By C. Todd Lopez
WASHINGTON (April 24, 2019) -- Adversaries shouldn't already have read the manual on a new U.S. gun before the first soldier has had a chance to fire one, the Defense Security Service's director of counterintelligence said here today.
"We are in a very highly contested environment, with our opponents quite successfully taking our stuff," William Stephens said at a forum on supply chain security and software at the Center for Strategic and International Studies, noting that U.S. intelligence analysts and other sources support that assessment.
Stephens spoke on the importance of delivering and how to deliver "uncompromised" technology and capability to the warfighter.
What that means in practical terms is that when new technology arrives in warfighters' hands, the only people who should know how it works, what it does and what its limits and capabilities are include the defense contractor that built it, the military service that paid for it, and the service member who's going to use it.
Techniques adversaries use to figure out new U.S. technology before soldiers or airmen get a chance to use it vary greatly, he said, but include such things as exploitation of relationships in the technology community -- such as at conferences and trade shows -- as well as email and mail, surveillance, exploitation of cyber operations, exports or supply chains, and even insider access and outright theft.
Americans pay for a lot of technology to support the warfighter, Stephens said, and when that technology is compromised before the warfighter is able to use it, Americans lose out on their investment. But the biggest threat from compromised technology, he added, is to warfighters themselves.
Some nations, Stephens said, are "exceedingly well-focused on coming after American technology, and that's got to stop."
Delivering Uncompromised Technology
How can the Defense Department improve upon its ability to deliver uncompromised technology to warfighters? Stephens said that might include telling program managers at the beginning of a program they need to deliver a technology uncompromised. That directive is passed down to a prime contractor who will develop the technology. The contractor must operate at a "certain state of care," and that certain state of care, which could be established "legally as a definition."
If a company is operating at that state of care, Stephens said, it can achieve "safe harbor" status, which protects it from litigation. While it will never be 100 percent possible to prevent adversaries from taking U.S. technology, contractors will be able to show they are doing their best to protect technology development from compromise. "They aren't expected to be magic, but they are expected to operate with a significant capability," he said.
If technology is compromised and a company is determined to be responsible for the loss, it may have safe harbor if it had been operating at the legally defined "appropriate state of care," Stephens explained. If the company was not operating at the appropriate state of care, then it may be exposed to litigation and Americans can get back some of their investment.
Stephens said it's possible that insurance markets might grow up around this concept, where companies that are good at establishing and maintaining that state of care will pay lower premiums than those that aren't.
The extensive security needed to provide uncompromised technology is expensive, Stephens acknowledged, and he suggested that small businesses that want to provide technology to the military might be offered tax breaks or low-interest or no-interest loans to help.