The report found that weak industrial security scores, driven by increases in cyber vulnerabilities, negatively impacted the health of the defense industrial base in 2020.
The defense industrial base faced an uptick in cyber vulnerabilities in 2020, contributing to a slight decline overall in the health of the defense contracting community, according to a new report from the National Defense Industrial Association.
In its annual “Vital Signs” report, NDIA and data company Govini found defense contractors entered the coronavirus pandemic in a “weakened state,” and around 71% of companies surveyed reported the pandemic negatively affected business. Data included in the report comes from before the onset of the pandemic, while survey responses were gathered in August 2020. The report gave the health of the base a “C” grade overall.
“These challenges include but are not limited to intense industrial security threats highlighted by the recent SolarWinds hack attributed to Russia, along with myriad breaches attributed to China; expected flat budgets going forward; decreased investments in the basic science that fuels U.S. innovation; skilled, cleared workforce shortages; and increased regulatory burdens and barriers to entry for those seeking defense contracts,” Hawk Carlisle, a retired Air Force general and NDIA president and chief executive officer, wrote in the report’s foreword to describe the burdens the defense industry faces.
Of the eight categories graded, industrial security had the worst showing with a score of 56 out of 100, one point down from last year’s accounting. The drop is attributed entirely to information security: the number of newly reported common cyber IT vulnerabilities rose to over 17,300 in 2020. That’s up from 14,645 in 2017, according to the report.
“Industrial security conditions continue to decline, losing ground on what was an already poor score. This decline reflects larger trends in the erosion of industrial cybersecurity despite increasing attention and resources being dedicated to combating the threat,” the report reads.
It’s not yet clear how new programs—specifically, the Cybersecurity Maturity Model Certification and Section 889(a)(1)(b)—governing this category will affect the DIB moving forward. But NDIA experts during a Tuesday media briefing on the report said these two compliance tools may make it harder for companies to work with DOD. Carlisle said CMMC, which is DOD’s program for assessing contractor cybersecurity, must be executable for companies.
“Right now many of the commercial enterprises don't have the same rule set on that … I think they'll have to because they're losing intellectual property, but the way it's rolling out and what that does to companies trying to enter the defense industrial base or want to stay in the defense industrial base causes problems,” Carlisle said.
Wesley Hallman, a retired Air Force colonel and a senior vice president with NDIA, added that the lack of clarity around Section 889 Part B, which comes from the 2019 National Defense Authorization Act and prohibits federal contractors from using telecommunications equipment provided by certain Chinese companies including Huawei and ZTE, similarly creates difficult regulatory burdens for DIB companies.
“First off, there is no definition of what is ‘use,’ there's no defined list of subsidiaries and related entities that produce products, and there's also no list of alternatives that companies can go to to substitute in there,” Hallman said. “So this creates a burden of both looking for these things in their supply chains, and then how do you replace those in their supply chains. So that cuts into their ability to do business with the government.”
Coupled with these hurdles is a decline in investment dollars for basic scientific research, according to the report. Resources directed toward information and communications technologies have actually increased, but scientific research and development is receiving low levels of investment.
Even as DOD’s research, development, test and evaluation budgets have grown over the past several years, Tara Murphy Dougherty, Govini’s CEO, said government is no longer the hub for research investment. Dougherty called the shifting locus of innovation leadership “frightening,” particularly if DOD is not able to effectively leverage commercial advances in technology for national security purposes.
Dougherty pointed out that the 2018 National Defense Strategy emphasized modernization, but declining defense budgets in the future may lead to a squeezing of DOD investment funding. In her confirmation hearing before the Senate Armed Services Committee Tuesday, Dr. Kathleen Hicks, nominee for deputy secretary of defense, said she believes it is possible to reduce the topline Defense budget number without sacrificing national security.
“So really RDT&E spending and procurement, where DOD can push its modernization priorities, is going to face tighter and tighter trade-offs,” Dougherty said. “And so while the Vital Signs story and score today is quite strong and accurately so, the forward looking piece because of those pressures, in terms of rising costs and certain accounts, and an overall declining top line, I'd point there in terms of where to be wary looking ahead.”