The Defense Industrial Complex is one of the largest networks of businesses and organizations all focused on improving and elevating the United States’ defense capabilities and systems. Currently, over 220,000 companies of all sizes work in connection with the Department of Defense (DoD) and the various branches of the Armed Forces providing equipment, resources, and services, many of them focused on information technology solutions.
While the Pentagon and those that work in other military branches are constantly monitoring for external physical threats to the country, cybersecurity is rapidly growing in importance. With the recent pandemic and the very public SolarWinds breach, the White House in late 2021 requested over $10.4 billion in cybersecurity budget for the DoD, a sizable increase over previous budgets.
The increasing threat is very real. From January 2020 through February 2022, the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) revealed the targeting of U.S. cleared defense contractors (CDCs) by Russian state-sponsored cyber actors. In some of these cases, the actors had access to several CDC networks and their sensitive data for up to six months.
In late 2021, a report revealed that up to 20% of the United States’ top defense contractors were “highly susceptible” to a ransomware attack, with 42% having experienced a data breach in 2020 alone.
Yet the reality is that the Defense Industrial Complex, both on the government side and in the private sector, still faces many challenges when it comes to monitoring and preparing for potential cyber attacks that could disrupt their daily operations and potentially the country as well.
With that in mind, we will explore the challenges and opportunities defense cybersecurity currently faces and what improvements can be made for all involved.
Cyber Security Issues and Challenges Within the Department of Defense and Armed Forces
While cybersecurity is a top priority for the U.S. military, how the various branches actually oversee and execute cyber vigilance remains a source of internal debate. Recently, several top military officials pointed out this fact. The Navy’s Chief Information Officer recently said that he felt the Navy’s cybersecurity approach was too focused on compliance and not on readiness.
By only focusing on compliance, essentially agreeing to a standard response plan in place and not deviating from that plan, any organization can run the risk of delayed response, inadequate protection, and wasted or underutilized resources. A readiness model, when applied holistically, better allows the organization to react quickly and adapt more easily to ever-evolving threats, both internal and external.
Many other former DoD officials who worked in cybersecurity also cited the need to move away from focusing on compliance to one of speed and readiness. While such a transition might cause some early mistakes at the outset of implementation and execution, learning from those missteps would eventually lead to more success and more robust security, although it remains to be seen if the often risk-averse military will be willing to make such changes soon.
Cyber Security Protocols for Outside Partners Working with the Military
Intelligence sharing is key for successful cybersecurity. The sooner the larger collective knows about an impending threat, the quicker and better the response. That’s especially important for outside vendors and companies that work with the military, especially when it comes to protecting sensitive information.
For any new or current companies that wish to work with the defense industry, several protocols and requirements are already in place to ensure compliance and to protect both sides from potential threats.
Companies are required to complete what is known as the Cybersecurity Maturity Model Certification (CMMC), which sets the minimum cybersecurity requirements for companies. The DoD also requests that companies review the National Institute of Standards and Technology’s publication 800-171 called “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.”
In addition, if a cybersecurity incident does occur, outside companies must report the breach to the DoD Cyber Crime Center. This website is the prime gateway for a defense contractor to become a voluntary DoD public-private cybersecurity partner for those that have questions or need additional information.
While every company will likely have its own internal cybersecurity protocols, they should also adhere to the DoD’s cybersecurity recommendations.
- Maintain current architecture diagrams with hardware and software inventories to ensure quick threat response.
- Configure security settings on all devices and software.
- Employ active defenses for known threat agents and stay informed of the latest intelligence and response actions.
- Monitor device and network activity logs and look for suspicious behavior.
- Activate multi-factor authentication on all devices.
- Ensure email and browser security is up-to-date.
- Install malware protection on all networks.
- Encrypt all data both at rest and in transit.
- Train staff to respond as needed to suspicious events.
- Have contingency plans in place and ensure that emergency response/notification can respond to a cyber event.
Recommendations on Improving Defense Cyber Security Preparedness
As both the DoD and outside organizations work together to ensure cybersecurity preparedness, here are some recommendations that both sides can implement for greater protection.
Make information sharing mandatory rather than voluntary: Currently, the process for DoD partners and companies to share information on recent or potential cyber threats is strictly voluntary. While this is a good start, the problem with any kind of voluntary reporting is that relevant tips or insights will either never be shared, perhaps because an outside company feels that doing so could jeopardize their business relationship with the DoD, or the information is shared late because the company either gets too busy with other things or takes too long to formalize how they want to share the information.
Mandatory reporting is the answer. However, that will require formal policies and legislation that both the public and private sectors can agree on. While there will likely be some on both sides that will challenge the need for a formal policy, increased and timely information sharing is the first step in staying ahead of potential adversaries.
Cutting costs and streamlining protocols: As the DoD increases its partnerships with new and small businesses, making it easier for them to stay compliant and not letting costs be a deterrent is a priority. In November 2021, the DoD shared plans for updating the CMMC program to a CMMC 2.0 version. The updates are scheduled to include a streamlined model aligned with widely accepted National Institute of Standards and Technology (NIST) standards, reduced assessment costs, and waiving some CMMC requirements under limited circumstances.
The new CMMC 2.0 program, which is still undergoing review and user feedback, is scheduled to be fully implemented in 2023. Some uncertainty remains as to whether small companies, especially those who do not handle sensitive data, will still need a third-party assessment of their security instead of a self-assessment before being considered fully DoD compliant once CMMC 2.0 is launched. But any final version that makes it easier and less expensive for companies to become compliant will be a big improvement.
Put the greater defense first over individual interests: While the DoD can at times seem very bureaucratic and its goals to streamline and improve security practices slow, it’s important to note that many in DoD are aware that more needs to be done to prevent the next big cyber attack. For companies that are currently working with, or want to work with the military, don’t wait for the DoD or other agencies to do needed due diligence or upgrades within an organization’s cyber security protocols.
Be proactive. That includes keeping up-to-date with the latest cybersecurity news and best practices. Ensure that all employees and management are trained on how to spot and prevent a potential breach, even if they don’t necessarily work in IT or in a technical capacity. As the saying goes, “A chain is only as strong as its weakest link.”
Any company that seeks to work within the Defense Industrial Complex must make cyber security a top priority. Doing so will ensure the organization’s success and that our nation’s defense remains strong and secure for everyone.
Does your agency or organization need guidance or additional support to fully implement zero trust compliance? Reach out to J5 Consulting and connect with our team of IT experts.