How defense contractors can move from cybersecurity to cyber resilience

As the world’s most powerful military and economic power, the United States also holds another, less impressive distinction: Cyber threat actors target the US more than any other country in the world.

In 2022 alone, the FBI received more than 800,000 cybercrime-related complaints, with losses totaling over $10 billion, according to the agency’s latest Internet Crime Complaint Center (IC3) report — a leap of $3.4 billion from the previous year. As cybercriminals grow in sophistication, the rate and severity of attacks is expected to only increase. According to the World Economic Forum’s 2023 Global Cybersecurity Outlook, 86% of business leaders and an even higher percentage of cyber leaders, 93%, believe a catastrophic cyber event is likely in the next two years due to global geopolitical instability.

For defense contractors, who work with some of our country’s most sensitive information, establishing effective cybersecurity protocols takes on an added layer of importance. Having that information accessed and exploited by malicious actors could have far-reaching effects that includes endangering our national security.

While the US federal government has been in perpetual rulemaking on the Cybersecurity Maturity Model Certification (CMMC) program, it continues to require Department of Defense contractors to meet a series of cybersecurity requirements through contract clauses. In addition, it has continued to boost funding for the Cybersecurity and Infrastructure Security Agency (CISA) to a proposed $3.1 billion for FY2024. These well-intentioned efforts fail to grasp the extent of the danger we face. In fact, CMMC regulations themselves might actually be contributing to the problem.

That’s because the way the government goes about defense contracting doesn’t align with how compliance is actually met. The methods by which defense contractors have attempted to achieve cyber resiliency are completely different from what they may have to do to meet CMMC requirements — and for some businesses, the costs to continue participating in federal contracting opportunities can become so burdensome that they’re no longer worth it.

The commercial space can be similarly profitable for these companies, and the barriers for entry are not nearly as high. Ultimately, this attrition deprives our country of having the best and brightest minds working toward our national defense.

The cybercrimes we typically hear about are isolated attacks experienced by individual businesses or organizations, which might unintentionally create a false sense of security for those who haven’t knowingly experienced a breach, thereby leaving them to assume their defenses are adequate. But as we continue to become increasingly interconnected through our reliance on shared technology like satellite-assisted GPS systems, an attack on one organization can affect all of us.

We’re thinking way too small about a coordinated cyberattack’s capacity for creating major disruption to our daily lives. One recent, vivid illustration of that fact happened in 2022, when the Russia-linked cybercrime group Conti launched a series of prolonged attacks on the core infrastructure of the country of Costa Rica, plunging the country into chaos for months. Over a period of two weeks, Conti tried to breach different government organizations nearly every day, targeting a total of 27 agencies. Soon after that, the group launched a separate attack on the country’s health care system, causing tens of thousands of appointments to be canceled and patients to experience delays in getting treatment. The country declared a national emergency and eventually, with the help of allies around the world including the United States and Microsoft, regained control of its systems.

The US federal government’s strict compliance standards often impede businesses from excelling beyond the most basic requirements. Compliance is the lowest rung on a ladder that also includes maturity, and at the very top, effectiveness. To put it another way, compliance is locking the door, maturity is doing it every single time, and effectiveness is locking every realistic access point.

If you’re a defense contractor, you can begin moving past compliance, past maturity and into effectiveness by following these steps:

1. Establishing a baseline against which you can measure your progress. You need to know where you are to understand where you’re going, so delve into the fine points of your cybersecurity strategy and make a clear-eyed assessment of how they measure up against others in your industry. If you need assistance making this kind of evaluation, you can always hire a cybersecurity firm to help.

2. Understanding your mission and what you’re trying to protect, rather than chasing vulnerabilities. Instead of running down a checklist and attempting to patch every possible hole in your cybersecurity defenses, think about what specific things our adversaries might want from you. What does your business do that is truly valuable? Once you determine which assets are most essential for your business to protect, you can begin building a plan that centers around that.

3. Creating a design basis threat (DBT). This is a set of specific threat profiles that your cybersecurity efforts will be built to withstand. This helps to filter out noise, save time and reduce false alarms, ultimately resulting in a more resilient system.

As technology becomes increasingly complex, it can be difficult for even security-conscious businesses to keep up. Throwing money at the problem won’t fix it; with bad actors already in place and ready to strike, the only way to maintain cyber resilience is through a focused, deliberate strategy.

Rather than assessing your business’s cyber success based on whether you’ve been breached and end up in the news, consider how the protection of your critical data fits into the bigger picture. Good cyber hygiene for one organization improves the cybersecurity for the entire United States, making every business, in a way, a national security practitioner. Make sure the way you run your business’s cybersecurity takes that responsibility into account.