Department imposing a temporary ban on the storage devices.

"Buy from an authorized vendor and make sure that vendor has purchased from an authorized vendor," Marshall advised.

Federal technology and acquisition officials must write contracts that set specific expectations for how industry secures computer hardware and software, including assurances the products they purchase from suppliers and the development processes followed best practices.

"Both sides have to operate under due diligence in defining characteristics [of the contract]," Marshall said. "You're going to want to design a contract in your favor, and I will in mine. There's that constructive tension, but I believe it's [productive] if we have the same objective, which is building good quality stuff."

Just as software vendors are expected to develop security patches to protect vulnerabilities detected in their products, chief information officers must be diligent in keeping their systems up to date.

"That is a daunting challenge," Marshall said. "We always have the time and money to correct a mistake, but we're tight on the front end when it comes to buying smartly and installing correctly."