The following article, by a DC-based reporter for Sputnik News (English-language Russian media, www.sputniknews.com), quotes Dr. McDuffie from a recent interview resulting from his position as a Lead Research Scientist with the Cyber Security Policy and Research Institute of The George Washington University, Washington, DC.
The US Department of Defense’s supply chain, running from defense contractors to their subcontractors, is particularly vulnerable to cyberattacks, cybersecurity experts told Sputnik.
WASHINGTON (Sputnik) — Unlike US government information systems, which run on a separate secure network, many companies rely on the public internet, which is more susceptible to intrusion.
“Information that is actually classified by the US Government only exists on government systems and is well protected,” Cyber Security Policy and Research Institute Lead Research Scientist Ernest McDuffie told Sputnik.
“But the systems that might be at a private contractor that are sensitive or considered classified by that contractor will have their own set of standards about how they protect that,” McDuffie added.
McDuffie explained that defense contractors and their subcontractors would ideally have cybersecurity systems in place meeting US government standards.
However, he noted, a company would not be able to tell if its systems are up to the government standards because the information is not public.
McDuffie argued the problem of cybersecurity is exacerbated down the defense supply chain.
“It is very difficult for a contractor of the US government ensuring the security level of a contractor operating for them and how secure their information is,” McDuffie said. “Then the problem multiplies as you go, each contractor will have subcontractors.”
McDuffie further noted that the complex interrelationships in the private sector compound the problem of ensuring cybersecurity, as there is no technical solution that guarantees any piece of information will be secure moving across multiple systems.
“Even if you did have the ultimate technical solution there is always going to be the human element to worry at each of those different subcontractors. The biggest vulnerability in any cyber security system is always the human element regardless of what is happening on the technical side,” McDuffie said.
James Ryan, a co-founder of the cyber-defense and cyber infrastructure service company Litmus Logic, told Sputnik the supply chain is the most complicated part of ensuring cyber security.
“The supply chain is one of the easiest ways to break into bigger companies,” Ryan said. “As soon as big companies finish with their strategies the next thing they ask is ‘how do we push this down the supply chain?’”
Ryan argues there are solutions to protecting supply chains from cybersecurity threats, and there will be a market-driven shift to force companies to implement strong cybersecurity measures, or they will go out of business.
“We are about to see a shift as big as the internet over the 15 years where we will start pricing cyber risk into our prices. We will see a change in buyer demand, the buyer asking for reduced cyber risk,” Ryan said.
Ryan suggested that by incorporating cybersecurity into defense purchases the Pentagon will have to pay more for products with cybersecurity guarantees.
In 2014, the US Department of Defense announced it would form a cybersecurity command, but top officials including Deputy Defense Secretary Robert Work have admitted the threat to the defense supply chain is the least understood and the one the department is least able to combat.