Next-Generation Program Protection: The Next Federal Cybersecurity Challenge


As the government aims to buy more innovative products, we must make critical advancements in program protection. 

Partnerships between the U.S. government and America’s vibrant private sector have always been a key part of keeping the world safe, but the same independence that allows vendors and contractors to provide innovative new solutions also poses a risk to government data and programs. As the Defense Department and federal civilian agencies empower their workforces to increase the speed of acquisition and deliver better, more innovative solutions—a paradigm shift that Undersecretary of Defense for Acquisition and Sustainment Ellen Lord called “the most transformational acquisition policy change we’ve seen in decades”—we must balance the promise of speed and innovation that it brings with critical advancement in program protection. 

The government’s lack of full visibility and control over its vendors’ cybersecurity practices creates an inherent “trust but verify” framework for vendors entrusted with the most sensitive projects in aerospace and defense, vaccine development, nuclear energy and other sensitive areas. This is especially critical in the emerging fields of artificial intelligence and machine learning, where an increasing number of vendors find themselves delivering not completed parts or schematics, but lines of code and datasets that will power the next generation of U.S. defense and intelligence systems. The recent hack of SolarWinds—in which a suspected nation-state actor subverted legitimate update files to penetrate numerous customer networks—is proof positive of the significant damage that can be done by compromising the digital supply chain.

The upcoming introduction of DOD’s Cybersecurity Maturity Model Certification, or CMMC, and other cybersecurity standards acknowledge the importance of these vendors’ work. This mandate also attempts to nullify the unfortunate cyber adage of “assume breach.” In order to be effective and comprehensive, a program protection model should start where an attacker would first begin to surveil a vendor in cyberspace: in its exposed internet presence, such as websites, file transfer services and remote access protocols. This is where all adversaries—whether criminal hackers or nation-state actors—start.

Based on extensive work with government and aerospace and defense clients, I believe that the primary cyber risks to vendors occur across three categories: adversarial access, perimeter hygiene and identity security. 

Adversarial Access

Assessing the risks associated with a vendor requires first assessing the degree to which an adversary may have physical or technical access to its systems. This access can take place via physical surveillance of infrastructure located in adversary countries—both in vendor-owned premises and in low-cost, adversary country-run cloud providers. It can also take place via backdoors embedded in technology, as acknowledged by U.S. government prohibitions against hardware made by Huawei, ZTE, Hikvision and others, and software made by Kaspersky. For example, the U.S. government proscription against Kaspersky software in vendor networks derives from DOD and intelligence concerns that adoption of Kaspersky would give privileged access to vendors’ computers to a company that one former CIA officer said: “could be, if it’s not already, under the control of Putin.”

Perimeter Hygiene

The perimeter security of a vendor’s virtual presence is as important as securing the perimeter of its physical premises. As acknowledged by the CMMC’s inclusion of domains like “access control” and “asset management,” program offices and primes should have a robust view into the entirety of their vendors’ internet-facing assets and confidence in their control over access into those services. As further documented in “risk management” and “security assessment,” vendor managers should also be assured that their vendors are consistently evaluating and making informed decisions on the risks present on their perimeter. The EternalBlue exploit and the WannaCry ransomware attacks that it powered—attacks that were estimated to have caused almost $4 billion in damage—were based on a perimeter security vulnerability in Microsoft’s SMB protocol.

Identity Security

The final pillar of maintaining a trusted risk relationship with vendors is digital identity security. Digital certificates have long been the backbone of data security and integrity on the internet, but they are vulnerable to misconfiguration and insecurity due to neglect or a focus on expediency in setting up network standards. At best, neglecting certificates can foster bad cybersecurity practices in a vendor’s workforce; at worst, it can lead to actual cryptographic insecurities that could put the vendor’s or the government’s data at risk. Although the risk associated with these cryptographic insecurities requires an extremely sophisticated attacker to exploit, the public exposure of Flame malware provides one example of an attack that could be mounted by exploiting insecure cryptographic algorithms.

Monitoring and managing these three dimensions of risk across vendors is non-trivial and requires the capability to identify, analyze and operationalize large amounts of data in an appropriate time frame. Understanding a vendor’s cyber risk posture requires identifying its entire perimeter—not just its advertised and declared websites and services. Active or inactive development servers, “shadow IT” from mergers and acquisitions or rogue employees, and undocumented network infrastructure can all provide points of access or potential data exfiltration from a vendor’s network. Perimeter visibility becomes increasingly difficult as vendors—particularly in high-tech industries—migrate to more cloud-based or even cloud-native infrastructures. The constantly shifting network perimeter created in a cloud environment means programs and primes will need agile collection and analytic capabilities that scale and maintain visibility at a global level, regardless of vendor size.
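The perimeter-hygiene argument above (and in the Perimeter Hygiene section) boils down to a reconciliation: compare what a vendor declares it exposes with what is actually observable from the internet, and flag both undeclared assets and high-risk exposed services such as SMB. The following is an added example of that check, not code from the original article or from Expanse; the inventory format, the sample hosts and the list of risky ports are constructed for illustration.

```python
"""Reconcile a vendor's declared internet-facing assets against the
perimeter actually observed from outside (constructed example)."""
from dataclasses import dataclass

# Services whose internet exposure a program office would treat as a
# hygiene failure. Port 445 (SMB) is the EternalBlue/WannaCry vector
# the article cites; the rest are assumed additions for illustration.
RISKY_SERVICES = {445: "smb", 139: "netbios", 3389: "rdp", 23: "telnet"}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    reason: str


def assess_perimeter(declared, observed):
    """declared: {host: set(ports)} the vendor says it exposes.
    observed:   {host: set(ports)} seen by external discovery.
    Returns one Finding per discrepancy or risky exposure."""
    findings = []
    for host, ports in observed.items():
        known = declared.get(host)
        for port in sorted(ports):
            if known is None:
                findings.append(Finding(host, port, "undeclared asset (shadow IT)"))
            elif port not in known:
                findings.append(Finding(host, port, "undeclared service on declared asset"))
            if port in RISKY_SERVICES:
                findings.append(Finding(host, port, f"internet-exposed {RISKY_SERVICES[port]}"))
    # Declared hosts that were not observed at all may be stale inventory.
    for host in sorted(set(declared) - set(observed)):
        findings.append(Finding(host, 0, "declared but not observed (stale inventory?)"))
    return findings


# Constructed sample data (hostnames and the IP are documentation values).
DECLARED = {"www.vendor.example": {443}, "sftp.vendor.example": {22},
            "legacy.vendor.example": {443}}
OBSERVED = {
    "www.vendor.example": {443, 445},   # declared host, SMB unexpectedly exposed
    "sftp.vendor.example": {22},        # matches the declaration exactly
    "203.0.113.7": {3389},              # undeclared host running RDP
}

if __name__ == "__main__":
    for f in assess_perimeter(DECLARED, OBSERVED):
        print(f"{f.host}:{f.port} - {f.reason}")
```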

Keeping an up-to-date, actionable picture of vendor cyber risk demands high-speed analysis and collection capabilities. Risk assessors and cybersecurity experts must be able to keep up with not only the changing nature of vendor networks but also the ever-changing services and connections emerging from their network perimeter.

Finally, operationalizing this data requires program offices and primes to provide context and risk counseling across a large number of vendors. While a small number of risk factors, such as Kaspersky and 889(b)-banned equipment, are proscribed by law and regulations, most program protection offices and primes must rely on influence rather than authority to drive change in vendor cybersecurity processes.

Matt Kraning is the chief technology officer and co-founder of Expanse and a former DARPA consultant who holds a Ph.D. in electrical engineering from Stanford University. Additional contributors to this piece include Adam Maruyama, Jeff Vance, and Zach Gore.
