As the U.S. military tries to ensure its military assets are as secure as possible against cyber-attack, the U.S. defense industry is gathering behind a new set of standards to spot cybersecurity laggards within its own supply chain.
The Aerospace Industries Association, an Arlington, Va.-based trade association that lobbies on behalf of defense contractors, earlier this week released a set of voluntary standards designed to help U.S. aerospace companies ensure that the weapons systems they make for the U.S. military are secure from hackers.
AIA president and chief executive Eric Fanning said in a statement that U.S. defense companies should see cybersecurity as part of their competitive advantage as they build complex systems for the military.
“With aggressive state and non-state cyber actors targeting the United States, it is essential that our industry work collectively to protect technology and information,” Fanning wrote.
“We are committed to bringing our industry together in partnership with government to implement this and other meaningful measures that keep us and our nation safer from cyber threats.”
The release comes as the U.S. military is considering how it can incorporate cybersecurity assessments and requirements as it awards lucrative defense contracts, something that has imposed new compliance hurdles for manufacturers.
The lobbying group may be trying to prove it can regulate itself without strict government intervention.
Kimberly Baker, senior vice president and general manager for public sector at the cybersecurity consulting group RedSeal, said the AIA’s framework is probably a reaction to new cybersecurity requirements that were recently put in place by the Defense Department.
“The aerospace and defense industrial base is pushing back against the fairly stringent requirements” that the Defense Department, in partnership with the National Institute of Standards and Technology, has recently levied on the defense industrial base supply chain, Baker wrote.
“This effort by AIA in my opinion is to soften the requirements that DoD has issued in a June final rule.”
The AIA’s new standards also follow a recent report from the Government Accountability Office which found that “nearly all” of the U.S. military’s advanced weapons systems suffer from “mission-critical” cyber vulnerabilities. As physical weapons systems such as fighter jets, drones and missile systems become increasingly reliant on computer systems for functions such as navigation and targeting, U.S. defense contractors are now expected to build weapons systems that are as resilient as possible against cyberattack.
The goal, Fanning said, is to give defense companies an accepted baseline so that the defense industry’s largest manufacturers can evaluate themselves and their suppliers.
It provides a voluntary checklist based on 20 different metrics, including data protection, malware defenses and training, which would place companies into different “capability levels” based on how thoroughly they implement those controls.
Companies are ranked on a 1 to 5 scale, 3 being considered a minimum acceptable performance level.
With an AIA-certified rating above 3, a company can say it is going above and beyond the industry norm. If it ranks below 3, a company might want to reevaluate its business.
Cybersecurity experts contacted by the Washington Post said it is usually helpful when specific industry groups come together to agree on security standards.
“You want industry groups to get together and decide what’s best for them, because ultimately we’re responsible for our own security,” said Ron Gula, founder of a cybersecurity company called Tenable Network Security.
“It’s really important for members of a certain industry group to be on the same page.”
One limitation of the organization’s certification process, however, may be that companies would make their own determination that they have met the standard.
An AIA spokesperson said in an email that companies will be relied upon to determine how far suppliers have progressed toward meeting cybersecurity goals, though they can request a third-party audit when they are worried that a given supplier isn’t meeting expectations.
Baker, the RedSeal vice president, said AIA “would better serve its constituents and DOD by providing vetted tools and techniques to ensure compliance,” rather than setting standards of its own.