WASHINGTON -- Brad Mihlfried's employer, Butler County-based Xper Inc., has long supplied the U.S. military and its prime contractors with transparent armor for tactical vehicles.
"Some people call it bulletproof glass," he said, but "we always say that nothing's bulletproof."
Mihlfried, the company's director of information technology, has been racing to cultivate a different kind of armor as cyberattacks have stolen customer data, compromised government systems and disrupted gasoline supplies and grocery store meat aisles.
Just as the company strives toward bulletproof products, Mihlfried is trying to shore up its cyberdefenses to comply with new U.S. Defense Department regulations -- or risk losing access to military contracts.
"I'd say, within the past four to five years, it's gone from 0 to 100 miles an hour," Mihlfried said. While the company met the department's initial 2017 cybersecurity standards, "now it's like, you need to prove it."
The company is among many government contractors, corporate giants and mom-and-pop shops all wading into new technological territory to fortify their systems.
As they largely go it alone, U.S. officials in Washington are facing rising pressure to provide more support to private-sector companies that stand vulnerable to attacks that would disrupt energy, transportation, manufacturing and other key sectors that President Joe Biden wants to grow anew in the wake of the covid-19 pandemic.
In May, after the Colonial Pipeline hack that temporarily shut down fuel supplies to the East Coast, Biden ordered a review of ransomware threats.
The review is studying ways to disrupt criminal networks; building an international coalition to hold countries who harbor them accountable; expanding cryptocurrency analysis to pursue criminal transactions; and reviewing the government's own ransomware policies.
Earlier this month, the U.S. Justice Department announced federal authorities had recovered $2.3 million in ransom money, paid in cryptocurrency, to the hackers who shut down the pipeline.
Yet the White House has repeatedly kept the private sector at arm's length, even after a second major hack hit Brazilian company JBS, the largest meat producer in the world. Republicans have used the hacks to score political points, calling on the administration to improve the country's cyberdefenses and approve more oil and gas pipelines.
Ultimately, "these are private-sector entities who have a responsibility to put in place measures to protect their own cybersecurity," White House press secretary Jen Psaki said June 2. "As it relates to why criminal actors are taking actions against private-sector entities, I don't think I'm the right one to speak to that."
On June 3, Anne Neuberger, a deputy national security adviser, penned an open letter warning American businesses to urgently take security measures like multifactor authentication and test their systems to spot vulnerabilities. Neuberger noted "a recent shift in ransomware attacks -- from stealing data to disrupting operations."
Biden's annual budget proposal to Congress in April earmarked $1.3 billion for cybersecurity -- a rounding error in a $6 trillion spending package.
"We need a real robust effort between the public and the private sector," David Hickton, founding director of the University of Pittsburgh Institute for Cyber Law, Policy, and Security, said in an interview last week. "And in many cases, the administration has to take the lead."
Hickton, as the U.S. attorney for the Western District of Pennsylvania from 2010 to 2017, led numerous cybercrime efforts.
In 2014, Hickton filed a first-of-its-kind indictment against the Chinese military for economic espionage against Pittsburgh-area companies and organizations. The same year, he led an indictment that named a Russian cybercriminal, Evgeniy Mikhailovich Bogachev, as the mastermind behind a virus that affected millions of people worldwide.
Since leaving office, Hickton has counseled organizations on how to handle ransomware attacks. Often, there is not a clear path, he said.
"We didn't effectively have an answer to it because you never wanted to tell people to pay the ransom," Hickton said, "but we didn't really have a solution other than making sure your system is backed up."
Hickton said the government should heed the advice of a March 2020 report issued by the Cyberspace Solarium Commission, a panel established by Congress to draft a national cybersecurity strategy. The group published more than 80 recommendations, grouped into six pillars, including aiding the private sector.
"The government must build and communicate a better understanding of threats, with the specific aim of informing private-sector security operations," the report stated.
"While recognizing that private-sector entities have primary responsibility for the defense and security of their networks," the report said, "the U.S. government must bring to bear its unique authorities, resources, and intelligence capabilities to support these actors in their defensive efforts."
COMPLEX, EVOLVING FIELD
Cybersecurity is a complex and evolving field that goes beyond the expertise of the average company's information technology shop, requiring smaller companies to consider contracting with security firms to get all the expertise.
The road ahead for military contractors trying to comply with the evolving Defense Department standards illustrates the challenge.
The 2017 regulations required contractors to meet security standards to handle controlled unclassified information -- a murky term that could include legal material, health documents, technical drawings and blueprints, intellectual property and other types of data.
"It's not black-and-white," Mihlfried said. "There's a lot of gray area."
Companies like Xper drew up plans on how to store and transmit such information, trained employees and crafted incident response plans. They were required to self-report any shortcomings and plans to improve. Xper passed with a 100% score, Mihlfried said.
The new rules require a third-party audit to score each contractor and group them onto one of five levels of "cyber hygiene." The most basic systems sit at Level 1; the most advance rise to Level 5 and are eligible for top-tier contracts.
"We've been spending quite a bit of time serving manufacturers in our community, helping them get prepared for this," said Matt Holjes, managing director for business development for Catalyst Connection, a Pittsburgh organization that is part of a federally funded network that helps small to mid-size manufacturers grow.
"They're going to have to be audited to determine whether or not they can maintain their position in the defense supply chain," an industrial base that is growing rapidly in the Pittsburgh region, according to the Catalyst Connection, which is a unit of the U.S. Commerce Department called the Manufacturing Extension Partnership.
Several firms in the region declined to comment for this article, citing the confidential nature of their cybersecurity defenses.
Reached for comment, a Defense Department spokeswoman referred to online resources, including a frequently asked questions page, which indicated a phased rollout of the regulations.
This fiscal year, the department will require no more than 15 new prime contractors to be audited on the standard. By fiscal 2025, the department expects that number to rise to 475 contracts, with all subcontractors expected to adhere to the same standards.
In Hickton's view, one of the biggest questions is how aggressively the U.S. government should pursue offensive cyberattacks to shut down cybercrime networks and punish the countries that harbor them.
He argued it was an effective initial step to "name and shame" cybercriminals, even if their home countries have protected them so far.
In Bogachev's case, prosecutors put up a $3 million reward for his capture, "and I still believe he will be caught," Hickton said.
"Even if we couldn't get them, we were imposing costs on them by declaring that they did it, by putting the spotlight on them, by chasing them if we could," he said.