DOD mulls incentives for vendors to report vulnerabilities
- By Lauren C. Williams
- Apr 25, 2019
The Defense Department wants its tech to be delivered uncompromised. But there are several obstacles to supply chain security, including lack of data from vendors on possible vulnerabilities.
For Defense Security Service Counterintelligence Director William Stephens, "uncompromised" means capabilities sent to operating forces without "critical information and or technology being wittingly or unwittingly lost, stolen, denied, degraded or inappropriately given away or sold." Or at the very least being able to account for how something took place, he said at an April 24 Center for Strategic and International Studies event on supply chain security.
DSS oversees cleared industry partners working on classified projects with the Defense Department. Stephens wants to capture potentially adverse information from those vendors as early as possible, even if that means paying companies incentives to get it right.
The agency has a lot on its plate. DSS gets about 50,000 reports annually, seriously looking into about 8,000 for counterintelligence interest. For the last two years, Stephens said reports have been overwhelmingly a mix of cyber and human activity: 16% were cyber only, 30% were human only, 54% had indicators of both. That means only focusing only on the cyber or intelligence connection "is a dangerous thing," he said.
"Industry does a good job" of reporting activity he said -- 15% of facilities report information of counterintelligence interest and a quarter making some sort report. But it's still not enough: DSS needs about three times as many facilities reporting for the data to be statistically significant, hence the need to incentivize contractors to report.
"The challenge is that we're going to have to incentivize if we're actually going to truly get to the depth and breadth of the challenge," he said. "If the incentives are correct, they'll deliver."
Lauren C. Williams is a staff writer at FCW covering defense and cybersecurity.
Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.
Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at firstname.lastname@example.org, or follow her on Twitter @lalaurenista.
Click here for previous articles by Wiliams.