Companies that participate in a potential Pentagon program to conduct threat hunting across the defense industrial base should be protected from legal liability and be given additional financial or technical support to ensure small businesses aren’t crowded out, an industry group is arguing.
The Cyberspace Solarium Commission issued dozens of recommendations to policymakers last year, many of which made it into Congress’ annual defense authorization legislation. One of the provisions that made it into the final law requires the secretary of defense to deliver a report by September laying out the feasibility of a DoD-led threat hunting program focused on identifying and rooting out cybersecurity vulnerabilities in the systems and networks of defense contractors. If that report is favorable to the idea, DoD officials plan to have such a program in place by 2022.
Last week, the Intelligence and National Security Alliance, a non-profit professional organization for intelligence and national security personnel, issued seven different recommendations for how such a program might be set up. An undercurrent to many of the ideas is a belief that the government should tread carefully when setting up such a program, rely on carrots rather than sticks to entice participation and sharply limit rules that govern when DoD or third-party officials can root around a company’s network.
The authors warn that adding threat hunting requirements to programs like the Cybersecurity Maturity Model Certification may do more to box out many small businesses than spur the creation of new threat hunting teams. While large defense contractors will likely already have the resources and sophisticated threat hunting programs needed to receive the highest level of certification from CMMC, small and mid-size businesses “may require technical and financial assistance to remain part of a viable national defense supply chain.”
That could include financial incentives and technical assistance for small businesses, as well as allowing them to treat investments in threat hunting as an “allowable cost” under Pentagon contracting rules, making those investments subject to reimbursement by the federal government.
Businesses should pass along their internal analysis of network metadata, but military officials should not require defense contractors to hand over the metadata itself, since it might contain personally identifiable information or run afoul of privacy laws in Europe and in some U.S. states like California. Other ideas, like placing sensors on contractor networks, may require additional legislation, INSA believes.
“A company should not be required to permit an outside party — either a vendor or a government agency — to operate or place sensors on its network,” the report states.
The rules and conditions that would govern a threat hunting program for defense contractors are up in the air right now. Experts reached by SC Media say that’s largely the product of congressional language in last year’s National Defense Authorization Act that gave DoD few mandates and wide flexibility to figure out the details of how to structure such a program.
“What we’re hearing today is a byproduct of some of the other conversations we’ve had in the past [from the private sector] that we don’t want you on our networks, we don’t want to have to do anything that’s required by the government, leave us to our own devices and if something happens, we may inform you or we may not, because there’s nothing requiring us to,” said Chris Cummiskey, a former DHS official and senior fellow at the McCrary Institute for Cyber and Critical Infrastructure Security.
While some in industry may want DoD to slow down, the opposite may be true for the federal government, which is facing intense pressure from Congress, the White House and the private sector to move quickly and prevent future incidents like the SolarWinds or Microsoft Exchange campaigns, where contractor or commercial products were exploited to penetrate government networks.
One INSA recommendation, for instance, calls for DoD to essentially punt any plans to implement a threat hunting program until at least January 2023, saying it “should be rolled out slowly to establish the program’s value and to assess first-, second-, and third-order effects on the [defense industrial base] supply chain” and arguing for a more deliberate approach that includes tabletop exercises and a pilot program.
Robert Metzger, author of “Deliver Uncompromised” and an expert on the cybersecurity requirements of the defense industrial base, argued a slow-roll approach like that would probably not be acceptable to the Pentagon or policymakers in Congress who have spent much of the past year witnessing a series of devastating supply chain hacks and other intrusions into contractor and government systems. Taking an overly cautious approach, or falling back into old arguments about government overreach into the networks of companies that do business with the military, could lead DoD right back to the unacceptable status quo and cause other stakeholders like Congress to develop their own mandates.
While there are certainly valid concerns about moving too quickly and making mistakes, “the experience of SolarWinds and other events teaches us that there is an urgency to this problem that doesn’t really reconcile to the careful approach,” said Metzger. “We want to be careful, we don’t want to demand the impossible, we of course must be attentive to the small business base, but if we err too much on the side of care and precision, we’re going to find that we have more examples of SolarWinds-type events, more harm done. And what that can lead to is a political solution in Congress to answer these questions itself.”