Katie Arrington’s job is to win the room.
She’s at San Francisco’s Moscone Center on Feb. 26 at the RSA Conference, one of the largest cybersecurity events. In the last year, she’s spoken at more than 100 events, which may explain why today, she’s sick. Her voice, typically loud and energetic, is raspy and shaky.
Arrington’s title is clunky: chief information security officer for acquisition in the Office of the Under Secretary of Defense for Acquisition and Sustainment. Translated, she’s leading the Pentagon’s effort to add new cybersecurity requirements for the 300,000 companies that do business with the Pentagon. Her challenge, almost every day, is to convince industry it should embrace the Defense Department’s new auditing standards, which are aimed at improving cybersecurity.
In this room, she sits next to a top American executive from the Chinese technology company Huawei to discuss — rather, argue about — supply chain security, alongside a Harvard lecturer and think tank fellow. In the months leading up to the panel, the U.S. government and Huawei fought in court over a provision in the fiscal 2019 defense policy bill that bans federal agencies from buying the company’s equipment.
The audience is shoulder to shoulder, no seat spared. “This session promises to be one of the most interesting, colorful and perhaps debate[d] topic,” the moderator begins.
Arrington, however, doesn’t understand what all the “hoopla” is about.
“Really, honestly, it’s not that big of a deal,” she told C4ISRNET hours before the session.
The Department of Defense has made the RSA Conference a greater priority in recent years as it tries to heal a strained relationship with Silicon Valley. Outside the Capital Beltway, the cybersecurity community often views the department’s mission with skepticism or that of an overly strict parent.
In contrast, defense leaders see themselves as offering lucrative contracts with reasonable sets of security requirements for winning the work, which can range from the acquisition of military weapons systems and basic IT tools to mowing grass at military bases.
But after years of suppliers with weak cybersecurity tormenting the department, it’s now Arrington’s job to find a solution. The conventional wisdom among defense officials is that cybersecurity problems can’t be solved — they can only be mitigated.
“Supply chain security is an insurmountably hard problem,” said fellow panelist Bruce Schneier, the Harvard lecturer and well-known technology guru.
So Arrington flies all over the country, speaking to room after room of defense contractors and trying to convince them, somehow, that they must impose tighter cybersecurity controls. And if they don’t? The Pentagon could lose out on state-of-the-art technology to protect national security secrets.
And if industry doesn’t care about that? Then businesses will lose out on profitable DoD contracts.
The underdog
Arrington has spent much of the last two and a half years shuffling in and out of rooms, working to persuade audiences she can solve pressing community problems. In 2018, it was a different cause: politics.
Her problem then was Rep. Mark Sanford. Sanford, she said, spent too much time on cable news fighting with President Donald Trump and not enough time on local issues. So Arrington challenged him in a Republican primary.
Sanford, the former South Carolina governor of “hiking the Appalachian Trail” fame, had never lost an election. But Arrington, endorsed by the president, pulled off the unexpected, knocking off the political powerhouse by about 2,500 votes and adding her name to South Carolina political folklore.
“If somebody tells her she can’t do something, she ignores that,” said Andrew Boucher, a consultant for Arrington’s congressional campaign. “She ignores the naysayers.”
Now, Arrington, 49, is leading a robust overhaul of the Pentagon’s cybersecurity requirements for contractors, known as the Cybersecurity Maturity Model Certification, or CMMC. The department is pushing the reform at a breakneck pace, at least as far as Defense Department reforms go. Her team has issued several drafts and the final standards in the past year.
“She’s got lightning in her veins,” said retired Adm. James Stavridis, the former supreme allied commander of NATO and a member of the board of directors for PreVeil, an email encryption company. “She’s smart, and she’s smart enough to know she doesn’t know everything.”
That lightning kept CMMC on pace for its final standards rollout in January, an aggressive timeline that one trade association representative characterized as a “herculean effort.” This summer, CMMC is scheduled to be included in requests for information for upcoming Pentagon contracts.
If all goes according to plan, CMMC would mitigate several cybersecurity issues that plague the DoD supply chain, and the government would have a mechanism to verify contractors’ cybersecurity claims. The guidance recognizes that security differs from business to business while allowing the government insight into companies’ cyber posture before awarding contracts.
The problem now is a system where companies can self-assess their cyber defenses. Arrington describes it this way:
“Everybody thinks when they walk out of the room in the morning, when they walk away from the mirror, they look great, [but] when you put the mirror up and you say, ‘Yeah, nope’ — you didn’t draw your eyebrows on right today.”
Through these changes, the department has to retain a fair and competitive acquisition process. It’s a massive overhaul that needs a charismatic and competent leader to succeed, said David Berteau, president and CEO of the Professional Services Council, a trade organization that represents more than 400 government contractors.
“Very little important change gets done without a vocal, capable champion present all the way through,” he said.
That’s Arrington.
Experts estimate that China steals hundreds of billions of dollars worth of American intellectual property annually, including military technology. The federal government’s concern with Huawei is that its presence could allow the Chinese government to access the feds’ data. Chinese actors have continuously breached Navy contractors, as the Wall Street Journal reported in 2018. In addition, China accounts for 90 percent of the U.S. Justice Department’s economic espionage cases as well as two-thirds of its trade secrets cases, according to a 2019 Congressional Research Service report.
Pentagon officials see the success of CMMC as critical “because of the ongoing and escalating threat of cybersecurity challenges,” said Berteau, who also worked for six defense secretaries. “It has real consequences for America, above and beyond the consequences for a particular contract or a particular program.”
But leaders in the defense industry still have questions. Company executives wonder what level of certification they will need, a centerpiece of CMMC that will affect competitiveness. Business leaders also don’t know when they need to get the certifications. Others still have questions about reimbursement for “allowable costs” for compliance, or don’t understand how subcontractors can recover compliance costs, if at all.
Though some industry members have criticized the Pentagon for the rapid speed at which CMMC has proceeded, others acknowledge it is years overdue. For each day CMMC isn’t part of solicitations, the Defense Department is losing out on implementing tighter cybersecurity controls until contracts expire, the argument goes. And Arrington is quick to mention the standards need to be in RFPs this fall.
“Our adversaries … their whole job is to have us not exist. The easiest way to do that has been through our supply chain,” she said on a January podcast. “It’s the easiest way to get access to us.”
‘Everybody has a superpower’
Tensions rise on the RSA Conference panel after Arrington explains why the Defense Department must stay away from risky technology that may allow access into DoD networks through backdoors.
Why, she questions, would the federal government use hardware made by a company with close ties to the Chinese government — the same government that’s plotting economic domination, trampling over human rights and looking to spread communism?
But isn’t it true there are several other countries that can install backdoors and launch virtual attacks, responds Huawei’s Andy Purdy, implying the United States has that capability as well?
“That’s ridiculous!” Arrington says, with her arms outstretched to her sides. “The bottom line is we’re a democracy, we’re different!”
In the last 18 months, Arrington’s earned a reputation for her candor with the defense-industrial base, a community of vendors accustomed to dry presentations on programs from other senior DoD officials. She responds to criticism on LinkedIn. She’s direct with contractors, once telling them to chant: “We all are going to get breached.” Then there’s the origin story of the acronym that became shorthand for her program.
“It was a glass of wine on a Friday night, and that’s how you got ‘C-M-M-C,’ ” Arrington jokingly said Jan. 28 at the law firm Holland and Knight. “Really, unique, huh? Yeah, I went cray-cray on the acronym.”
But joking aside, Arrington knows the government contracting process can be cumbersome. She reminds audiences that she came up in industry and understands.
“Ladies and gentlemen, we’re a ‘we,’ ” Arrington said in June last year, as if it were an applause line on the campaign trail.
Her approach, she said, is part of a paradigm shift that defense contractors must adopt. Accepting there’s a risk of a breach will lead to stronger cyber defenses. To get this done will require a web of industry relationships. Arrington knows this. “Everybody has a superpower,” she said in an interview, and hers is collaboration.
Sources in industry agreed, telling C4ISRNET that Arrington and her team’s success thus far is due to their engagement with small businesses, prime contractors and trade associations.
“It’s collaboration! That’s what the human condition is about. What we can do together is far more impactful than what we’ll ever do on our own,” Arrington said.
Driven to serve
Twenty-eight minutes into the RSA session, the prickly nature of the panel prompts the moderator to quip: “I’m glad we’re at least expressing how we feel here.”
Huawei’s Purdy is passionately arguing that all bad technology should be removed from the supply chain, when Arrington cuts him off. He shuts his eyes momentarily and takes a deep breath.
She continues until Harvard’s Schneier says that “5G’s lost, and our only hope now is to try to secure 6G.” He then adds: “I’m rooting for you, but I’m not optimistic.”
Arrington — again finding herself on the defensive — interrupts the moderator to pointedly ask Schneier who he’s really rooting for. He responds by saying he hopes Arrington can build a Huawei-free 5G network.
“Why would I have to build a 5G network? When did the Department of Defense ever build a network?” Arrington asks, snapping her head back to look at the packed audience, her eyebrow furrowed on a face of sarcastic confusion.
The quip earns laughter from the crowd, a sign her humor and wit are working to her advantage.
Arrington “fell in love” with cybersecurity when she worked at the defense giant Booz Allen Hamilton. She’s fascinated by the power and interconnectedness of technology. Cyber, she said, is like fire: It can provide benefits such as warmth or help with cooking. But handled improperly, it will burn you.
Similarly, poor cyber hygiene can destroy everything a victim is connected to, including national security secrets. Or, as she said on a January podcast, “When Al Gore created the internet, he did not realize what he was doing.”
She’s also long been attracted to solving problems in public life; even President Jimmy Carter encouraged her at five years old to find solutions to problems. And there are plenty of problems to solve in local politics. So in 2016 she turned politician, winning a seat in the South Carolina House of Representatives. That was a “great training ground” that prepared her to wrestle with contractors’ concerns.
“Your job is to listen to all the disparate pieces and work on the best solution set for all,” she said.
Her foray into the South Carolina political scene was brief — just two years — before she launched her bid for Congress. Ten days after she beat Sanford in the Republican primary, however, Arrington and a friend were hit head on by a drunk driver. They were taken to the hospital with life-threatening injuries. She was bleeding to death. Her back was fractured. Several ribs were broken. A main artery in her legs partially collapsed. Doctors had to remove part of her colon and small intestine.
She spent two weeks in the hospital. When Boucher visited, she wrote a note — unable to speak due to the tubes down her throat — telling him: “Two weeks and I will be right back at it.” He joked to her that finally he could tell her what to do without her talking back.
With the hand that wasn’t strapped down, she flipped him off.
After a few weeks of recovery, she was in “tremendous” pain that limited how much time she could spend campaigning, Boucher said. Arrington spent weeks in a wheelchair, then used a cane. But toward the end of that summer, she helped pack and deliver sandbags as the area prepared for a hurricane.
For Arrington, the wreck gave her a new perspective.
“Even when you think you are at your worst, the sun will rise and you can make it better the following day,” Arrington said in an interview. “I mean, you don’t go through what I went through with my car accident and getting that awareness of ‘tomorrow will be OK, like, I’m alive.’ ”
She went on to lose the election. But the week after the congressional race concluded, both candidates left for Washington, D.C., on the same day, with Arrington cryptically telling the Post and Courier she was “going to see some groups of people.” Later, she joined the Defense Department.
“I teared up walking into the Pentagon the first day like, ‘OK, I’m really going to make a change now. I’m really going to be part of the solution,’ ” she said.
Unfinished business
On stage at RSA, Chinese IP theft is a primary point of discussion. Arrington’s CMMC effort is designed to defend against that, but the panelists continue to poke at the government’s decision to ban Huawei.
At one point the moderator asks Arrington: What if Huawei were to go through the CMMC process and earn certification? Then could its hardware be used in DoD networks?
“It’s against the law. Why are you asking a silly question?” Arrington quips, staring unflinchingly back at the laughing moderator, the crowd cheering in the background. “This is a moot point. The law is done.”
But now Schneier wants to deal in hypotheticals: If it was legal, would it be reasonable to allow Huawei into the process?
Before answering no, she says: “Even Huawei can admit [that] their programmers are where Microsoft was 25 years ago, right?”
Purdy looks forward, tongue literally in cheek, tugging awkwardly at his black dress shirt.
As CMMC becomes part of every acquisition, Arrington wants to move ahead with tools that highlight cybersecurity gaps in the supply chain, and she expects international allies to adopt some standards. Her goal for CMMC isn’t for it to serve as checklist, but rather as a living document that can evolve to address new threats.
Eighteen months into the job, Arrington is struggling with at least two other problems. The first is there aren’t sinks to rinse out coffee mugs in the Pentagon.
“We have to wash our coffee cups in the bathroom, it’s not a big deal,” she said. “But if I could figure something out like a little kitchenette, that would be nice.”
The second is her work-life balance, she said. When she says she’ll meet with industry, she means it.
For more than a year Arrington’s been the public face of CMMC. That leaves a third problem lingering as a presidential election approaches: What happens to Arrington, and CMMC, if there’s a new administration next year? For now, her trip to San Francisco is just another packed bag, another flight and another opportunity to evangelize to an audience of cybersecurity professionals.
By now, the panelists have targeted her on several occasions, and at the end, the moderator says: “Katie, looks like they’re, like, beating up on you here.”
“We don’t mean to, though,” Schneier interjects. “You’re, like, on the good side.”
“I am on the good side,” Arrington replies.
The audience applauds. She wants to add another comment, but the clapping cuts her off. She waits. Even Purdy gives her a few claps.
“I came here today because sometimes you just gotta say the truth and you just gotta hold the line.”
She’s won over this room, and she did it while making the case for more stringent requirements that put additional burdens on companies.
Her voice was nearly gone, but another room, another meeting of industry leaders awaits. For Arrington, another set of problems is always waiting.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.