NoVA native @taosecurity tweeted an interesting article earlier today about new legislation that could affect the security reporting requirements of defense contractors. The legislation, introduced by Sen. Carl Levin as an amendment to the defense budget, would require them to disclose to the Pentagon when they’ve fallen prey to spies and malicious hackers. A lot of government data lives on contractor networks, so a breach of those networks can leak that data as surely as a breach of a government system would.
Defense contractors may try to fight the amendment, but to a certain extent they already have to disclose this information as part of their contract requirements. Of course, the best part of the article was the final quote from @taosecurity, who noted that “It’s just good customer service” to notify people when there’s a breach involving their data.
In 2009, it came to light that hackers had successfully broken into the most expensive Pentagon weapons program of all time, the F-35 fighter jet, by gaining access to computers allegedly belonging to the defense contractor BAE Systems (the contractor part came out later). There had “never been anything like it,” one unnamed official told the Wall Street Journal. The intruders were later confirmed to be Chinese spies, and lo and behold, in 2012 China rolled out a stealth fighter that looked suspiciously like the F-35. Was it a coincidence?
It took several years for all of the details of the F-35 breach to be unearthed. (The first hack took place in 2007, wasn’t publicly reported until 2009, and BAE Systems’ alleged role didn’t come out until 2012.) But a new amendment to the defense budget, introduced by Sen. Carl Levin (D-Mich.), would prevent contractors from withholding the fact that they’ve been hacked. The amendment would require defense contractors to report to the Pentagon when spies and hackers successfully scale their firewalls. And the contractors don’t appear to be happy about it.
Some of the contractors’ grievances were aired in Politico on Monday. Trey Hodgkins, a senior vice president at TechAmerica, a trade association, said that contractors are already participating in a voluntary information-sharing program, and they “are likely to fight the change.”
Do you think defense contractors should be required to disclose when they have been hacked? Post your comments below. Today’s post pic is from Executive.gov.