Every year, the Government Technology & Services Coalition beats the drum of cyber security – particularly during October’s Cyber Security Awareness Month.
We pull out the cute little monster virus icons, we parade a series of sessions, webinars and blogs about the perils of ignoring cyber security, and we try to provide some tangible steps for small firms (or really ALL firms) to implement so they can be responsible partners to their Federal clients.
There is still quite a bit of complacency, but the threat to our nation and to our assets is very real. Most recently, the Senate Armed Services Committee found that hackers associated with the Chinese government had repeatedly infiltrated the computer systems of major U.S. companies, including government contracting firms of all sizes, to find out about the movement of U.S. troops and military equipment.
U.S. Transportation Command, or Transcom, was aware of only two of the intrusions. Gaps in reporting requirements and a lack of information sharing left the U.S. military largely unaware of the compromises of its contractors' computer systems.
What the Senate Armed Services Committee really found is that cyber security, information sharing and defending our systems MATTER NOW. And protecting "our systems" means protecting a complex ecosystem of both public and private entities, enmeshed through so many access points that it is virtually impossible to untangle them all. Detecting the patterns of attack requires a complex collaboration between government and industry.
Although efforts to address cyber security are still "in process," for contractors the writing is on the wall.
Currently, cyber security is still "voluntary." To satisfy President Obama's Executive Order 13636, Improving Critical Infrastructure Cybersecurity, this year saw the release of two documents that map out the future of cyber in procurement: the DOD-GSA report, Improving Cybersecurity and Resilience through Acquisition, and NIST's Cybersecurity Framework, a description of what should be in a cyber security program.
The "mandatory" is coming: late last year, DOD's new DFARS clause (252.204-7012) required companies handling "unclassified controlled technical information" to implement a specified set of security controls and to report cyber incidents within 72 hours of discovery. This is only the beginning.
Lawmakers are using the tools at their disposal to tighten security through procurement: a provision was added to the annual National Defense Authorization Act to strengthen the requirements for defense contractors to report cyber attacks by known or suspected government actors.
So, everyone is, or should be, preparing. But there are still important questions: "When are my systems 'secure'? What happens when I am the victim of an attack? What if I've done all the right things?"
To find some answers, most contractors are watching the examples. USIS, a government contracting firm that performed background investigations for the government, is currently front page news. After detecting a breach, the company reported it to the Department of Homeland Security. Subsequently, its background-check contracts with both DHS and OPM were suspended.
At first blush, that sends an ominous message. However, the reality of "cyber" is that every company is vulnerable, and every company from Lockheed Martin to the much smaller USIS has fallen victim to hackers, breaches or attacks of one kind or another.
What we are learning every day is that partnerships – BEFORE an attack – will make or break our success. And that “waiting” is not a strategy.
So you're probably thinking, "Well, that's all well and good, Kristina. What does it mean for me?"
It means that if you are working with Federal clients, this is that moment when you look up from the weeds to see the trees:
FIRST: Join the FBI's InfraGard, or have your CISO join. The public-private partnership's mission is to protect the critical infrastructure of the United States, and its roots rest squarely in cyber: protecting our digital infrastructure. InfraGard provides invaluable alerts, lots of training and information to ensure you are ahead of the curve and know who to call, and when.
SECOND: Join an organization, network or information-sharing exchange that will educate you about the cyber requirements coming down the pike. Learn what is required, and build your cyber security practices beyond that. Cyber security is a new cost of doing business with the Federal government, and you need to be ahead of the curve.
THIRD: Use the free resources available to you to develop your cyber plan and educate your employees. GTSC has a slate of resources available to help small and mid-sized companies educate their employees, and the FCC has developed a free cyber security planner for business. StaySafeOnline.org has the resources and information to educate your workforce; you just need to use them.
Kristina Tanasichuk is CEO and founder of the Government Technology & Services Coalition. She is also President and founder of Women in Homeland Security and Executive Vice President of the InfraGard National Capital Members Alliance. She has worked in homeland security and domestic infrastructure for nearly 20 years.