A BlueVoyant report highlights critical vulnerabilities within the defense supply chain ecosystem. The report includes evidence of the exploitable cyber weaknesses of SMBs within the Defense Industrial Base (DIB) and demonstrates how cybercriminals are becoming increasingly adept at locating and exploiting the weakest link within the supply chain.
As part of its assessment of the scale of the problem for SMB defense companies, the security of 300 subcontractor firms was examined within the DIB using its third-party datasets and proprietary research.
Cybersecurity gaps were identified in the subcontractors’ security practices to garner a better understanding of the security posture of less visible members of the complex defense supply chain.
Defense supply chain vulnerabilities
- Over half of the 300 SMB defense contractors had critical vulnerabilities to ransomware.
- 28% of companies analyzed showed evidence indicating they would fail to meet the most basic, tier-1 CMMC requirement.
- Manufacturing and R&D companies had the highest risk profiles when assessing email security, IT hygiene, malicious activity and vulnerabilities. Industry type was a stronger predictor of risk than company size alone.
- 48% of the companies showed severe vulnerabilities such as unsecured ports vulnerable to breach or exploitation, unsecured data storage and ports, and unsupported software.
- Almost one-tenth of the companies analyzed showed critical vulnerabilities, evidence of targeted threat activity, and evidence of compromise.
- 100% of the large R&D companies assessed displayed network vulnerabilities, with 66% of these companies also showing evidence of targeting.
- More than six months after the F5 and Microsoft Exchange vulnerabilities were announced, nine companies still had the vulnerabilities on their networks.
In the U.S., securing the DIB is one of the most critical national security objectives and policymakers are acutely aware of the high stakes with cyberattacks. Businesses within this sector form the backbone of the U.S. defense industry and are high-value targets for nation state adversaries and other cybercriminals. Although defense contractors face the same opportunistic threats as any business, the DIB’s biggest problem is the complexity of securing such an enormous ecosystem, spanning thousands of companies.
Govt regulations and compliance standards improving cybersecurity requirements
The introduction of new U.S. government regulations and compliance standards, such as the Cybersecurity Maturity Model Certification (CMMC), are set to improve the baseline of cybersecurity requirements. Yet, despite the discipline reflected in the new regulations, many challenges remain for smaller firms, which do not have the resources and budgets to deal with increasing, targeted cyberattacks.
There were addressable concerns for DIB companies with low organizational cybersecurity capabilities and key recommendations for improving the defense industry’s overall security efforts were provided. Key insights can help Department of Defense (DoD) and defense prime contractors focus their attention and can be used to support and extend recommendations that are present in the 2017 DSB Task Force report and in the 2020 Cyberspace Solarium Commission report and include:
- Continuous cybersecurity monitoring is a key component of a secure supply chain.
- Prime contractors can reduce their risk exposure by focusing on the most high-risk segments of their supply chain. Findings align with prior reports that R&D companies are particularly vulnerable targets for malicious insertion in the supply chain and focusing on them can reduce risk to all segments.
- Predictive analysis is possible based on quantitative measures and can provide the DoD and prime contractors with findings to help them identify and more effectively manage risk. However, more research with a larger sample size and wider variables is needed to truly measure the risk of an industry with this scale.
Commenting on the research, Austin Berglas, Global Head of Professional Services, BlueVoyant, said: “As prime contractors and other larger DIB members develop more robust and sophisticated security defenses, it’s no surprise threat actors have pivoted towards targeting SMBs within the same supply chain. In particular, manufacturers and R&D companies are lagging in terms of their own cyber posture, leaving the entire defense industry wide open to the threat of ransomware and other third-party attacks.
“For an industry with such an expansive, interconnected digital ecosystem, supply chain security should be a fundamental consideration. Prime contractors are under enormous pressure to reduce the attack surface of the entire supply chain but are partly blind to the vulnerabilities that exist. For smaller companies, identifying ongoing risks and understanding overall supply chain health is a daunting but vital process, and more attention and resources should be dedicated to combating the growing threat.”
Jim Rosenthal, CEO, BlueVoyant, concluded: “The U.S. defense supply chain is a vital national security asset, but the DIB is currently in an inefficiently secure state. In the face of relentless and successful cyber espionage, the nation’s primary focus should be on creating a secure and resilient supply chain.
“The two Executive Orders: one on American Supply Chains, and the other on Improving the Nation’s Cybersecurity, direct much-needed attention and funding to cybersecurity in the defense supply chain, but they are only the start. Closer co-operation between the DoD and the private sector is required to support a more vibrant, diverse and secure defense sector.”