By Thomas Lind, Co-Head of Strategic Intelligence, BlueVoyant
Securing the Defense Industrial Base (DIB) is a key national security objective of the United States. The task is challenging: it means securing a multi-tiered, interlinking supply chain hundreds of thousands of companies long, ranging from machine shops of a few dozen employees to billion-dollar prime contractors.
In an attempt to assess and support the cybersecurity posture of the defense sector, BlueVoyant recently undertook an analysis of companies in the defense industrial base. Building on research carried out by researchers at Michigan State University and our own insights gleaned from CMMC consulting, we focused on small-to-medium size enterprises (SMEs) as a critical and overlooked component of supply chain resilience. Looking at cybersecurity posture, threats, and compromise, our analysis found evidence of vulnerabilities across our sample set.
However, BlueVoyant research also shows that securing the DIB is a tractable problem. With the right combination of CMMC regulations, cybersecurity monitoring, and support from government, the DIB can be made much stronger and resilient than it is now.
This issue is critical. Businesses in the DIB are high-value targets for nation-state adversaries and other cybercriminals. Today, the news is awash with examples of how these third-party attack strategies have been successful: in the last year alone, cyber attacks exploiting Microsoft Exchange, F5, Pulse Secure, and, of course, SolarWinds have all impacted U.S. defense networks. At the same time, opportunistic ransomware attacks have also risen in frequency and impact, and just last year we reported attacks on US contractors who had been hit by the Babuk, Ryuk, maze and DoppelPaymer ransomware groups.
Securing the DIB is not only a pressing issue for greater national security: it is also eminently possible. BlueVoyant’s recent report, Defense Industry Supply Chain and Security, seeks to support policymakers and defense contractors in shaping a stronger and more resilient cybersecurity posture.
Adversaries pivot to target SMBs
Arguably, defense contractors face the same opportunistic threats as any business, however, the DIB’s biggest problem is the complexity of securing such an enormous ecosystem. Since the first cyber intrusions in the late 1990s and early 2000s, prime contractors and other large companies have developed more robust security defenses against cyberattacks. As a result, adversaries have pivoted towards targeting small to medium-sized enterprises (SMEs) that are subcontractors within the same supply chain. This attack strategy is based on the expectation that SMEs will have fewer and less sophisticated defenses and will thus provide an easier entry point to all entities within the entire supply chain.
Knowing this, BlueVoyant undertook a review of the cybersecurity risk posture within the DIB. To do so, we chose a sample set of 300 companies, avoiding primes and other giant defense contractors and instead limiting the pool entirely to SMEs. In a total industrial base of some 100,000 companies (or more, according to some estimates), three hundred companies is not large enough to identify reliable patterns but large enough to observe statistically significant insights into overall supply chain security. We examined the companies for vulnerabilities in their cybersecurity posture; for evidence of targeted threat activity; and for evidence of compromise. The analysis also sought to identify patterns or trends in risk, in hopes to illuminate how risk is concentrated (or not) within a supply chain – and thus help primes and the DoD to direct their resources and attention in future.
We arrived at two key insights. One, our findings indicate that significant issues exist within our sample set, suggesting wider issues across SMEs in the DIB: just under half (48%) of all companies analyzed had critical cybersecurity vulnerabilities, 20% (one-fifth) had critical vulnerabilities and evidence of significant, intentional threat targeting, and 7% showed critical vulnerabilities, evidence of significant, intentional threat targeting, and also had evidence of potential compromise. Overall, vulnerabilities to ransomware were widely observed throughout the group, especially unsecured remote ports known to be the major route of access for ransomware gangs.
Two, we found that industry type was a stronger predictor of risk than company size alone: manufacturing and R&D companies had the highest risk profiles when assessing email security, IT hygiene, malicious activity and vulnerabilities. 100% of the large R&D companies assessed displayed network vulnerabilities, with 66% of these companies also showing evidence of targeting.
Espionage and intellectual property threats are also increasing
This comes at a time of significant pressure on defense companies. Advanced persistent foreign actors have targeted the DIB for years for the purposes of espionage and intellectual property threats; in the last year, they have achieved significant success, and that in the public eye. In October 2020, the NSA issued an advisory noting that Chinese APT groups were exploiting vulnerabilities in Pulse Secure VP and F5 Networks’ cybersecurity software to target defense contractors, and in April this year these groups were reportedly exploiting another software vulnerability to attack defense contractors with vulnerabilities in Microsoft Exchange services.
To this point, just under half of the companies that we examined had ports vulnerable to ransomware, as well as other severe vulnerabilities. This included unsecured data storage ports, out-of-date software and OS, and other vulnerabilities rated severe to NIST frameworks.
Furthermore, 7% of the companies analyzed showed critical vulnerabilities and evidence of targeted threat activity, and evidence of compromise. Additionally, more than six months after the F5 and Microsoft Exchange vulnerabilities were announced, several companies were still observed with these vulnerabilities on their networks.
CMMC and other regulations are being implemented
In order to address these issues, a series of government regulations have set standards designed to raise the baseline of cybersecurity requirements. Most recently, in 2019 the DoD announced that they were launching the Cybersecurity Maturity Model Certification (CMMC) as an expansion of, and improvement upon, the National Institute of Standards and Technology (NIST). CMMC is designed to help apportion compliance and responsibility in appropriate measures throughout a complex ecosystem and to also ensure third party verification and controls are in place. However, our research found that more than a quarter (28%) of companies analyzed showed evidence indicating they would fail to meet the most basic, tier-1 CMMC requirement.
Perpetual monitoring and management is required
Regulations will certainly help to reduce the attack surface, but compliance is not security. Regulations are typically measured at points in time and are therefore not necessarily synonymous with ongoing effective cybersecurity. Without a doubt, compliance is a key first step towards baseline security – but more is needed. How can organizations create a secure environment for defense companies while also supporting the development of a large and diverse ecosystem? How can they close the gap that exists with these periodic point-in-time assessments and deliver more ongoing monitoring and management of the systems security throughout an entire supply chain? Often smaller firms do not have the resources and budgets to deal with increasing, targeted cyberattacks.
Going forward, continuous cybersecurity monitoring should be a key component for defense companies to secure their supply chain. Here prime contractors can reduce their risk exposure by focusing on the most high-risk segments of their supply chain. Our research highlighted that R&D companies are particularly vulnerable targets for malicious insertion in the supply chain and focusing on them can reduce risk to all segments. Additionally, predictive analysis is possible based on quantitative measures, and can provide the DoD and prime contractors with findings to help them identify and more effectively manage risk. BlueVoyant is undertaking more advanced research, in cooperation with Michigan State University’s top-rated supply chain management program, to see if more reliable predictive measures are possible.
Focusing on supply chain health
For an industry with such an expansive, interconnected digital ecosystem, supply chain security should be a fundamental consideration. Prime contractors are under enormous pressure to reduce the attack surface of the entire supply chain, but are partly blind to the vulnerabilities that exist. Smaller companies need to put more attention and resources into identifying ongoing risks and understanding overall supply chain health in order to combat the growing threat landscape.
The good news is that the two recent Executive Orders – one on American Supply Chains, and the other on Improving the Nation’s Cybersecurity – direct much-needed attention and funding to cybersecurity in the defense supply chain, but they are only the start. Closer co-operation between the DoD and the private sector is required to support a more vibrant, diverse, and secure defense sector.
Just as threats are evolving, so too are the conditions that shape the US defense industry, and the sector is increasingly introducing commercial technologies and acquisition practices that have the potential to disrupt and change the traditional defense contractor business model for the better. Organizations need to put in place accessible compliance frameworks, robust and proactive risk tracking, continuous external monitoring – all of these steps will support a more secure defense sector and are absolutely achievable with closer co-operation between the DoD and the public sector.
