Contractors Are a Bull's-Eye for Hackers
The U.S. defense industrial supply chain is vast, complex and vulnerable. Organic components, large-scale integrators, myriad commercial service providers, and tens of thousands of private companies sustain the Defense Department. According to the SANS Institute, the percentage of cyber breaches that originate in the supply chain could be as high as 80 percent.
Some progress has undoubtedly been made with regard to securing the supply chain. The Defense Federal Acquisition Regulation Supplement (DFARS) NIST SP 800-171 supply chain program, for instance, introduced 109 stringent requirements for Defense Department suppliers dealing with sensitive government data—53 related to technology and 56 related to security policy. But while DFARS applies to all contractors and suppliers regardless of size, it has not yet been fully implemented and it is not bulletproof. Still, it is a big step toward securing the supply chain at all levels.
Small supplier, big target
Large-scale integrators at the top of the supply chain, such as Lockheed Martin, Northrop Grumman and Raytheon, have invested heavily to make their information technology systems more cyber resilient and DFARS-compliant. Their systems are robust from a cybersecurity perspective, having been hardened by many years of defending against sophisticated cyber attacks.
Since the big players are more secure, attacks are now focused on the second- and third-tier suppliers. These lower-tier suppliers generally lack the manpower to form a dedicated information security team and provide the security mechanisms to protect themselves against sophisticated attacks—a reality that is the impetus for the creation of DFARS. As a result, these lower-tier suppliers and contractors often represent a greater risk to intellectual property and sensitive government information being exposed.
Suppliers had until December 31, 2017, to finalize a DFARS compliance plan, but they didn’t necessarily have to be fully compliant by that date. And, as things stand now, a reliable audit process is lacking for DFARS. Thus, some lower-tier contractors are still exposed to the potential for cyber attacks and the possible loss of controlled unclassified information (CUI).
Preventing another Sea Dragon
At its core, preventing a situation like the Sea Dragon hack means knowing how to protect critical data, which is best done via strong perimeter defense and a risk-adaptive, user-centric security approach. In a company with hundreds of employees, only a small subset of users will likely deal with highly sensitive information or controlled unclassified information. Perimeter defense provides network segmentation of critical data. Meanwhile, a risk-adaptive approach layers analytics onto security efforts so an organization understands who is accessing sensitive information and can quantify the risk each person presents.
Employees can be assigned individual “risk scores” based on the information they have access to, their roles and responsibilities and overall behavior patterns. The higher the score, the more susceptible the user is to being compromised, either accidentally or as a target for adversarial hackers. As an example, the Sea Dragon hackers targeted an individual working at the Naval Undersea Warfare Center and used that person’s credentials to access data on the organization’s network. When such a behavioral anomaly is detected automatically, the user’s access to data can be blocked automatically.
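As an added illustration of the risk-adaptive approach just described (example code written for this page, not Forcepoint's product or any DFARS-mandated logic): a user's static exposure from their role is combined with deviations from that user's own baseline (working hours, source network, datasets touched), and the resulting score drives an allow, step-up or block decision. The baseline, access-log events, weights and thresholds are all constructed assumptions.

```python
from dataclasses import dataclass

# Static exposure per role (how much sensitive data the role can reach) and the
# enforcement thresholds. Weights are assumptions for this example, not DFARS values.
ROLE_EXPOSURE = {"engineer": 3, "program_manager": 2, "admin": 4, "hr": 1}
STEP_UP_AT, BLOCK_AT = 4, 7

@dataclass
class Baseline:           # observed-normal behavior for one user
    role: str
    usual_hours: range    # local hours in which the user normally works
    usual_sources: set    # networks the user normally connects from
    usual_datasets: set   # repositories the user normally touches

@dataclass
class AccessEvent:
    user: str
    hour: int
    source: str
    dataset: str
    cui: bool             # dataset holds controlled unclassified information

def risk_score(ev: AccessEvent, bl: Baseline):
    """Static exposure plus a bump for each deviation from the user's own baseline."""
    score, reasons = ROLE_EXPOSURE.get(bl.role, 1), []
    if ev.hour not in bl.usual_hours:
        score += 2
        reasons.append("off-hours")
    if ev.source not in bl.usual_sources:
        score += 3
        reasons.append("unfamiliar-source")
    if ev.dataset not in bl.usual_datasets:
        score += 3 if ev.cui else 2   # touching unfamiliar CUI weighs more
        reasons.append("unfamiliar-dataset")
    return score, reasons

def decide(ev: AccessEvent, bl: Baseline):
    """Map the score to an enforcement action: allow, step-up (re-authenticate) or block."""
    score, reasons = risk_score(ev, bl)
    action = "block" if score >= BLOCK_AT else "step-up" if score >= STEP_UP_AT else "allow"
    return action, score, reasons

# Constructed baseline and access log for one engineer whose credentials are later misused.
BASELINE = Baseline("engineer", range(8, 19), {"corp-lan"}, {"sonar-design", "test-plans"})
EVENTS = [
    AccessEvent("jdoe", 10, "corp-lan", "sonar-design", cui=True),              # normal workday access
    AccessEvent("jdoe", 14, "corp-lan", "vendor-quotes", cui=False),            # new, but non-CUI, dataset
    AccessEvent("jdoe", 3, "remote-unknown", "weapons-program-cui", cui=True),  # stolen-credential pattern
]

def evaluate_all(events=EVENTS, baseline=BASELINE):
    return [(ev.dataset, *decide(ev, baseline)) for ev in events]
```

The third event scores 11 and is blocked because every factor deviates from the baseline at once, while the second only prompts a step-up: the point is that the same credentials yield different decisions depending on behavior, not just entitlement.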
Securing the vast defense industrial supply chain is extremely important. For the second- and third-tier suppliers that represent the greatest risk, developing a proper security posture must go beyond the supply chain itself. Those suppliers must also consider security measures, including a strong perimeter defense and user-centric data protection in order to prevent a Sea Dragon type of hack—or something worse.
Sean Berg is the senior vice president and general manager, Global Governments and Critical Infrastructure, Forcepoint.