A powerful theme of defence industry conversations around the world is the increasing criticality of cyber security.
It is a focus for governments who worry that capability returns on their investment in the development of new technology may be quickly stolen by adversaries. If hackers can steal technology from industry (or through weak links in industry’s supply chain) as is already well proven, then the advantage delivered by defence investment in next generation systems is disincentivised.
This also threatens defence industry’s business model, especially over the long term, since industry depends on the development of next generation weapon systems to sustain its design capabilities and retain and grow market share (and profit) as existing systems age to obsolescence. It is little surprise then that there is growing consensus on improving cyber security among defence industry observers, but it is much less clear how this objective is best accomplished in both the short and longer term.
Cybersecurity Maturity Model Certification (CMMC)
In the United States, a fast-moving policy initiative has emerged to establish an industry certification regime, known as the Cybersecurity Maturity Model Certification (CMMC).
CMMC establishes a system of third-party certification of escalating levels of cybersecurity maturity that will be required to be eligible to compete for US defence contracts and subcontracts beginning later this year. There is consensus around the need for increased cybersecurity protection, including more robust requirements for the higher tiers of defence industry which handle the most sensitive data, as well as a general recognition that third-party certification is preferred to the self-certification which happens today under existing standards from the National Institute of Standards and Technology.
However, the consensus breaks down pretty quickly after these two general points are conceded. As a result, CMMC implementation has been slowed, limiting this year’s implementation to a few pathfinders.
Since the third-party certification system is still just being established, to be overseen through an unusual volunteer accreditation board, there are substantial open questions:
- How much these certifications will cost?
- What happens when a firm feels it has been unjustly denied certification?
- How will firms that don’t have existing defence contracts will be able to recover the costs of achieving the certification required to compete for future contracts?
It is a safe bet that these issues will be thoroughly litigated in the halls of the Pentagon and industry planning sessions as well as in the courts before clear answers to these questions emerge.
In the meantime, though, industry is motivated to prepare to achieve accreditation and defence leadership is reassured enough to budget increased investment in technology which stands as a form of initial success for CMMC.
CMMC Staying Relevant
However, it is already clear that CMMC is likely to be a stopgap measure that may succeed in bandaging a gaping wound temporarily, but that is likely to lose effectiveness over time.
In a world where the internet of things is proliferating rapidly and the quantity of information requiring protection is growing exponentially, the certification levels outlined in CMMC will need to be adjusted frequently to ensure they stay relevant to the threat. As digital thread becomes increasingly prevalent in defence supply chains, the number of firms requiring more challenging, higher level certification, will also grow rapidly.
It is possible that CMMC could quickly become as overburdened, and potentially ineffective, as the security clearance process for industry personnel has been.
AI the solution?
It is at this point of information overload that artificial intelligence (AI) may serve to provide a part of the answer. Rather than employing human reviewers to assess cyber hygiene practices, AI algorithms can be used to assess actual vulnerabilities in industry networks and to identify points of entry and other problems that require correction in real time.
As the volume of data and networks requiring accreditation grow, AI can help manage the increasing volume and complexity of cyber data. DoD may be uniquely qualified to help industry develop AI tools for this purpose through its investment in artificial intelligence development and its Joint AI Center.
Ultimately cybersecurity protection of defence industry will work best if it leverages cybersecurity best practices emerging in the broader economy to the maximum extent possible. It will be highly concerning, in the alternative, if CMMC becomes a substantial barrier to entry into defence supply chains for non-traditional and commercial suppliers.
Ironically, for CMMC, success may mean that it turns into just another bureaucratic box to check that doesn’t meaningfully distinguish become companies competing for government contracts because cybersecurity has become simply part of the bottom line for industry. Government will need to continue the broad engagement with industry on cybersecurity even as nascent systems like CMMC come fully online.