The Department of Defense is working with a unnamed company to mitigate cybersecurity vulnerability discovered in a technology used by the Pentagon, the DoD’s Deputy Chief CIO Michele Iversen said Nov. 12.
Without going into specific detail, Iversen said the department is working to remove the product.
“The company was compromised [and] had a big cybersecurity vulnerability,” said Iversen, speaking at Fifth Domain’s annual CyberCon conference. “And we have seen bad things coming from those products, so we are looking at how to use our authorities … [to] block those products or companies for national security systems.”
This highlights a broader issue facing the DoD: how to protect its supply chain.
To mitigate supply chain risk, Iversen said that she is working on a supply chain illumination tools. She said that these are useful because its made up of publicly available information that doesn’t need any level of classification.
Specifically, she said she’s working on a decision support tool where she can expose a “bare minimum set of publicly available supply chain information.”
“So when people are going to look and make their purchases, they have information available to them,” she said.
She said, ultimately, she wants the DoD CIO’s office to offer that tool as a service.
The National Institute of Standards and Technology is also starting to develop cybersecurity tools. NIST’s Jon Boyens, acting deputy chief of the computer security division, said that his team at the standards agency is working on a supplier inter-dependency tool “to look at different suppliers and their criticality” to allow for government to be more effective in asking for capabilities during the procurement process.
“Industry is saying, ‘You know, we’ve invested in this but we’re not getting any incentives’ … and so they’re kind of looking for incentives for investing in technology,” said Boyens.
Iversen said that technology research and development also presents its own attack surface with which it needs to grapple. If the research and development was done in a foreign country, that presents a unique set of threats. For example, Iversen pointed to back-up software being placed into a nuclear command-and-control system.
“Maybe you just say anything where the R&D … [is] done in those countries is just off limits,” Iversen said. “It just makes common sense. It’s fixing stupid.”