Holding Government Contractors Responsible for Cybersecurity Is Trickier Than It Sounds

The federal government wants to hold defense contractors accountable for the cybersecurity of their supply chains but that’s no easy feat, experts said Tuesday.

Industry representatives told lawmakers on the Senate Armed Services Committee about attempting to tackle cyber threats as a federal contractor. Much of the hearing was focused on one specific issue: increasingly complex levels of supply chains make it difficult for prime contractor to ensure all subcontractors are upholding cybersecurity protections. And that ever-lengthening chain increases the possibility of compromised information or cyberattacks.

“I don’t know why we don’t hold the larger contractors who are responsible for the contract to make sure the subcontractors they are hiring have protections,” Sen. Joe Manchin, D-W.V., said. “Somebody has to be held accountable.”

The panelists explained a large part of the problem is that the government frequently does not have access to the contracts between primes and their subcontractors, or a prime contractor may know its immediate supplier is but not know the subcontractors that supplier uses—a loop that can repeat for each subcontractor.

Senior Vice President and General Manager of MITRE National Security Sector William LaPlante said during his time working as an acquisition executive, he often noticed that some prime contractors had more detailed knowledge around their own supply chains than others. He said it was surprising to realize that some didn’t even know who their subcontractors were working with, even on their own government-sponsored projects.

“The knowledge of the primes to the sub to the sub to the sub is uneven,” he said.

Christopher Peters, CEO of the Lucrum Group, said prime contractors are hesitant to offer up their subs’ identities to the feds, out of fear that, if exposed, the government may select their subs instead of them in future contracts. This, in turn, makes it nearly impossible for the government to ensure all subcontractors contributing to federal projects are abiding by cybersecurity protocols.

“We wonder why we’ve been hacked so much and why [China copies] everything? You all just explained it. There’s no checks and balances,” Manchin said. “It looks to me like we are protecting a business model more than we are protecting the security of our country.”

Michael MacKay, chief technology Officer for Progeny Systems Corporation, a small business that works with the Navy, said his team has spent “countless hours” worrying about the issue of subcontractors that they may not know about who work on their projects and report to their subcontractors. He said it’s imperative for players at each step of the management process to take ownership.

“We are a subcontractor to Lockheed Martin and Lockheed Martin assesses us the same way that we assess the [subcontractors] that work for us, so the flow down is critically important,” MacKay said. “But the guy at the top who has the prime contract has to take on the responsibility of seeing things all the way down to the bottom. And they have to ask the hard questions.”