Learning from COVID-19 as a Contested Environment

What does it take to be a champion of cybersecurity for the Defense Industrial Base that can be relied on when allies face a contested environment? COVID-19 created a test case with important answers to that question because the pandemic itself has acted as a global adversary. This case analysis will show how COVID-19 represents a challenging reality for the US supplier base during an international crisis and how the pandemic serves as a wake-up call on two related issues:

• COVID-19 exposed how much more progress the Defense Industrial Base needs to make for mobilization of any kind
• The wake-up call is even louder in the case of readiness for a cyber incident because its onset can be so sudden, systemic, and geographically widespread

In this case, COVID-19, as an adversary, drove a kind of nationwide and international shutdown of the Defense Industrial Base that, to date, has been prevented through the dedication and innovation of the Department of Defense (DOD) and its supplier community. Despite those heroics, every supplier can tell a story of how we could and need to do better in the future.

What follows is a case analysis of the experience for one of those suppliers, which illustrates the overall point that COVID-19 has exposed less Defense Industrial Base readiness than we need in three areas:

1. Collaboration infrastructure
2. Shared contingency plans
3. Checklists of specific actions within those plans

Take the example of DIB-Co.* Like 99% of the Defense Industrial Base members, DIB-Co only covers a small part of the Defense ecosystem. However, for any partner connected with that sector that depends on DIB-Co’s commitment to excellence, DIB-Co plays an indispensable role.

In DIB-Co’s case, no official communication across the US Defense Industrial Base had been made to identify which companies qualified as “essential” once shutdowns began in early March 2020. DIB-Co only knew to stay open because emails came in from customers who were themselves sub-suppliers. These larger firms had the benefit of staff and systems to double-check that DIB-Co would be maintaining operations as a sub-supplier since customers considered DIB-Co “essential.” For all those organizations that lack the staff to coordinate communication among their sub-suppliers like DIB-Co, the status quo leaves a breakdown in needed collaboration.

While unofficial customer dependencies turned out to be key for DIB-Co’s staying open, DIB-Co’s neighbor was not so lucky. That factory also manufactured industrial products that could be considered essential. However, this factory next door never received any requests or notifications that gave them the confidence to keep employees on the job. As a result, all of the employees at the neighboring factory were laid off based on that breakdown in official information sharing and collaboration. By the time anyone there recognized their essential status, employees were already on unemployment, so the process of calling them back was much more complicated.

In contrast, DIB-Co not only kept its workers employed but volunteered alongside its local chamber of commerce and the surrounding community to help support frontline services. DIB-Co retooled their operations to support COVID-19 response to customer needs and evaluated whether the firm could retool and produce ventilator parts as an emergency contractor. DIB-Co was struck that the authorities making the emergency request did not offer sufficient specifications to enable DIB-Co to determine whether the fit would be right based on the company’s current machining capacity. Ultimately, DIB-Co concluded that the tolerances needed for the ventilator parts required more reconfiguration of DIB-Co’s machining centers than would make sense…unless a case was made that no one could meet the requirement except DIB-Co.

DIB-Co’s CEO believes that the decision not to participate might have had a different outcome if DIB-Co received more coordinated and precise information combined with shared visibility of available resources.

In short, collaboration in response to any incident requires secure exchanges distributed across the relevant supply chain partners. Today, China’s government and a small number of nationwide industry partners use top-down alignment to accomplish this coordination. The country’s Belt and Road strategy takes that approach to global supply chain coordination as well. This government-driven approach would not fit the US environment, but some more distributed capacity exchange would work.

According to the DIB-Co’s President:

“We’ve responded to COVID-19, but we can do even more in the future if we work smarter together. We shouldn’t wait, as a company or as a country, for the next emergency to talk about the essential products and services we can already predict the country will need. For example, why don’t all of us as local machining companies understand our capacities ahead of time for making essential products for predictable scenarios? That way we would be able to better leverage our capabilities here in the US during a crisis when it’s hard to be dependent on faraway suppliers.“ — DIB-Co President

DOD has discussed this notion of a capacity exchange as a goal since the end of World War II, and it has been a best practice for the private sector since the late 1990s. Any company or country puts itself at risk by falling behind in the ability to leverage Networked AI and Big Data-driven cybersecure trade exchanges. In turn, success for DIB-Co and the entire Defense Industrial Base depends on effective joint mobilization and innovation among customers, suppliers, Research and Development, educational institutions, trade/professional associations, and other partners.

The effectiveness and efficiency of that mobilization drives the outcomes that America needs: a stronger US Defense for immediate and emerging threats, an innovative Defense Industrial Base, and a resilient economy. To date, the US still lacks the fully engaged, nationwide movement to upskill the Defense Industrial Base for cybersecure collaboration and capacity exchanges. Major General Thomas Murphy, who leads the DOD Task Force that sparked the creation of Cybersecurity Maturity Model Certification (CMMC), calls this a whole-of-nation strategy as opposed to a whole-of-government strategy.

Key Takeaways

1. Contested Environments. COVID-19 exposed basic holes in Defense Industrial Base cybersecure supply chain operations that will be instructive in all contested environments.
2. Private Sector-driven Mobilization. Successful cybersecurity improvement across America’s Defense Industrial Base requires a national movement for cybersecure commercial efficiency and effectiveness. DOD mandates can accelerate that mobilization but cannot lead it.
3. Capacity Exchange Preparedness. The coordination of cybersecure capacity exchanges are common sense but not yet common practice

By Ted Rybeck, Chair, Benchmarking Partners, & Chair, NDTA Cybersecurity Best Practices Committee