Before you uncork the champagne to celebrate winning that big Government contract you might want to stop and think for a moment. Would your information technology systems and security infrastructure be able to stand up to a hostile, advanced hacking campaign aimed at gaining access to your newest project? Are you one contract away from becoming a target?
Almost two decades inside the Beltway has shown me that few contracting companies, both big and small, are prepared to defend against an advanced campaign to gain access to sensitive information. Security is a very costly addition to any project and in an environment of shrinking budgets it is not something people necessarily want to focus on when trying to do more with less. It is precisely when budgets shrink that security deserves more attention, not less.
Security requirements are sometimes included in Government contracts but there is little, if any, way for the customer to gain assurance that their contractor is protecting the data with which they are entrusted.
It is prohibitively expensive for the contractor to run a truly secure shop, and even more so for the Government to send out compliance teams to make sure that contractors around the country are following the rules and performing the work securely.
How can the Government know whether the new application their contractor built, containing millions of lines of code, is clean of any backdoors? If the application was not developed in a highly secure environment with multiple controls in place, and subjected to review by an experienced, independent code reviewer, then the customer has no way of knowing whether it is clean or not.
Healthcare.gov was developed by a team of companies, the most infamous of which was CGI Federal. Without even reading the contract and subcontracts, we already know that the companies involved had vastly different security policies and that there was at least one weak link, if not several. Some of the software was written in at least one foreign country, Belarus. One estimate puts the total lines of code for Healthcare.gov at over 500 million. Now there is a hunt for malicious code that may have been inserted into one or more of those 500 million lines and that has potentially compromised the health data of millions of Americans.
Federal contractors are so geared toward winning new business that they rarely give any thought to delivery. The Healthcare.gov project is a perfect example of the failure of contractors to understand that it was a high-profile project that would be the target of multiple threats. It required significant thought on how it would be developed and implemented securely. The customer, in this case the U.S. Government, also bears the burden of laying out its security requirements in the contract. Undoubtedly, when they were awarded the contract, none of the contractors thought they would become the target of an international hacking campaign during development, or that some of their own team members would insert malicious code into the software.
Any company is a potential target if their customers have anything that may be of value. The seemingly insignificant contract to build a small Java application for Bank XYZ’s employee benefits server could become the backdoor for a foreign-based, multi-million dollar heist that puts the bank out of business next year. An impartial assessment of your customer base and security posture will most likely reveal the risky combination of value and weakness.
Today the Government outsources a significant amount of work to private contractors. This is especially true of information technology work due to the high cost of information technology professionals. Yet if not procured, implemented, and managed securely, information technology is an Achilles heel for any organization. Whether or not security requirements are clearly stated in the contract, federal contractors should ensure that they pay attention to supply chain security, implement security best practices and controls in their work, and protect government information.
By Dan Emory. Dan Emory leads the Cyber Security practice at TKC Global and is a guest columnist at CEOWORLD Magazine; this article reflects his personal viewpoints and in no way reflects those of CEOWORLD Magazine Networks. Follow Dan Emory on LinkedIn.