TRANSCOM head says contractors struggle with advanced persistent threats

Gen. Stephen Lyons, the head of U.S. Transportation Command, said its commercial suppliers were defenseless against persistent cyber threats despite an increase in overall compliance.

"I don't think any of our commercial providers are in a position to protect themselves," Lyons told the Senate Armed Services Committee (SASC) during a 2021 budget review hearing focused on TRANSCOM and U.S. European Command.

Lyons said the command has worked for several years to bring contractors up to a "basic level of cyber hygiene" and inform company executives of cybersecurity concerns.

"We believe that their level of cyber hygiene has increased significantly," Lyons said of commercial carriers, as a result of including contract language for compliance, self-reporting mechanisms and sufficient resilience.

But enforcement, as SASC Ranking Member Sen. Jack Reed (D-R.I.) raised, is a problem.

"If you're not checking, you can have everything in the contract you want and have nothing," Reed said before asking whether TRANSCOM needed an authority to do no-notice checks on contractors.

Lyons said there were "second and third implications" on doing those sorts of activities and would get back to the SASC on the matter, but he later indicated that the Defense Department's impending unified cybersecurity standard for contractors, the Cybersecurity Maturity Model Certification, would do "significant good" in that area.

The first version of CMMC was released in January and is expected to first appear in requests for proposals by the end of 2020. Once implemented, defense contractors will be required to get a third-party certification to prove they have met basic cyber requirements before they can bid on future contracts.

Lyons also said that despite the weakness defending against advanced persistent threats, TRANSCOM has "multiple providers in each of the commodity areas so if we lose one we can rely on others."