31 December 2018

How the new acting Pentagon chief views cybersecurity

By: Justin Lynch  

President Donald Trump announced in a Dec. 23 tweet that Patrick Shanahan will become acting secretary of defense Jan. 1, replacing outgoing Pentagon chief Jim Mattis two months early. While it is not clear how long Shanahan will remain in the job, he is on the short list of officials who could become the full-time Pentagon chief.

Regardless of the length of his tenure, Shanahan, the Pentagon deputy since 2017, has been one of the Pentagon’s top advocates for stronger contractor cybersecurity and IT acquisition and will lead the department months after it was given expansive and loosely defined authorities to conduct offensive cyber operations.

How Shanahan will handle these greater cyber authorities, even on a temporary basis, remains an open question that will be tested immediately amid evolving challenges, such as an alleged hacking campaign from China.

Unclear views on cyber operations

In August, the secretary of defense was given the ability to conduct offensive cyber operations without informing the president as long as it does not interfere with the “national interest” of the United States, four current and former White House and intelligence officials have told Fifth Domain.

A Pentagon official told Fifth Domain that while there is a general outline of what specific operations may affect the American “national interest,” some details are not explicitly defined.

And a review of his public remarks show that Shanahan has not made significant comments about how America should conduct offensive cyber operations. He has shiedaway from giving detailed responses about U.S. Cyber Command.

“There are two new war-fighting domains, cyber and space, for which we are developing doctrine and capabilities,” Shanahan said Sept. 19.

A spokesperson for Shanahan did not respond to questions from Fifth Domain.

Focus on defense contractors

As deputy, Shanahan has focused on “re-wiring” the Pentagon. He has called good cybersecurity “foundational” to working with the department.

“Cybersecurity is, you know, probably going to be what we call the ‘fourth critical measurement.’ We’ve got quality, cost, schedule, but security is one of those measures that we need to hold people accountable for,” Shanahan said Sept. 19 during an Air Force Association conference.

Shanahan’s focus on contractor cybersecurity comes as China is believed to be targeting defense contractors, particularly those on the lower end of the supply chain, in an attempt to steal sensitive American secrets, according to intelligence officials and industry executives.

Shanahan, however, has placed responsibility among the top defense firms.

“I’m a real strong believer that the Tier 1 and Tier 2 leadership has a responsibility to manage the supply chain,” Shanahan said in the Sept. 19 speech.

In October, Shanahan was put in charge of a new Pentagon task force to combat data exfiltration that focuses in part on these defense firms.

“Together with our partners in industry, we will use every tool at our disposal to end the loss of intellectual property, technology and data critical to our national security,” Shanahan told Fifth Domain in October.

A specific area of focus inside the department is finding out which companies are in the Pentagon’s supply chain, according to officials involved in the process, but it is not clear if it is specifically part of Shanahan’s task force.

Inside the Pentagon, Shanahan has also emphasized the need for smarter IT acquisition.

In an October. interview with Fifth Domain, Shanahan expressed frustration with the Pentagon’s procurement process, but said to expect “a number of things that are foundational to being able to achieve enterprise solutions.”

He hinted that those changes are focused on the “right platforms and the right level of integration” that can support high-end computing and artificial intelligence.

“I’m super frustrated that we can’t go faster on like basic things like the cloud,” Shanahan said. “Most of everything we do is software-driven.”

Aaron Mehta contributed to this report.

No comments: