ENCRYPTION: WHAT IS A DEFENSE CONTRACTOR'S ROLE IN A CYBER WORLD?

• Author: Basso, Brandon M.

1. Introduction

   Before the twenty-first century, warfare consisted more of artillery than computer network attacks, (1) yet, the increase in both terrorist activity and number of cyber warriors prompted Congress to introduce legislation to address the evolving cyber threat. (2) In 2002, the implementation of the SAFETY Act started the production of high technology defense equipment geared more for cyber warfare than artillery warfare. (3) The word 'SAFETY' is an acronym for 'Support Anti-Terrorism by Fostering Effective Technologies'. (4) Furthermore, the act awarded liability protection to defense contractors ("contractors") to manufacture defense equipment after a "certified" terrorist event happened. (5)

   With increased terrorist activity, the SAFETY Act introduced a new type of equipment used for protecting American lives during a vulnerable time. (6) Additionally, limiting contractor liability encourages more contractors to develop cyber products that would prevent terrorist attacks, including cyber-attacks. (7) Moreover, after the equipment was built, it was readily available for the Department of Defense to deploy into anti-terrorism missions. (8)

   The Secretary of Defense has authority to target rogue actors who launch cyber-attacks against the U.S. Government. (9) Additionally, other Federal agencies such as the National Security Agency (NSA) have authority to approve or disapprove the cyber equipment that assists military personnel on deployment. (10) Further, President Obama specifically referenced encryption equipment as a means to handle cyber threats in the National Defense Authorization Act (NDAA). (11)

   One particular type of equipment with 'Tactical Local Area Network Encryption' (TACLANE) capability is the TACLANE en-cryptor, sold by the contractor General Dynamics, which can both ward off attacks and serve as a private highway for classified information. (12) The TACLANE encryptor is a piece of hardware embedded with computer software that protects highly sensitive data and seals classified communication. (13) Moreover, TACLANE is an essential part of the Army's WIN-T program which has its own line item in the NDAA. (14) Further, while building such equipment, contractors must comply with federal regulations that prevent them from discussing or disclosing proprietary information about encryption equipment and programs such as WIN-T. (15)

   First, this Note will establish how cyber warfare has influenced contractors to build more encryption equipment in the twenty first century. (16) Second, this Note will explore how lawmakers and government agencies were prompted to implement legislation and impose regulations geared towards cyber security and terrorist threats. (17) Third, this Note will take the language from such legislation and federal acquisition regulations and explain how contractors must comply. (18) Fourth, this Note will explore how such regulations and agency demands affect the contractor while they build such equipment. (19) Finally, this Note will highlight the actual equipment used, its functionality, and the competition between contractors to build the best high technology military equipment for our military. (20)

2. History

   The evolution of warfare from artillery to cyber is challenging for law makers and federal agencies to handle because cyberwar is an unfamiliar threat. (21) Further, military conflicts previously involved physical force and imposing one's armed forces against the enemy (22), rather than imposing sophisticated technology attacks on the enemy's computer network. (23) Additionally, it is challenging for a targeted entity of a cyber-attack to identify who launched or directed the attack, if it is a cyber-attack, or whether the cyber situation is just a network malfunction. (24) Moreover, the targeted entity may be delayed in recognizing that it was a victim of cyber warfare. (25)

   Despite the complexity of a cyber-attack, the SAFETY Act prompted contractors to build equipment and provide services so subjected entities could withstand attacks. (26) The role of the SAFETY Act is to "provide important legal liability protections for providers of Qualified Anti-Terrorism Technologies - whether they are products or services and encourage the development and deployment of effective anti-terrorism products and services by providing liability protections." (27) Additionally, the newly manufactured 'Anti-Terrorism Technology' has made the U.S. military even more formidable than it was before. (28) Yet, cyber warfare is the exact opposite of warfare used during the American Revolution, where the opposition lined up across from one another engaged their artillery. (29)

   A cyber-attack is defined as, "the use of deliberate actions--perhaps over an extended period of time--to alter, disrupt, deceive, degrade, or destroy adversary computer systems or networks or the information and/or programs resident in or transiting these systems or networks". (30) To deal with such attacks, the SAFEY Act prompted contractors to build equipment that would protect targeted networks from being harmed. (31) Yet, the SAFETY Act is a subsidiary to the 'Homeland Security Act of 2002,' which was first enacted to analyze cyber security-risk situations and the types of 'critical infrastructure' that would be attacked from cyber warriors. (32) After the Homeland Security act analyzed and identified the type of networks vulnerable to attacks, the SAFETY act approved the type of technology necessary to protect such networks. (33) Thus, commencement of the manufacturing of high technology defense equipment started because of these two pieces of legislation. (34)

   A popular practice exercised by vulnerable companies with big data is encryption, specifically, hardware encryption that protects company data at rest. (35) Moreover, encryption is gaining popularity because modern warfare consists of hostile computer attacks directed at an adversary's computer network with large amounts of data. (36) Therefore, military customers ("customer(s)") use a specific type of a hardware encryption device known as the TACLANE encryptor, built by the contractor, General Dynamics Mission Systems, Inc., which is hardware equipment built with an incorporated software code to encrypt data. (37) The demand for hardware encryptors has increased, and TACLANE encryptors "provide high-speed interoperable solutions to protect company networks and information against evolving cyber threats." (38) However, those who build such encryptors must comply The FAR is a set of regulations that dictate how contractors write their contracts, build equipment, share data, impose liability, provide cost and pricing data, and bid on solicitations. (40) For example, a prime contractor, as an entity, is responsible for attaching pertinent FAR clauses in a contract with a customer, or with a sub-contractor working for the prime contractor to develop a product. (41) Further, attaching FAR clauses to contracts is an attempt to shield both parties from liability by showing that both the buyer and the seller are in compliance with the FAR. (42)

   There are many types of FAR clauses that contractors need to comply with during performance of a contract. (43) But, one of many clauses used for cyber security purposes is FAR clause 52.204-21 which states that, "[t]he Contractor shall apply the following basic safeguarding requirements and procedures to protect covered contractor information systems," and then lists the necessary safeguarding procedures. (44) Additionally, the Department of Defense implemented DFAR 252.204-7012 (45) which states that, "[if] the Contractor discovers a cyber-incident that affects a covered contractor information system or the covered defense information residing therein, or that affects the contractor's ability to perform the requirements of the contract the Contractor shall," and then lists the methods by which the contractor must report the cyber incidents. (46) Moreover, during performance of a contract, it is likely that proprietary information will be exchanged between a contractor and a customer. (47) Thus, clause FAR 252.227-7013 enforces ownership rights of shared proprietary data, even if disclosed to a customer solely for contract purposes. (48) Moreover, TACLANE encryptors are mainly used to protect the data referenced in FAR 252.227-7013 because such specialized data separates contractors from others, and if disclosed, will result in a contractor losing its competitive edge over another contractor. (49)

   In addition to TACLANE, another military program used by Army customers is titled the War Fighter Information Network Tactical (WIN-T). (50) WIN-T is an Army telecommunications system that consists of satellites transported by Humvees, unmanned aerial vehicles, 'manpack' radios, ruggedized computers, tactical relay towers, and TACLANE encryptors that ultimately enable soldiers to communicate faster and more effectively with each other during contingency operations. (51) More importantly, WIN-T contains a cyber-capability that effectively encrypts soldier communication and allows personnel at command posts (connected to the network) to 'drill down' into the weeds of the network and hunt for adversaries who try to penetrate the soldier's communication. (52) Yet, with such an advanced system comes more regulations for contractors to comply with and ensure that there is no disclosure of classified technical data or software codes while building cyber systems. (53) For example, contractors that build

   WIN-T comply with DFAR clause 252.239-7016 which is titled, 'Telecommunications Security Equipment, Devices, Techniques, and Services,' (54) and was written to regulate contractor telecommunication systems which are defined as:

   voice, record, and data communications, including management information systems and local data networks that connect to external transmission media, when employed by Government agencies...