To Ron Davis, potential disaster is always a click away. As chief information security officer for Huntington Ingalls Industries, which provides amphibious assault ships and nuclear-powered aircraft carriers and submarines to the national arsenal, his nightmare attack scenario is less WarGames and more The Absent-Minded Professor.
“Let’s say you have a network of 100 employees,” says Davis. “The network is connected to the internet. Fifty people receive an email, and one of the 50 clicks on the link.”
When that link is clicked, says Davis, “something bad happens in the background.” And, just like that, someone from outside the company “effectively becomes an insider threat,” he says.
Davis has been running the security IT team at Ingalls—the largest military shipbuilding company in the U.S.—since 2017. On a typical day, his systems might face malware, phishing, and hacking efforts, all targeting Ingalls as well as the proprietary government information it houses. Those threats, according to the Ingalls 2020 annual report, come from many fronts: nation-states, cybercrime syndicates, and hacktivists looking to further a political agenda.
While Ingalls hasn’t been breached on his watch, Davis says the dynamic is changing daily. “We’ve taken hits, and we’ve been successful responding to these attacks,” he says. But “it’s a barrage that has been happening over the last year and a half, two years.”
He’s not alone. The defense industry is dominated by a handful of well-known corporations like Ingalls, Lockheed Martin, Raytheon Technologies, Northrop Grumman, and Boeing. But, in fact, it is highly fragmented, with some 700,000 companies—many with annual revenues of less than $15 million—pitching to meet the sensitive needs of the military.
And they’re all vulnerable. Some 44% of U.S. defense contractors with more than 500 employees had experienced a cyberattack as of 2019, according to a study by the National Defense Industrial Association (NDIA).
In recent years, the U.S. Government Accountability Office (GAO) has issued multiple reports on the failure of the Department of Defense (DOD) to maintain proper cybersecurity. In 2018, the GAO watchdog said the DOD faced “mounting challenges in protecting its weapon systems from increasingly sophisticated cyber threats.” In 2020, it said the department had yet to fully implement its 2015 cyber hygiene plan. This year, the GAO reported it found contracts for weapons systems that omitted cybersecurity requirements and verification processes.
Part of the cybersecurity challenge for contractors is bureaucratic. Cybersecurity requirements and protocols can differ from agency to agency. They also add layers of cost to a contractor’s budget. And because compliance is largely through the honor system (meaning contractors themselves check the appropriate bureaucratic boxes), some contractors are cutting corners.
That, in turn, makes them and the DOD vulnerable to breaches, says Leigh Armistead, president of Peregrine Technical Solutions, a cybersecurity consultancy with defense experience. “Just like any industry,” he observes, “until you have a carrot or stick, commercial businesses may or may not decide they want to abide by [those requirements].”
Today’s cybersecurity challenges for defense agencies have historical roots. Defense systems, within and across military branches, traditionally weren’t encouraged to connect. “Security for a long time was a lot of cloak-and-dagger,” says William Sako, vice president of security risk consulting at Telgian Engineering & Consulting, which provides risk mitigation for public and private projects. “You didn’t want anybody to know your source code. You didn’t want anybody to know about your system. As long as it was proprietary, it was safe.”
Proprietary platforms and systems are expensive, and the defense industry, like other business sectors, is moving from on-site infrastructures to shared networks and platforms to lower costs, improve profit margins, and satisfy customers who want connectivity. That’s fine if the systems that contractors are sharing are properly guarded, but that isn’t exactly how it has played out.
“The manufacturers went really crazy to develop their equipment to work without considering security stuff,” says Richard Mahnke, a regional practice leader of security risk at Telgian.
In November 2020, the DOD announced it would require all defense contractors to obtain Cybersecurity Maturity Model Certification (CMMC), which is a framework that measures a contractor’s digital security credentials and the extent to which it is using best practices. The rollout has been plagued by a lack of auditors to process certification, says Mark Kirstein, vice president of customer success at Cosant Cyber Security, a consultancy serving small and midsize organizations.
Tough, comprehensive cybersecurity rules for defense contractors are sorely needed. Cyberattacks are one of the main weapons that nation-states use to steal military intellectual property, Kirstein says. Other countries’ jet fighters, missiles, and tanks “are looking exactly like ours. [Those nations are] going through defense contractors and getting access to the intellectual materials.”
The costs associated with the DOD’s cybersecurity protocols can be challenging for small contractors. Agencies may have some security standards under review, or be in the process of issuing final standards on interim requirements, which can lead to additional costs for the contractor when rules are formalized.
“My experience with contractors is a lot of them wait for the final standards to come in,” says Alex Gorelik, an associate attorney with Smith, Currie & Hancock, a law firm that specializes in government contracts and construction. “They want to make sure if they’re upgrading their cybersecurity standards that they’re doing that once, not multiple times over.”
Contractors navigate security requirements in different ways. There are companies that implement all the appropriate standards for the agencies they serve, Davis says. Then there are contractors that believe they have met the standards, but—as becomes apparent when they get hacked—they actually haven’t. Often it’s not entirely their fault. Davis says contractors with little cybersecurity expertise will implement digital security themselves instead of hiring an outside specialist.
“The understanding of the level of attack sophistication that’s coming at defense contractors is just not there for some of the smaller contractors,” says Davis. “When you take a deeper dive into what those small contractors are doing, you realize they don’t have a firm grasp of cybersecurity, which leads to a mis-implementation.”
As the DOD and its thousands of civilian defense contractors have struggled to build coherent cybersecurity mechanisms, new cyber risks related to Internet-of-Things (IoT) devices have opened up.
“That’s where huge threat vectors are,” says Armistead.
Many projects—be they on-the-ground weapon systems, fighter jets, aircraft carriers, or submarines—use sensors, surveillance equipment, industrial controllers, and wireless communication, and these tools are becoming increasingly dependent on IoT technology. In fact, the GAO has reported that IoT use is surging across agencies and departments, both to reduce cost and create new services.
While contractors are rapidly embracing IoT, it wasn’t until late last year that Congress passed the IoT Cybersecurity Improvement Act, directing the National Institute of Standards and Technology (NIST) to develop and publish guidelines for government agencies on the use, management, and security of IoT devices. The regulatory catch-up has meant that draconian action has been required to close the door on IoT vulnerabilities. For example, a recent ban on the use of cameras and surveillance equipment supplied by China was needed because of vendor-included “back doors,” Davis says.
Even defense spending outside of commercial contracts can trigger vulnerabilities. The DOD inspector general issued a report in 2019 noting that the Army and Air Force had in the prior year bought at least $32.8 million of “information technology items, such as Lenovo computers, Lexmark printers, and GoPro cameras, with known cybersecurity vulnerabilities.”
“We’re passing off the risk across and down the supply chain to the point we don’t know who we’re doing business with, we don’t know how to validate, and we end up with a SolarWinds issue,” says Jeffrey R. Wells, co-chair of the cybersecurity, data protection, and privacy team at Clark Hill, a large international law firm. (SolarWinds, a U.S. information technology firm, was the subject of a cyberattack, believed to be committed by Russian hackers, that spread to its clients and went undetected for months.)
How to comply
In May, President Biden issued an executive order aimed at improving the nation’s cybersecurity. The order set out a strategy of partnership between government and private industries to remove contractual barriers to the sharing of threat information, adopt security best practices, and enhance software supply chain security.
While Armistead welcomes the order, he says defense contractors need to be in control of their own cybersecurity strategy. That means firms that are bidding for defense contracts must be happy with the costs associated with the new cybersecurity protocols and be confident their internal cyberdefenses can deliver over and above what the DOD requires.
There is scope for defense contractors to do much more. For example, the use of basic security tools like firewalls and multifactor authentication by smaller firms is “at a much lower [adoption] rate than large companies,” according to the NDIA study.
Armistead says organizations should be asking themselves fundamental cyber hygiene questions, which often will address the risks they are currently facing.
Questions like these point to fixes that can be applied right away: Do you update your network software? Do you know your asset inventory? Do you have cybersecurity policies? Do you allow all people to have administrative privilege? Can people use their own laptops? Do you have an incident response plan? Have you implemented a zero-trust network access model?
“A lot of it is common sense,” Armistead says. “There are a ton of companies that are not doing the basics.”