The Defense Department wants to help its partner contractors, large and small, become better at their own cybersecurity efforts, the deputy assistant secretary of defense for cyber policy said yesterday.
"We definitely want to make sure that size is not an obstacle to working with the Defense Department," Mieke Eoyang said at the Defense One Tech Summit. "And we are trying to figure out how to make it easier for [contractors] to understand what kinds of better security practices are out there and what they can do to protect themselves."
Eoyang said U.S. adversaries are very much aware that DOD relies on innovation, but she added that DOD doesn't look only at large contractors when seeking a technological edge. It's also important for contractors to adopt best practices in cybersecurity — such as turning on multi-factor authentication, using cloud migration or working with cybersecurity companies — to enhance their own security, she said.
DOD participates in whole-of-government activities to target and disrupt ransomware, the deputy assistant secretary said, adding that the department is willing to work through its intelligence and law enforcement partners to provide insights to disrupt such threats.
Speaking of protection in cybersecurity, Eoyang said it's vital for industry to think about it from the perspective of resilience.
"Companies need to be prepared for the possibility that it could happen to them," Eoyang said. "They need to improve their security, make themselves harder targets, but also really think about continuity of operations, so if, or when, they get hit, they know how to keep moving and how to work around the problem. But I don't think that we want to be in a position where people are turning to the Department of Defense to try and stop every single criminal gang out there …. We have to be able to focus on those nation state adversaries, and we do focus on that. But in the meantime, people also need to focus on improving their own resilience, being harder targets."
DOD is resilient and mature in its cybersecurity practices, the deputy assistant secretary said. "I think it's very clear from the president on down … and other countries should make no mistake about the seriousness with which the United States treats this problem and our interest in being able to get after malicious actors."
DOD has been working directly with industry, through U.S. Cyber Command and other entities, to help contractors identify potential malicious activity on their networks, she said. "And there are other things we can do to help people — [such as] when we identify malware, we can post it out there for the world to see — so that they can take that into consideration as part of their efforts to secure their own systems."
As DOD considers how to bolster its allies, security cooperation is a big factor, Eoyang said. "What I've seen so far is that one of the No. 1 requests to the combatant commanders for security cooperation assistance is in the area of cybersecurity. But we do not have the clarity of offerings that the private sector could provide under security cooperation funds to our partners and allies, so I would encourage industry to work with us so that we have a better understanding of what might be available, what they might be able to provide through security cooperation, to help shore up the cybersecurity of our partners and allies. And [our] door's always open to talk about that."