Eric Schmitt on Telecommunications Cyber Attacks and Federal Procurement Reforms

Cybersecurity Deficiencies in Federal Procurement

• ⚠️ Eric Schmitt highlights deficiencies in the Department of War's handling of post-assault cyber risks, particularly concerning the protection of communications from foreign espionage.
• 🔑 He questions the structural problems in federal procurement that allow these vulnerabilities to persist.

Reforming Federal Procurement for Better Cybersecurity

• 💰 The current federal procurement system is identified as an area where Congress and the executive branch can significantly improve cybersecurity.
• 🎯 By imposing cybersecurity requirements on companies seeking government contracts, the government can ensure systems meet federal standards.
• 🚀 An innovative, commercial approach to procurement is favored for faster integration of new technologies, emphasizing a balance to avoid overimposing cybersecurity burdens.

Minimum Cybersecurity Standards and Audits

• 📊 Companies selling to the federal government should be required to undergo security audits and demonstrate compliance with standards like the NIST Cybersecurity Framework to an independent third party.
• ✅ This approach can expedite the contracting process for smaller, faster companies while ensuring good cyber hygiene.

Limitations of Prescriptive Regulations and Checklists

• rearview mirror checklist-driven approaches have proven unsuccessful, as adversaries evolve daily.
• 💡 The NIST framework is highlighted for its flexibility and ability to withstand time, suggesting a better approach involves regular engagement with government partners on observed threats and mitigation strategies.

Hardware, Encryption, and Zero Trust Architecture

• 🛰️ SolarWinds highlighted deficiencies in outdated hardware, prompting efforts to update systems and improve satellite security, including enabling encryption.
• ❓ There's a surprise and need for further discussion on limitations preventing broad encryption use on satellites, with links often left unencrypted.
• 🧩 The adoption of a zero trust architecture across the satellite industry appears incomplete, potentially due to a misunderstanding of security responsibilities.