Until recently, policing the security standards of such a large number of contractors was all but impossible. But in late January 2019, the DoD’s Chief Information Officer announced that the Department was considering the use of artificial intelligence (AI) to perform spot checks and audits on defense contractor and subcontractor security measures.
The specific model being considered would require the DoD to certify a third-party company to see how the contractor’s security posture compares to the National Institute of Standards (NIS) guidelines and other technology cybersecurity standards.
But the DoD doesn’t yet seem to have decided whether it will take the “carrot” or the “stick” approach when asking contractors to improve their security measures. One school of thought holds that many categories of defense contractors are easy to replace, so cutting loose those who don’t abide by NIS guidelines isn’t likely to have an appreciable impact on the work the DoD does.
On the other hand, providing incentives for contractors to beef up their security standards (instead of punishing them for not meeting these standards) can help foster good relationships and reward loyal workers.
One goal the DoD has outlined is to move away from the current self-certification process. Right now, defense contractors are asked only to provide a self-assessment of their cybersecurity measures for DoD review. Because the DoD relies heavily on contractors’ own opinions and estimates of how well the military data they can access is protected, these self-assessments increase the potential for “optimistic reporting.” This means that serious threats and vulnerabilities may fly under the radar until they’re exploited by an outside party.
By vesting power in the DoD’s undersecretary to evaluate the contractors’ self-assessed reports, the DoD seems far more likely than before to be able to spot and correct cyber vulnerabilities before they attract much attention from outside bad actors.
This contractor reform has also prompted suggestions to review, top to bottom, the DoD’s entire cybersecurity posture. Experts have suggested that the DoD use AI principles to streamline contractor cybersecurity measures wherever appropriate. Many processes and security checkups that are currently performed manually can also be automated through AI, allowing DoD specialists to focus on more value-added work.