LI defense firms facing Dec. 31 cybersecurity deadline

The clock is ticking for Long Island defense contractors facing a year-end deadline to meet new federal cybersecurity standards.

Companies that fail to comply risk being cut out of the supply chain, Boeing Co. executive Camille Geiger told industry representatives last week at a conference at LIU Post.

“You must be prepared,” said Geiger, Boeing’s enterprise global diversity leader.

Prime contractors like Boeing will be barred from dealing with suppliers that don’t meet the standards, she said. “Be sure you have everything in place and are ready to go January 1,” she said at the conference, which was organized by Rep. Thomas Suozzi (D-Glen Cove).

Although Long Island’s heyday as a center of defense and aerospace manufacturing has passed, hundreds of such companies remain in the region. Suozzi said his 3rd Congressional District on the North Shore ranks No. 1 in the state, drawing $1.7 billion a year in defense contracts directly from the federal government. Hundreds of millions more come to Long Island through subcontracts with prime contractors.

Robert Botticelli, chairman of ADDAPT, a trade group that advocates for LI aerospace and defense contractors, said the regulations “will be a financial strain” for some companies but can’t be avoided. “Virtually every aerospace and defense company on Long Island has to deal with it,” he said.

Some companies may be able to get help through the Center for Corporate Education at Stony Brook University, which can provide government funding. We “can offset the cost for some of these companies,” said Patricia Malone, executive director of the CCE. She has set a cybersecurity breakfast for manufacturers on Thursday that will also cover the requirements.

One of the companies grappling with the new regulations is CPI Aerostructures Inc., an Edgewood aerospace manufacturer with about 250 employees. Chief executive Douglas McCrosson said the company has spent about $150,000 to meet the new standards.

“It wasn’t inconsequential,” he said. “There was equipment we had to buy. There was more protective software we had to utilize. We had to change almost every aspect of how we access work on the internet. It was really extensive.”

The new security standards require the safeguarding of contractor information systems that process, store and transmit federal contract information.

As a Tier 1 supplier, CPI sells directly to prime contractors like Boeing and Northrop Gumman Corp. But the firm also has suppliers who themselves have suppliers. “There are three or four tiers in the supply chain,” McCrosson said, and every level has to be in compliance.

Among the practices CPI has adopted: Users are barred from accessing online data storage sites like Dropbox and iCloud; laptop hard drives are encrypted; and computers require two-factor authentication such as a password and a code transmitted to the user’s mobile phone. The company is also seeking to improve employee awareness by sending out fake emails like the ones used to trick users into revealing personal information.

Steven Kuperschmid, co-chair of the cybersecurity/data privacy group of Ruskin Moscou Faltischek in Uniondale, said lawyers can have a role in establishing cybersecurity policies. “I don’t think you can do cybersecurity effectively with just a technologist,” he said. “Determining regulatory compliance is a lawyer’s job.”

Despite the resources required, McCrosson said the standards are needed.

“Some regulations we feel are onerous,” he said, “but cybersecurity is a real threat, not only to the defense industrial base, but to the national interest . . . It’s scary out there.”

He said expert hackers are targeting defense contractors.

“These are not kids in their basements goofing around,” he said. “These are largely state actors trying to get designs. They figured out long ago that prime contractors have better defenses” and target companies farther down the supply chain.

“You’re only as strong as the weakest link,” he said.

By Ken Schachter

kenneth.schachter@newsday.comkschach

Ken Schachter covers corporate news, including technology and aerospace, and other business topics for Newsday. He has also worked at The Miami Herald and The Jerusalem Post.