In the latest feature from Executive Mosaic’s GovCon Expert program, GovCon Expert Tommy Gardner, PE and CTO of HP Federal, explores the impact cybersecurity is having on the federal market, the evolution of cyber warfare, the flaws of our cyber systems and possible solutions.
The Acquisition of Cyber Systems
Most of you reading this article are familiar with the Federal Acquisition Regulations (FAR) and the federal Planning, Programming, Budgeting and Execution System (PPBES). You have likely heard of the fourth pillar of acquisition decisions, which adds cybersecurity to cost, schedule and performance as a foundational tenet.
You may have even heard senior government executives, like Katie Arrington, CISO for DoD Acquisition Office and 2020 Wash100 Award recipient, speak of how you cannot trade off cyber capability with cost, schedule and performance, but you still need to select the best cyber currently available on the market in order to ensure mission execution.
You may not know that these tenets hold true in industry as well as in government. While industry is usually seen as having a different mission, in some respects it makes decisions to serve its customers in the same manner that governments make decisions to serve their constituents.
In both cases, buying the best cybersecurity on the market only makes sense when you consider the impact a cyber attack can have on mission, operations and profits. The uncertainty, variety and scale of a potential attack cannot be predicted.
Settling for the second-best cybersecurity capabilities only adds risk to the performance of your mission, in industry and in government alike. If you are making purchase decisions with cost as your main consideration, you might as well put your head in the sand.
If there was an international law that stated only certain forms of cyber attacks were allowed and any others were out of bounds and considered a war crime, we’d be able to design systems to protect against those known and approved cyberattacks. Such a law would reduce a lot of uncertainty for users and allow for industry to design systems capable of resisting those attacks.
An analogy would be the initial use of mustard gas in the First World War. The atrocity of a mustard gas attack was so revolting that countries banned it from future warfare. Even that universal condemnation did not prevent countries from using it: Iran, Iraq and Syria are among those accused of its use, despite the ban under international convention.
The same problem would exist in cyber warfare. Even if certain attacks are banned, the attacks conducted by rogue states, independent actors under direction of a large state apparatus, cyber military organizations or large criminal elements would continue to break the rules.
These players would use a law like this to their advantage. They would formulate attacks to get around the law, or ignore the law completely.
It reminds me of my days in the Navy. When pulling into a port call, the Senior Enlisted would warn the sailors of which parts of town, bars or establishments were off limits. Inevitably, there were some sailors that would use that information as a road map and head directly to the off-limits spots as soon as they got off the ship.
Similarly, you can count on cyber criminals to head right to any off-limits area a law proposes. Cyber law will not make us safe. Our systems need to be designed to withstand all known attacks and be resilient against any unknown or unexpected attacks.
Rapid recovery is essential. The capability or design objective needs to be like the old Timex watch commercial of the cliff divers in Mexico diving while wearing a Timex.
“It takes a licking and keeps on ticking” was the commercial conclusion.
This will only happen when information systems are designed with the best possible cyber as the principal criterion of design. Bolting on a cyber solution afterwards will only result in the second-best capability. Designing it in takes significant research and investment. The Advanced Persistent Threat (APT) is not standing still; these actors are investing and improving daily, and we need to follow suit and keep pace.
So how do you tell which cyber capabilities are the best? What cyber metrics do you use to differentiate the various offerings? Computers, workstations, laptops, printers and even 3D printers are not commodities. Their exteriors may look similar, but the internal design can be the difference between successfully avoiding an attack and suffering mission downtime or data exfiltration.
Few acquisition officials in government, and perhaps even fewer in industry, understand how to evaluate different product designs. You have to go beyond the marketing claims and get into the logic of how the design holds up against various threat scenarios.
Cyber ranges are conducting many forms of cyber testing. They need to start evaluating the design principles behind the products for how they combat various threat scenarios and APT tools. Making these complex decisions correctly requires extensive training.
In these quarterly musings, I plan to go into detail on some of these subjects:
- Is there standard testing that can be applied?
- How will Cybersecurity Maturity Model Certification (CMMC) help?
- How will economic concepts embodied in Game Theory help protect your cyber enterprise?
- What does Social Utility theory tell us about the cyber market?
- Should sustainability be a factor in buying decisions? Should AI-written code be allowed, and is it safe?
I am happy to address any other topic of concern on your mind and welcome any feedback.