Defense Firms Should Seize Cyber Initiative.

• Author: Smith, Christopher
• Position: NDIA Policy Points

* American business is under attack. The recent confession by social media giant Facebook that hackers breached nearly 50 million of its users' accounts, despite heavy investments in data and network security upgrades, reminds business and government observers of the significant cybersecurity risks menacing the private sector. In 2017 alone, U.S.-based organizations reported 1,579 data breaches, an increase of 44 percent from 2016.

The Trump administration's National Cyber Strategy, released in September, provides insight into how the federal government intends to respond to deteriorating conditions in cyberspace. While most press coverage of the report focuses on its muscular rhetoric toward foreign cyber threats, reducing cyber risk in the private sector drives much of its agenda.

As a result, industry should expect more government interest in civilian cybersecurity, specifically in the form of tougher regulations on data and digital systems management, more stringent cybersecurity requirements for federal contractors, and preemptive security assessments and investigations.

The strategy balances its costly regulatory agenda with economic policies that positively incentivize industry compliance and technology development. As frontline targets during an era of escalating cyber crime, defense industry firms should proactively rethink business strategies and operations through the lens of the strategy to reduce risks and to take advantage of emerging opportunities.

The strategy's agenda for reducing homeland cyber vulnerabilities directs government purchasing power toward incentivizing good corporate cyber hygiene. Echoing well-publicized administration concerns about cyber risk in the industrial base, it calls for leveraging the acquisition process to reduce federal supply chain risks by enforcing tougher cybersecurity requirements on contractors.

According to one agenda item, federal procurement officials would be authorized to ban vendors or products that fail supply chain risk assessments. As part of these assessments, officials will conduct stringent evaluations of defense contractors' data and systems security plans and practices using security tests, sensor-based monitoring, active threat hunting and routine emergency response to cyber incidents. The administration also proposes expanding Committee on Foreign Investment in the United States and Federal Communications Commission authority to examine and deny strategic investments by...