As the U.S. military tries to ensure its military assets are as secure as possible against cyberattack, the U.S. defense industry is gathering behind a new set of standards to spot cybersecurity laggards within its own supply chain.
The Aerospace Industries Association (AIA), an Arlington-based trade association that lobbies on behalf of defense contractors, on Tuesday released a set of voluntary standards designed to help U.S. aerospace companies ensure the weapons systems they make for the U.S. military are secure from hackers.
AIA president and chief executive Eric Fanning said in a statement that U.S. defense companies should see cybersecurity as part of their competitive advantage as they build complex systems for the military.
“With aggressive state and nonstate cyber actors targeting the United States, it is essential that our industry work collectively to protect technology and information,” Fanning wrote. “We are committed to bringing our industry together in partnership with government to implement this and other meaningful measures that keep us and our nation safer from cyber threats.”
The release comes as the U.S. military is considering how it can incorporate cybersecurity assessments and requirements as it awards lucrative defense contracts, something that has imposed new compliance hurdles for manufacturers.
The lobbying group may be trying to prove it can regulate itself without strict government intervention.
Kimberly Baker, senior vice president and general manager for the public sector at the cybersecurity consulting group RedSeal, said the AIA’s framework is probably a reaction to new cybersecurity requirements that were recently put in place by the Defense Department.
“The aerospace and defense industrial base is pushing back against the fairly stringent requirements that [the Defense Department], in partnership with [the National Institute of Standards and Technology], has recently levied on the [Defense Industrial Base] supply chain," Baker wrote. "This effort by AIA in my opinion is to soften the requirements that DoD has issued in a June final rule.”
The AIA’s new standards also follow a recent report from the Government Accountability Office that found “nearly all” of the U.S. military’s advanced weapons systems suffer from “mission-critical” cyber vulnerabilities. As physical weapons systems such as fighter jets, drones and missile systems become increasingly reliant on computer systems for things such as navigation and targeting, U.S. defense contractors are now expected to build weapons systems that are as resilient as possible against cyberattack.
The goal of the voluntary standards, Fanning said, is to give defense companies an accepted baseline so the defense industry’s largest manufacturers can evaluate themselves and their suppliers. It provides a voluntary checklist based on 20 different metrics, including data protection, malware defenses and training, that would place companies into different “capability levels” based on the security of their products.
Companies are ranked on a 1 to 5 scale, 3 being considered a minimum acceptable performance level. With an AIA-certified rating above 3, a company can say it is going above and beyond the industry norm. If it ranks below 3, a company might want to reevaluate its business.
Cybersecurity experts contacted by The Washington Post said it is usually helpful when specific industry groups come together to agree on security standards.
“You want industry groups to get together and decide what’s best for them, because ultimately we’re responsible for our own security,” said Ron Gula, founder of cybersecurity company Tenable Network Security. “It’s really important for members of a certain industry group to be on the same page.”
One limitation of the organization’s certification process, however, may be that companies would make their own determination that they have met the standard. An AIA spokesman said in an email that companies will be relied upon to determine how far suppliers have progressed toward meeting cybersecurity goals, though they can request a third-party audit when they are worried a given supplier is not meeting expectations.
Baker, the RedSeal vice president, said AIA “would better serve its constituents and DOD by providing vetted tools and techniques to ensure compliance," rather than setting standards of its own.