16 March 2019

China’s Cyber Prowess is Shaping How the Pentagon Buys

By Brandi Vincent

China’s drastic expansion of military and technological capabilities over the last 15 years has America’s procurement leaders focusing on the cybersecurity of what they buy.

“Over the last roughly full decade to 15 years, [China has gone] from being a very minor military player to a major military player with over 300 ships,” Deputy Under Secretary for Acquisition and Sustainment Alan Shaffer told the American Council for Technology and Industry Advisory Council’s Acquisition Excellence Conference Tuesday.

He said China was the second nation to field fifth-generation fighter aircraft, it has an extensive missile system, and it “actively uses cyber capabilities to ‘borrow’ other people’s intellectual property.”

Shaffer shared the Defense Department’s priorities for the coming year, including driving F-35 Joint Strike Fighter costs down, modernizing nuclear deterrents as well as nuclear command and control systems, providing real-time responses to combatant commanders and improving supply chain operations, among others.


But as the Defense Department weighs what it buys going forward, he said it’s imperative to think about cybersecurity and the capabilities that come from non-conventional weapon systems.

“We know for a fact that China uses cyberspace effectively to mine information,” Shaffer said. Shortly after, he added, “and we know that companies like Huawei are tied into Chinese intelligence services.”

Shaffer said he is concerned that the Chinese tech giant, Huawei Technologies Co., is moving very quickly in developing 5G networks, and he warned against Huawei-built 5G infrastructure being deployed in the U.S., Canada, or abroad. He said with the right software in place, communications sent over 5G networks can be sent back to network owners, which can lead to serious security vulnerabilities.

“I am not saying there are backdoors in Huawei’s 5G networks, but since it’s a software-enabled network and we know how some nations operate, we need to think very seriously about what we are buying and what our friends and allies are buying,” Shaffer said.

He also highlighted the Trump administration’s latest warning to Germany that the U.S. will pull back on intelligence sharing if the European country allows Huawei to build its 5G network infrastructure.

“We have to know the pedigree and surety of the underlying technology that we put into our systems,” Shaffer said. “That’s an important part of acquisition within the Department of Defense.”

The Homeland Security Department is warning political candidates that they need to take cybersecurity seriously no matter what level of government they’re running for.

The department has steadily ramped up its election security operations following Russia’s interference in the 2016 race, with the newly minted Cybersecurity and Infrastructure Security Agency responsible for much of the work. While CISA’s efforts have largely focused on securing election infrastructure and sharing threat information, the group is also working with political campaigns to bolster their digital defenses.

While presidential hopefuls and other high-profile candidates usually have the resources to invest in security, that’s not the case for thousands of people running for federal, state and local office, according to Jeanette Manfra, CISA’s assistant director for cybersecurity. As such, low-budget campaigns are left relying on personal devices and accounts, which are potentially rife with bugs and easy to infiltrate, she said.

Often, low-level candidates also don’t think there’d be any reason to target them, but Manfra warned it’s impossible to know what races online adversaries will be interested in swaying.

“I don’t care if you think you’re not interesting or your information is not interesting,” she said Saturday at SXSW. “When it comes to elections, anybody can be a target.”

Political campaigns aren’t considered critical infrastructure under current law, so CISA is limited in the amount of resources it can provide them. But Manfra told reporters the agency is providing security training to officials at both the Republican and Democratic national committees, as well as campaign staffers.

The agency also issued a set of security guidelines that even the most cash-strapped campaigns could follow, like using two-factor authentication, strong passwords and encryption, she said. The plan also recommends campaigns regularly patch their software, create an action plan for responding to cyber incidents and follow other cybersecurity best practices.

“There’s most likely on any given Tuesday an election happening somewhere in this country, so this is not something we can ever stop focusing on,” she said.
