Before taking on my current role with SoundWay, I had the pleasure of (well, lets just call it “the experience of”) working at the cross section of Government and Industry. Specifically, engaging in working groups championed by the U.S. Department of Homeland Security, General Services Administration and Department of Defense. In these working groups, you had a handful of government employees (Govies) trying to wrangle in industry in a way that aligned with then President Obama’s Executive Order 13636 “Improving Critical Infrastructure Cybersecurity”.
There was a continuous murmur of “yes, there is a problem and yes we need to do something”. As the Govies continued from late 2013 to 2018 to “suggest” industry needs to do a better job, some industry trade organizations pushed back with “We are doing just fine.” Or “Who is going to pay for it?” Or “Its another regulation that has no teeth to it so bother me when I need to be bothered”.
Having performed numerous cyber risk assessments on commercial enterprises, I knew back then that they were not “doing just fine”. In fact, pretty far from it. Because commercial enterprises have historically looked at cybersecurity as exclusively an “IT” function, they categorically missed the opportunity to understand prior to a cyber incident the costs associated with not having adequate or reasonable cybersecurity.
A large part for this lack of understanding is our culture. Our adversaries think long term and we are a two-week memory nation. This also leads to a hubris of “Oh that’s crazy Tom Clancy rhetoric.”. The rhetoric became realized when the intelligence communities put together a brief on technology vendors Kaspersky, Huawei, and ZTE. In 2017, President Trump issued an order banning the utilization of Kaspersky.
But just as industry’s culture has yet to mature, our Uncle Sam has also had issues. Specific to this piece, the “order” issued by Trump pertaining to Kaspersky, that applied to federal civilian and military networks. Okay, but “who” provides these capabilities? If you responded with “U.S. Government Contractors” you would be correct. I bring this to your attention because last week it was announced that during the CMMC Mock Assessments, that Kaspersky was identified in contractor’s technology stack.
While I am sure we would all agree, that is not the smartest play a contractor could make, we need to ask ourselves what is the “so what” in all of this?
First, why did the contractor(s) still have Kaspersky in play? It could be something as simple as the CEO of the company deferred to the “IT” staff that has used it for years and if it ain’t broke, don’t fix it. But this ties back to my original point of looking at cyber as exclusively an “IT” matter.
Second, were the impacted contractors notified in writing by the U.S. Government either as a memorandum, contract modification, or other that Kaspersky shall not be used on their systems vs. being used on the Government’s?
I foresee significant issues moving forward with CMMC if acquisition authorities continue to take a position of “well I threw the DFAR clause in, what more can I do?” Respectfully, I respond “PLENTY”. Understanding how to improve what is within the “four corners” of a legally binding agreement can significantly improve the Government’s position towards reducing cyber risk.
Relying on self-attestation for cyber is like the car insurance industry relying on the truthfulness of the drivers. There is a reason so many of them are asking for you to use their tracking apps so they can confirm you drive the way you advise. Why? Because self-attestation has proven to be ineffective and a failure.