The defense industrial base is a prime target for cyber disruption

Cyber threats against the defense industrial base (DIB) are intensifying, with adversaries shifting from traditional espionage toward operations designed to disrupt production capacity and compromise supply chains.

In this Help Net Security interview, Luke McNamara, Deputy Chief Analyst, Google Threat Intelligence Group, explains how attackers target the broader defense ecosystem and why identity has become the new security boundary.


At a strategic level, how do cyber operations against the defense industrial base differ from espionage campaigns against government agencies?

Operations against government agencies often focus on immediate intelligence collection to gain tactical advantages during policy and trade negotiations, or even battlefield support. Campaigns against the DIB, however, are frequently designed for intellectual property and R&D theft, as well as staging access in preparation for a future wartime environment.

A critical strategic goal against the DIB is compromising the industrial base supply chain to degrade a nation’s ability to surge defense components in a wartime environment. This targets the production capacity itself, rather than just the secrets held by government agencies.

What is the most misunderstood risk assumption defense contractors still make about who adversaries are targeting?

The biggest risk assumption I still see is believing threat actors only focus on large defense contractors. The reality is that threat actors are targeting the entire defense ecosystem, from massive prime contractors down to startups building niche products. This is especially true with companies that provide dual-use components used for both civilian and military purposes, like drones. This sector is frequently hit by ransomware and extortion attacks, impacting the defense supply chain indirectly.

What does a mature threat intelligence program look like in an organization that cannot afford to chase every alert?

Instead of trying to detect every potential exploit, organizations should focus on foundational measures that increase visibility, ensure segregation of identities, and enforce rigorous authentication control. By enforcing rigorous authentication and identity segregation, you force the attacker to work harder and take actions that are inherently suspicious, which turns your defense into detection.

Don’t just look at the MITRE ATT&CK framework as a checklist. Build a profile tailored around which threat actors actually target your specific sector. If you build underwater acoustics, your profile should focus on the TTPs of actors known for maritime espionage. A mature program also builds detection logic based on specific Tactics, Techniques, and Procedures (TTPs).
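The answer above argues that identity segregation and strict authentication make an intruder's necessary moves look anomalous, so the same controls double as detections. The following Python block is an added example, not code from the interview or from Google Threat Intelligence Group, showing what that looks like in practice: a small identity inventory with tiers (tier-0 admin, service account, ordinary user), a constructed set of privileged-access workstations, and a handful of rules run over constructed JSON authentication events. The account names, hostnames, field names and rule names are all assumptions made for illustration.

```python
"""Identity-segregation detections over constructed authentication events.

Added example, not part of the original interview. It shows how tiering
identities turns policy violations (an admin logging on from an ordinary
laptop, a service account used interactively, an account nobody
inventoried, a human logon without MFA) into high-signal alerts.
Every log line, tier, hostname and rule name below is constructed.
"""
import json
from dataclasses import dataclass

# Constructed identity inventory: the tier each account belongs to.
# T0 = domain/cloud admin, SVC = non-interactive service account,
# USER = ordinary engineer account.
IDENTITY_TIER = {
    "alice.admin": "T0",
    "svc-buildbot": "SVC",
    "bob.eng": "USER",
}

# Constructed set of privileged-access workstations: the only hosts a
# tier-0 identity is allowed to authenticate from.
PAW_HOSTS = {"paw-01", "paw-02"}


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    host: str
    detail: str


def parse_event(line: str) -> dict:
    """Each constructed log line is one JSON object with ts, user,
    src_host, logon_type and mfa fields (assumed schema)."""
    return json.loads(line)


def evaluate(event: dict) -> list[Alert]:
    """Apply the segregation rules to one event; return any alerts."""
    user = event["user"]
    host = event["src_host"]
    tier = IDENTITY_TIER.get(user, "UNKNOWN")
    alerts: list[Alert] = []

    # Rule 1: tier-0 credentials must only be used from a PAW.
    if tier == "T0" and host not in PAW_HOSTS:
        alerts.append(Alert("t0_outside_paw", user, host,
                            "tier-0 logon from a non-PAW host"))

    # Rule 2: service accounts never log on interactively; a human
    # (or an attacker) holding the credential has to break this.
    if tier == "SVC" and event["logon_type"] == "interactive":
        alerts.append(Alert("svc_interactive", user, host,
                            "service account used interactively"))

    # Rule 3: every identity must be in the inventory; an unknown
    # account authenticating is itself the signal.
    if tier == "UNKNOWN":
        alerts.append(Alert("unknown_identity", user, host,
                            "account not in identity inventory"))

    # Rule 4: any non-service logon without MFA violates policy.
    if event.get("mfa") is False and event["logon_type"] != "service":
        alerts.append(Alert("mfa_missing", user, host,
                            "non-service logon without MFA"))

    return alerts


def detect(lines) -> list[Alert]:
    """Run every rule over every line, preserving log order."""
    return [a for line in lines for a in evaluate(parse_event(line))]


# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    '{"ts":"2024-05-01T08:00:00Z","user":"alice.admin","src_host":"paw-01","logon_type":"interactive","mfa":true}',
    '{"ts":"2024-05-01T08:05:00Z","user":"alice.admin","src_host":"eng-laptop-17","logon_type":"interactive","mfa":true}',
    '{"ts":"2024-05-01T08:07:00Z","user":"svc-buildbot","src_host":"build-03","logon_type":"service","mfa":false}',
    '{"ts":"2024-05-01T08:09:00Z","user":"svc-buildbot","src_host":"eng-laptop-17","logon_type":"interactive","mfa":false}',
    '{"ts":"2024-05-01T08:12:00Z","user":"bob.eng","src_host":"eng-laptop-04","logon_type":"remote","mfa":false}',
    '{"ts":"2024-05-01T08:15:00Z","user":"contractor9","src_host":"vpn-pool","logon_type":"remote","mfa":true}',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"[{alert.rule}] {alert.user}@{alert.host}: {alert.detail}")
```

Only the first and third constructed events are clean; the others each trip a rule, and the interactive use of svc-buildbot from an engineer's laptop trips two. The point is that none of the rules needs exploit signatures: because the inventory says what each identity is for, a credential used outside its lane is suspicious on its own, which is the "defense into detection" effect the answer describes.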

How should leaders think about identity as the primary security boundary, especially in defense supply chains?

The attack surface has expanded beyond corporate networks to include targeting personal emails, professional networking profiles, as well as private devices. An engineer’s personal LinkedIn or a developer’s private GitHub is just as much a part of the attack surface as the corporate firewall. Leaders must adopt a “zero-perimeter” mindset where the identity of humans, machines, and software becomes the enforcement point.

Security boundaries should also extend to third-party vendors. Leaders should know the identity standards of their vendors and ensure that suppliers adhere to similar identity and security standards.
