The 2023 U.S. DoD Cyber Strategy is a significant document that outlines the DoD’s approach to cyberspace for the next several years. But why is the U.S. DoD Cyber Strategy important for the Australian Defence Industrial Base (DIB) seeking work with the Defence Primes or in the U.S. Defence market?
AUKUS and the potential of relaxed export controls are increasing opportunities for Australian DIB SMEs as collaboration ramps up. Because of this, we are already seeing opportunities realised with our clients expanding and taking on new projects.
And while there are many defence companies energised by this potential seeking new export and local opportunities with United States Primes, it doesn’t mean existing cyber processes are enough to satisfy increasingly demanding clients.
The U.S. DoD realised that this increase in collaboration with allies and partners increases the attack surface for their adversaries to seek and obtain strategic advantages by targeting the sensitive and critical information shared due to the collaboration.
Unlike similar Australian government and defence documents, the United States government don’t seem particularly shy of calling out their adversaries and making it explicitly clear the activities those adversaries are undertaking.
For example, the strategy document states, “Using cyber means, the PRC has engaged in prolonged campaigns of espionage, theft, and compromise against key defense networks and broader U.S. critical infrastructure, especially the Defense Industrial Base (DIB)” and it goes on “The PRC poses a broad and pervasive cyber espionage threat. It routinely conducts malicious cyber activity against the United States as well as our Allies and partners. It steals technology secrets and undermines the DIB in an effort to erode U.S. military advantage.”
In addition to the cyber strategy, many Defence and government officials have been as blunt. Recently, Lt. Gen. Robert Skinner, the commander of the Joint Force Headquarters-Department of Defense Information Network, said that ”hackers backed by China, Russia and other adversaries are applying “very high” levels of effort to digitally infiltrate, surveil and make off with plans or intelligence closely held by suppliers to the Department of Defense.” He adds. “That’s why our work with CMMC and our work day-to-day with our defense industrial base partners is critical moving forward, because that’s where the adversary is really targeting.”
The above statements leave no doubt as to where they see their threat coming from and who the targets are.
The DoD recognises that SMEs are often the source of innovative new technologies and capabilities and are crucial to the ongoing U.S. Defence strategic advantage. However, the DoD also knows SMEs are more vulnerable to cyber-attacks than larger companies.
This is why the U.S. DoD is ramping up efforts to enforce and validate minimum cyber security standards across the defence industry, including their allies and partners (for the avoidance of doubt, this includes Australia). The upcoming Cybersecurity Maturity Model Certification (CMMC) is based on a more structured and prescribed implementation of existing information security frameworks (I won’t bore you with the specifics here), but with the ability for the DoD to specifically enforce and validate compliance.
This ability to mandate and verify compliance, with the requirement flowing down to subcontractors, is catching the Australian industry on the hop and it is obvious that much of the DIB is not as well protected well as they should be.
To this end, the Strategy explicitly calls out the information protection requirements; ”Department will also align DIB contract incentives with DoD cybersecurity requirements. Toward this end, the Department will continue implementation of the CMMC, which requires companies to certify compliance with information security standards in order to receive certain priority contracts.
It is critical to understand the the U.S. DoD intend for CMMC to be the “unifying standard for the implementation of cyber security across the DIB“.
The defence primes are educating their critical suppliers on the importance of their contracts and the upcoming requirements. The message to the contractors from the primes is loud and clear: uplifting their cyber posture is not an option; it’s mandatory.
The other message from the Primes is that a proactive cyber program may give their supply chain a competitive advantage over other companies seeking work on the same project, encouraging them to identify cyber as a business enabler rather than a cost. At a recent CMMC briefing, I held with Lockheed Martin, it was interesting to note that there was equal attendance by Business Development as there was I.T. and Cyber.
By participating in the CMMC program, Australian DIB SMEs can improve their cybersecurity posture and make themselves more attractive to DoD and Primes, making their procurement decisions easier in a global context.
To understand where Australia is at from a global competitiveness perspective, it is essential to be aware of what is happening in other countries. For example, the U.S. Defence cyber strategy states; “We will complement this program with other efforts to increase active defense measures and improve data protection across the DIB, such as provision of no-cost cybersecurity services to qualifying companies.“
There has been much talk about the close alignment between the Canadian DIB and the U.S. The Canadian government has recognised the need for alignment between their industries, including cybersecurity, and announced the Canadian Program for Cyber Security Certification (CPCSC).
CPCSC aligns directly with CMMC and intends to have reciprocal certification. So, Canadian defence contractors already have a head start with clear direction from the government.
Other allies are going down the same path, directly supporting SMEs to meet cyber external obligations imposed by their governments, defence contractors and the international threat environment.
KEY CHALLENGES FOR AUSTRALIAN DEFENCE SMEs
Implementing appropriate cyber hygiene and information protection controls for Australian Defence SMEs can be cost-prohibitive relative to the size of the contracts they are bidding for.
Many cyber solutions’ price structures need to align with the SMEs cost base and are disproportionate to the volume of information or systems they need to protect.
A key strategy to reduce costs is to reduce the scope of the environment that needs to be protected. Limiting your critical defence information to a secure enclave is simpler and more cost-effective to implement, sustain and report compliance.
This is why Secure State have partnered with proven defence security solutions, Vault Cloud and archTIS, to provide our clients with a secure environment that meets all defence industry security obligations.
Skills and cyber knowledge
The attraction of working with large system integrators and consulting firms and associated pay packets means it is difficult for SMEs to acquire I.T. and cyber staff with suitable cyber skills and experience to deal with sensitive defence information.
Engaging a specialist defence industry service provider enables you to meet all the security requirements with a team with specialist knowledge of the appropriate frameworks and experience to implement an operationally effective and efficient environment.
Secure State are a team of consultant and engineers with appropriate security clearances and, more importantly, extensive knowledge and experience working with defence SMEs experiencing rapid growth and providing innovative products to both the Australian and international markets. We design, deploy and sustain secure environments that facilitate this growth. We meet their clients’ growing expectations around information protection and cyber security and report against their appropriate security frameworks such as CMMC, ISO27001 and the ISM.
The 2023 U.S. DoD Cyber Strategy is essential for the Australian Defence Industrial Base to understand, particularly, small and medium-sized companies. Australian DIB SMEs need to reduce their risk of cyber-attack by nation-state adversaries and become more competitive in the global marketplace.