On May 7, the nation received a sobering reminder of the threat cyberattacks pose to our communities, when a ransomware attack disrupted the operations of Colonial Pipeline — a fuel-transportation conduit that runs like an artery through the East Coast, supplying almost half of the fuel consumed there.
While the attack may seem remote to residents of Hawaii, its impact should cause reverberations that reach the islands’ shores, triggering increased vigilance by those who operate in industries that are known targets of cyberattacks. One such industry is the vast network of contractors and subcontractors who perform services for the Department of Defense (DoD) in Hawaii.
Home to Indo-Pacific Command, a National Security Agency cryptologic center, and more than 70,000 uniformed personnel and DoD civilians, Hawaii unquestionably punches above its weight in the national defense arena. It’s no secret that the military footprint in Hawaii brings thousands of jobs and billions of dollars to the state. For example, DoD data for the federal government’s fiscal year 2019 indicates that Hawaii’s economy relied more heavily on defense spending than any state in the country other than Alabama, and defense- contract spending in Hawaii during fiscal year 2019 was approximately $2.5 billion.
But, as the old adage goes, to whom much is given, much is expected. Along with billions of dollars in defense contracts comes the important legal obligation — and, we would argue, patriotic duty — for defense contractors in Hawaii to safeguard computer systems through robust and federally-compliant cybersecurity practices. Such practices are critical, because cyberattacks that target companies providing important goods and services to the military can disrupt military readiness in the short run, or worse, erode American military superiority in the long run.
Unfortunately, the concern that those who seek to harm our nation’s security will attempt to attack defense contractors’ computer systems is not an academic one. On Dec. 14, 2018, The Wall Street Journal reported that Chinese hackers were “breaching Navy contractors to steal everything from ship-maintenance data to missile plans, … triggering a top-to-bottom review of [the Navy’s] cyber vulnerabilities.”
A 2019 report to the secretary of the Navy, entitled “Cybersecurity Readiness Review” stated that “[k]ey [Defense Industrial Base] companies, primes, and their suppliers, have been breached and their IP stolen and exploited.” These reports underscore the important role defense contractors serve in protecting computer systems that contribute to our nation’s security.
A critical step many defense contractors and subcontractors must take to build their cybersecurity infrastructure is satisfying the requirements set forth in an interim rule issued by the DoD late last year. The rule requires many defense contractors to undertake a self-assessment of their cybersecurity infrastructure and submit results to a DoD website before entering new contracts with the DoD. The rule also implements a phased rollout of the Cybersecurity Maturity Model Certification framework — a system that will, over time, require many defense contractors to obtain a third party’s certification that the contractors’ cybersecurity processes and practices achieve an appropriate maturity level.
These requirements establish an important “floor” — i.e., minimal level — of cybersecurity infrastructure, but defense contractors should aim much higher. Protecting computer systems from cyberattacks should be an ongoing process that involves identifying vulnerabilities and proactively developing solutions necessary to mitigate the risk that malicious actors will exploit them.
As threats to these systems emerge and evolve, defense contractors in Hawaii must do their part to continue the state’s longstanding tradition of supporting the military in word and deed. Companies in a state that gave so much in defense of the nation in times past must protect the homeland today through strong cybersecurity practices. Doing so will strengthen the local economy and, more importantly, protect the technological advancements that contribute so much to our nation’s security.
Kenji Price is a partner at McDermott Will & Emery, based in Washington, D.C. He previously served as the United States Attorney for the District of Hawaii. Michael Stanek is a partner at McDermott Will & Emery. He previously served as counsel to Hawaii U.S. Sen. Mazie Hirono.
