Members of the Senate Armed Services Committee (SASC) expressed concern during a March 5 hearing over the cybersecurity of U.S. Transportation Command’s industry partners.
Sen. Angus King (I-Maine) asked new TRANSCOM Commander Army Gen. Stephen Lyons to consider performing “red team” exercises to identify security flaws in the systems of the command’s transportation and logistics partners.
“I would urge you to consider that as an option. … It has a way of waking people up when a skull and crossbones appears on the CEO’s computer,” King said.
Sen. Marsha Blackburn (R-Tenn.) referred to a 2014 Senate probe that found that Chinese hackers had successfully infiltrated U.S. Transportation Command’s networks about 20 times.
Lyons, who assumed responsibility of U.S. Transportation Command in August 2018, said the cyber resiliency of its private sector partners is “a significant challenge.”
“I would admit to you, if an advanced persistent threat actor were on their systems today, it would be problematic,” he said. TRANSCOM is working with its industry partners to improve their cybersecurity processes, including requiring self-assessments, fine-tuning contractual language and ensuring compliance with National Institute of Standards and Technology (NIST) standards, Lyons added.
The Pentagon is working to build a better process for certifying industry partners for cyber compliance by the end of 2019, the department’s assistant secretary of defense for acquisition, Kevin Fahey, said last month at a National Defense Industrial Association event in Washington, D.C. (Defense Daily, Feb. 13). The plans currently include a cyber “scorecard” to rate companies on their successful compliance and eventually develop a credit score-like system to indicate a supplier’s level of cyber readiness related to DoD standards, he said at the time.