Industry Perspective: NDIA Survey Shows Industry Must Do More For Cybersecurity
Adoption and deployment of cyber technologies have improved the effectiveness of U.S. warfighters across the globe. From reducing the cost and lead-time for high-tech weapons production, to ensuring reliable communications across the battlefield, cyber underlies many defense innovations.
However, despite the numerous advantages of a cyber-connected world, the proliferation of cyber tools presents an array of threats and vulnerabilities that deserve the attention of decision-makers across the defense enterprise. Cybersecurity breaches are increasingly common across industry and government, with the defense industry being no exception. With the cost of these breaches reaching into the billions of dollars, demand for more robust cybersecurity controls and regulations comes from the highest levels of government and Congress.
The Defense Department seeks to address these concerns by placing a more intentional focus on data that falls outside of classified controls but remains valuable to an adversary.
Technical data, ordering information, and instructional materials are examples of data deemed “controlled unclassified information,” or CUI.
While a more exhaustive definition of CUI is still in development, requirements to protect it have been included in contracts since late 2018. The DFARS 252.204-7012 clause requires that contractors abide by the 100-plus cybersecurity controls developed by the National Institute of Standards and Technology in Special Publication 800-171. The effectiveness of these controls and their impact on industry are the focus of recent research by NDIA.
The 2019 DFARS 7012 Cybersecurity Survey provides a glimpse into industry’s perspective on cybersecurity regulations current as of mid-2019. Participation from industry varied in sector, size and geographic location to provide a representative cross-section of the defense industrial base.
The survey was developed in conjunction with NDIA’s San Diego Chapter and was distributed via email and to NDIA members. The survey opened in April and ran until July. Approximately 300 responses were collected from industry representatives across the country.
Results measured notable differences in experiences across large versus small companies, primes versus subcontractors, and new entrants versus established actors. Questions gathered data about company financials, information technology processes and corporate views on current policy.
One finding is that cybersecurity breaches are pervasive across industry but range in cost and severity. Some attacks go unnoticed while others debilitate business. The defense industry has experienced a range of cyber-attack events, according to the study results. Overall, one quarter of participants have been prior victims of cyber attacks, with a concentration on businesses larger than 500 employees. Forty-four percent of these companies suffered attacks and an additional 30 percent of this group responded that they were unsure if they had been attacked.
If even half of these unsure respondents are victims, the attack rate for larger firms stands greater than 50 percent. The high frequency of attacks across the defense industry demonstrates the seriousness of the cyber risk. The question is increasingly moving away from if a company has been the victim of an attack, to when a company will experience an attack.
As the number of cyber attacks grows, so does the range of cyber-related threats. Of a list of current threats facing industry, a cyber attack from an outside actor was ranked by 43 percent of respondents as the most threatening, followed by the fear of a dismissed employee wreaking havoc on the company’s systems. Industry participants viewed threats of contract revocation or retribution for the mishandling of sensitive material as comparatively much less threatening, signaling that current mechanisms for discouraging contract violations are not viewed as a serious threat in comparison to other cyber vulnerabilities.
The growing risk to industry from cyber attacks has driven growth in information security companies offering tools and services to prevent or recover from these attacks.
Companies now have a litany of fortification products and consulting services available to help them fend off attackers in the cyber arena. These tools, of course, offer varying levels of protection and range in cost, thus adoption of them across industry varies widely.
Of the security measures presented, the presence of a firewall was cited as the most common for both small and large businesses. A similar level of adoption was seen for the use of multi-factor authentication and VPNs for remote work for large businesses, but the response saw a large drop-off of utilization of these tools among smaller companies.
Across the board there is evidence that small businesses use security measures at a rate of approximately 20 percent less than their large counterparts. Cost, lack of experienced personnel to implement secure practices, and the belief that these tools provide little benefit compared to the cost potentially explain this lower level of implementation. It is worth noting, however, the NIST 800-171 standard requires a number of these security measures, indicating many of these companies may currently fail to meet requirements.
While the lack of compliance may cause concern, an area that is more worrisome is the level of preparedness across industry for an attack. Only 40 percent of respondents expressed lack of confidence in their company’s ability to recover from a cyber attack within 24 hours, 30 percent claimed to not have a good sense of the cost of recovering from an attack, and small businesses are trailing large ones by 15 percentage points in agreement with the statement that “our employees are well prepared to understand and respond to cybersecurity threats.” These indicators should alert government and industry to the continued presence of significant cyber vulnerabilities across the defense industrial base.
Those in government tasked with monitoring cyber threats are clearly concerned about weaknesses in industry’s cyber fortifications. The Defense Department has focused on and actively promoted development and implementation of cyber regulations for the past few years, and continues to debate the best approaches to protecting America’s critical cyber infrastructure.
Despite this attention, a large portion of the defense industrial base remains unprepared for DFARS 7012 compliance. When asked if their company was prepared to comply with DFARS 7012, 72 percent of large businesses agreed they were prepared, while only 54 percent of small businesses (a slight majority) reported readiness. Rates of actual compliance drive greater concern. Currently, 44 percent of prime contractors do not have system security plans from their subcontractors, a central tenet of DFARS 7012 compliance, and only 5 percent of prime contractors have taken corrective action against their subcontractors, allowing the risk to continue unchecked.
While adoption and compliance levels with current cybersecurity standards may concern government officials, industry’s perspective on the impact of these policies is a notable bright spot. Data from NDIA’s survey show signs that senior defense industry managers are prioritizing DFARS 7012 compliance, and that large and small companies believe implementing DFARS 7012 standards will help them achieve a comprehensive level of security. Industry also assessed government regulations as superior to their own security policies, and felt implementing these regulations would help to deter and prevent attacks from even the most determined adversaries.
While the current state of cybersecurity across the defense industrial base needs improvement and will remain a focus area for policymakers in the Pentagon and Congress, there are some clear initial steps that can immediately strengthen cyber infrastructure.
The government should begin by increasing communication and access to resources available to lower-tier, smaller members of the defense industrial base. Communication should focus on the business case for compliance. Resources should help companies achieve and maintain compliance. Pairing individual compliance requirements with communications about risk and reward strengthens the case for implementation.
For industry, prime-level contractors should amplify government communications about risk and reward. Primes should routinely and broadly share best practices, cost-saving efforts, and methods of cyber regulation compliance with not only their supply chain, but with their competitors. Overall, defense industrial base members both large and small must increase their level of preparedness to deter, defend and recover from cyber attacks. In this era of the hyper-connected battlefield, delivering superior, uncompromised capabilities to our warfighters begins by ensuring availability and reliability.
For more information about this survey and to read the full results, visit NDIA.org/CyberStudy2019.
Corbin Evans is director of regulatory policy at NDIA.