“The consequence is the erosion of the lethality of the joint force,” said Murphy, director of the Defense Department’s Protecting Critical Technology Task Force. “You cannot put a price on that.”
The task force’s beginnings date back about four years, when a nation stole technology after hacking into a company’s computer network, Murphy said. Which nation and what technology aren’t relevant — what is relevant is that DOD didn’t find out about the loss for over a year, he said.
The revelation that technology had been taken led to an investigation of how it happened, what the effects would be and how such a loss might be prevented in the future, Murphy said.
“We gave a series of recommendations, and a series of mitigation activities based on what we believe to have been stolen,” he said.
One recommendation based on the yearlong investigation was to stand up department-level oversight of the exfiltration by adversaries of DOD-controlled unclassified information from the defense industrial base networks, the general said. Later, he added, then-Defense Secretary James N. Mattis selected him to lead a new task force to focus on keeping the DOD and services from losing more technology and information to adversaries.
“The direction I was given was pretty clear: be bold, break glass, don’t accept the status quo,” he said.
That’s not how the Pentagon typically operates, Murphy said. “We tend to be more measured,” he said. “But I have a time-limited task force. I don’t have time to go slow and steady. And neither does our nation when it comes to losing our critical technology to China.”
Though the Protecting Critical Technology Task Force is small, the general said, he doesn’t need a large group to accomplish its goals over its expected two-to-three-year lifespan.
The task force operates along four lines of effort:
- Protecting the defense industrial base;
- Protecting the research and development enterprise, which includes academia, labs and universities;
- Using existing authorities such as export controls and the authority of the Committee on Foreign Investment in the United States through the Foreign Investment Risk Review Modernization Act of 2018 to keep U.S. technology from being purchased by adversaries; and
- Operationally responding.
One of the task force’s most critical jobs is to identify exactly what technology is most important to protect — what adversaries might want most and what would be most devastating if it were lost and to ensure those priorities are protected accordingly Murphy said.
“If you treat everything as if it’s most important, you protect nothing very well,” he said. “You have to make those tough choices.”
To help with that, he said, his task force is developing a methodology to prioritize the most important technologies, a task mandated by the 2019 National Defense Authorization Act.
“Most importantly, we are going to mandate protection measures against those programs and technologies based on the criticality; that is, where they are in the priority and tier,” he said, adding that the final list of critical technologies that must be protected, and the level of importance placed on each will be classified.
Murphy said some mistakenly believe the Protecting Critical Technology Task Force is only about cyber activities, but it’s not. “We are concerned with all means by which a competitor might get our technology, our information or our data,” he explained.
U.S. technology can fall into an adversary’s hands in many ways, Murphy said — some that are legal, and some that are not.
Hacking, or network infiltration, is just one example of how U.S. technology can be taken, Murphy said. For example, technology is also transferred when a foreign company buys an American company and gets all the technology the American company owns, he noted, including defense capabilities.
Another key avenue for loss is through the faculty members and students selected by universities to conduct DOD-funded research. Increasingly, the Department is finding that some of these faculty members and students, have undisclosed ties to a foreign government that is incentivizing them to transfer that know-how or technology out of the U.S. to a strategic competitors military. Many times, Murphy said, DOD has no way of knowing who those researchers are.
We need to increase awareness of the problem and create a culture in which securing technology is as ingrained as buckling a seat belt in a car.
Another step the task for is taking is elevating the importance of security in the requirements and the acquisition processes, ensuring it is considered alongside cost, schedule and performance.
“The Pentagon needs a vote as to whether or not a particular acquisition or merger has national security implications,” he said. “That’s what we do. We need to accelerate that. These things are happening every day.”
In addition, program security should be part of the criteria for evaluating program managers, the general said, and defense contractors’ ability to keep details about what they are working on out of adversaries’ hands must also be considered. That’s not currently the case, he said.
“I’m not sure that today a company’s security, or lack thereof, actually has any effect as to whether or not we do business with that company,” he added. “That needs to change.”
High cybersecurity standards also are important, Murphy said. Though they’re not perfect, he acknowledged, larger defense contractors tend to have stronger cybersecurity measures. “Smaller companies have a harder time and oftentimes can’t afford the cybersecurity that some of the bigger companies do,” he said. To address that, the task force has developed a series of pilot programs to help the smaller companies affordably improve their cybersecurity.
Meanwhile, the general said, larger companies must know how their subcontractors operate, how secure their networks are and who their employees are.
“Supply chain understanding is something that the task force is going to take on in a big way in its second year,” Murphy said. “I want to have total situational awareness and understanding of all the companies in our supply chains.”
Through its new Defense Industrial Base Cybersecurity Assessment Center, the Defense Contract Management Agency has begun evaluating the cybersecurity posture of some of the larger defense contractors, Murphy said. But that effort can’t be applied to every situation, he acknowledged. “It’s not scalable for a department organization to be assessing the entire industrial base,” he said.
With that in mind, DOD’s Acquisition and Sustainment Office came up with the “cybersecurity maturity model certification” concept, through which a third party would evaluate cybersecurity capabilities of large and small companies and rate them based on their performance. That rating would need to be at a certain level based on the criticality of the program for the company to be competitive for the associated contract.
Bottom line, technology theft puts the United States at a disadvantage in its strategic competition with China and Russia, the general said.
“In most competitions, there’s a winner and a loser,” he said. “I know what end we want to come out on. We are in a fight every day with our strategic competitors on our university campuses, in our businesses, in cyberspace. And the prize is military technological advantage. We need everyone in this business to smarten up and to have a shared belief of the threat, and a sense of urgency to correct the path that we are currently on.”
BY C. TODD LOPEZ
