As the government aims to buy more innovative products, we must make critical advancements in program protection.
Partnerships between the U.S. government and America’s vibrant private sector have always been a key part of keeping the world safe, but the same independence that allows vendors and contractors to provide innovative new solutions also poses a risk to government data and programs. As the Defense Department and federal civilian agencies empower their workforces to increase the speed of acquisition and deliver better, more innovative solutions—a paradigm shift that Undersecretary of Defense for Acquisition and Sustainment Ellen Lord called “the most transformational acquisition policy change we’ve seen in decades”—we must balance the promise of speed and innovation that it brings with critical advancement in program protection.
The government’s lack of full visibility and control over its vendors’ cybersecurity practices creates an inherent “trust but verify” framework for vendors entrusted with the most sensitive projects in aerospace and defense, vaccine development, nuclear energy and other sensitive areas. This is especially critical in the emerging fields of artificial intelligence and machine learning, where an increasing number of vendors find themselves delivering not completed parts or schematics, but lines of code and datasets that will power the next generation of U.S. defense and intelligence systems. The recent hack of SolarWinds—in which a suspected nation-state actor subverted legitimate update files to penetrate numerous customer networks—is proof positive of the significant damage that can be done by compromising the digital supply chain.
The upcoming introduction of DOD’s Cybersecurity Maturity Model Certification, or CMMC, and other cybersecurity standards acknowledge the importance of these vendors’ work. This mandate also attempts to nullify the unfortunate cyber adage of “assume breach.” In order to be effective and comprehensive, a program protection model should start where an attacker would first begin to surveil a vendor in cyberspace: in its exposed internet presence, such as websites, file transfer services and remote access protocols. This is where all adversaries—whether criminal hackers or nation-state actors—start.
Based on extensive work with government and aerospace and defense clients, I believe that the primary cyber risks to vendors occur across three categories: adversarial access, perimeter hygiene and identity security.
Assessing the risks associated with a vendor requires first assessing the degree to which an adversary may have physical or technical access to their systems. This access can take place via physical surveillance of infrastructure located in adversary countries—both in vendor-owned premises and in low-cost, adversary country-run cloud providers. It can also take place via backdoors embedded in technology, as acknowledged by U.S. government prohibitions against hardware made by Huawei, ZTE, Hikvision and others, and software made by Kaspersky. For example, the U.S. government proscription against Kaspersky software in vendor networks derives from DOD and intelligence concerns that adoption of Kaspersky would put give privileged access to vendors’ computers to a company that one former CIA officer said: “could be, if it’s not already, under the control of Putin.”
The perimeter security of a vendor’s virtual presence is as important as securing the perimeter of its physical premises. As acknowledged by the CMMC’s inclusion of domains like “access control” and “asset management,” program offices and primes should have a robust view into the entirety of their vendors’ internet-facing assets and confidence in their control over access into those services. As further documented in “risk management” and “security assessment,” vendor managers should also be assured that their vendors are consistently evaluating and making informed decisions on the risks present on their perimeter. The ETERNAL BLUE exploit and the WANNACRY ransomware attacks that it powered—an attack that was estimated to have caused almost $4 billion in damage—were based on a perimeter security vulnerability in Microsoft’s SMB protocol.
The final pillar of maintaining a trusted risk relationship with vendors is digital identity security. Digital certificates have long been the backbone of data security and integrity on the internet, but they are vulnerable to misconfiguration and insecurity due to neglect or a focus on expediency in setting up network standards. At best, neglecting certificates can foster bad cybersecurity practices in a vendor’s workforce; at worst, it can lead to actual cryptographic insecurities that could put the vendor’s or the government’s data at risk. Although the risk associated with these cryptographic insecurities requires an extremely sophisticated attacker to exploit, the public exposure of Flame malware provides one example of an attack that could be mounted by exploiting insecure cryptographic algorithms.
Monitoring and managing these three dimensions of risks across vendors is non-trivial and requires the capability to identify, analyze and operationalize large amounts of data in an appropriate time frame. Understanding a vendor’s cyber risk posture requires identifying its entire perimeter—not just its advertised and declared websites and services. Active or inactive development servers, “shadow IT” from mergers and acquisitions or rogue employees, and undocumented network infrastructure can all provide points of access and or potential data exfiltration from a vendor’s network. Perimeter visibility becomes increasingly difficult as vendors—particularly in high-tech industries—migrate to more cloud-based or even cloud-native infrastructures. The constantly-shifting network perimeter created in a cloud environment means programs and primes will need agile collection and analytic capabilities that scale and maintain visibility at a global level, regardless of vendor size.
Keeping an up-to-date, actionable picture of vendor cyber risk demands high-speed analysis and collection capabilities. Risk assessors and cybersecurity experts must be able to keep up with not only the changing nature of vendor networks but also the ever-changing services and connections emerging from their network perimeter.
Finally, operationalizing this data requires program offices and primes to provide context and risk counseling across a large number of vendors. While a small number of risk factors, such as Kaspersky and 889(b)-banned equipment, are proscribed by law and regulations, most program protection offices and primes must rely on influence rather than authority to drive change in vendor cybersecurity processes.
Matt Kraning is the chief technology officer and co-founder of Expanse and former DARPA consultant who holds a Ph.D in electrical engineering from Stanford University. Additional contributors to this piece include Adam Maruyama, Jeff Vance, and Zach Gore.