Webinar : Supply Chain Cybersecurity to Support the Warfighter
The Defense Logistics Agency handles the supply chain of all federal combat agencies. Their operations are expansive: they work with 12,000 suppliers, issue 9000 contract awards a day, and manage 272 billion in active contracts. We had Dr. George Duchak, Director of Information Operations, and Chief Information & Innovation Officer, DLA, present on the Supply Chain Cybersecurity that supports the Warfighter. Dr. Tommy Gardner, CTO, HP Federal, moderated this presentation.
CMMC raises the bar on private industry cybersecurity by requiring independent assessment of a company’s security, but it does increase costs. Dr. Gardner asked Dr. Duchak about the tradeoff between high standards of cybersecurity for government contractors and the cost burden this bears upon businesses, especially small ones. Dr. Duchak said that high standards of cybersecurity must be required and recognized as a normal cost of doing business with the government.
“Security is a cost of doing business today. DoD must pay for that cost of doing business by making sure the vendor base that we work with has adequate security to protect not only the information that resides on their networks, but who they are connected to and who’s connected to them and connected to them.” As for the cost this brings, Dr. Duchak noted that cloud technology and outsourcing of infrastructure are going to aid smaller companies in adopting these new standards of security.
Dr. Gardner also asked Dr. Duchak how he makes sure that NIST requirements and recommendations for security are embedded in the DLA’s procurements.
Dr. Duchak responded: “We have a close relationship with our contractor, called J7. And when they’re in need of subject matter expertise and particular things, they certainly do reach out to us, and we help them as best we can. I think automating a lot of this or routinizing a lot of this, like you saw with CMMC to make sure that that’s a condition of winning a contract, that you have to be this tall to ride, that will certainly go a long way in improving these things.”
With the recent ransomware attack on the Colonial Pipeline, it is becoming increasingly evident that IT and OT are becoming intertwined. Dr. Duchak thinks that we need to get past the assumption that OT is secure simply because it is segregated from IT, and focus more heavily on securing OT.
“There’s so much commingling now”, he said, “between IT and OT, that if you get into one network, you could get into the other networks. So if there’s anything that keeps me awake at night, it’s OT cyber security, because we’re automating more and more. So cyber physical system security is going to be an increasingly big problem.”
The new presidential executive order highlighted how important Zero Trust is. Dr. Duchak described how zero trust principles are being implemented within the DLA: “ We have roughly 200 or so apps that we use for conducting our business transactions. And we’re going to integrate all into a single DLA platform, with personas for the type of job that you have. If you’re a buyer, well, you only get access to this much of the network, because the persona for the function that you’re doing only allows you that. If you’re an analyst, you may get access to other parts; if you’re an IT administrator you may get different access as well. So we’re moving in that direction.”
We’d like to thank Dr. Duchak and Dr. Gardner, as well as HP and Intel for sponsoring this webinar.