Defense agencies should provide ways for industry to fix security issues

Provision in Senate Defense authorization bill would allow a top procurement official to exclude a company based on security risks, without a chance for a protest.

The federal government has the right to refuse technology components that could introduce cybersecurity risks into the Defense Department's classified systems, but it should provide manufacturers the opportunity to fix the vulnerabilities to ensure they don't affect commercial and other federal networks, said a security expert.

TechAmerica, a technology lobbying group in Washington; the Professional Services Council, a trade association; and other industry organizations called for Congress to drop Section 815(c) from the 2011 Senate Defense authorization bill, which would authorize Defense agency heads to exclude from procurements specific companies "to avoid unacceptable supply-chain risk."

The provision, which would apply only to the acquisition of classified national security systems, defines supply-chain risk as the potential for adversaries to gain access to and attack the system. The decision to exclude a company would be at the sole discretion of an agency head or a senior procurement executive, and would not be subject to review in a bid protest before the Government Accountability Office or in any federal court.

But determining a company's trustworthiness is difficult because so much technology development occurs overseas, which is harder to oversee and track, said Amit Yoran, chairman and chief executive officer of security software company NetWitness and former director of the Homeland Security Department's National Cybersecurity Division. Defense agencies, however, should have the right to refuse a technology component that could pose a risk to classified systems, if they also provide industry with enough information to mitigate those risks, he said.

"The question becomes, how do you evolve this [provision] so it can ultimately help fix the problems?" Yoran said. "Agencies need the ability to refuse parts in their supply chain, especially for national security systems, but it can't be to just blacklist that company or component without any process in place for enabling the manufacturer to address the problem."

Because the provision applies only to national security systems, failing to compel industry to fix the vulnerabilities introduces the possibility of a "natural bleeding effect," which occurs if classified systems are not properly isolated from other networks that might have installed components from a blacklisted manufacturer, Yoran said. It also places other sensitive computer systems at risk, including those that civilian agencies, critical infrastructure sectors and financial institutions maintain.

"In order for this to be fair, agencies need to have transparent processes for evaluating software products and solutions that allow the agency to perform due diligence, while still providing the [manufacturer] due process in response to any identified vulnerability in its products," said Pat Howard, chief information security officer at the Nuclear Regulatory Commission.

TechAmerica does not oppose security standards if they're developed in conjunction with industry, said Trey Hodgkins, the organization's vice president for national security and procurement policy.

"Companies work hard 24-7 to assure the security of their solutions and the supply chain behind them today," he said. "To be effective, they need much more information about the threats and vulnerabilities from our national security agencies."

The Defense Department proposed the provision, claiming it would "maximize competition among all risk-appropriate, technically qualified commercial suppliers while strengthening the department's ability to protect itself from malicious actors seeking to sabotage or subvert critical programs by taking advantage of the government's open contracting structure," a committee staffer said.

"We have met with the industry associations to discuss their concerns about the proposed language and plan to work with the Department of Defense to see if we can mitigate these concerns without undermining the purpose of the provision," he added.