Nothing Seems to Stop Relentless Hackers Exfiltrating Trade Secrets
This is part five of a five-part special report on the health of the U.S. defense industrial base.
The National Defense Industrial Association’s second annual Vital Signs report on the health of the U.S. defense industrial base was released Feb. 2.
The news shocked the cybersecurity world: FireEye, a leading security company with 9,600 customers across 103 countries, had been hacked.
The perpetrator was not your run-of-the-mill hacker on his laptop, but a “highly sophisticated threat actor, one whose discipline, operational security and techniques lead us to believe it was a state-sponsored attack,” said CEO Kevin Mandia.
The attack was led by a nation with top-tier offensive capabilities, he said in a blog post in early December announcing the breach. The attack was consistent with a nation-state cyber espionage effort, with the hacker primarily seeking information related to certain government customers.
While Mandia did not call out a specific country, experts were quick to suggest it was conducted by Russia.
The country is one of the leading perpetrators of cyber espionage alongside China. Both nations are listed as great power competitors by the 2018 U.S. National Defense Strategy.
The FireEye attack is indicative of a growing trend: cyber espionage has become an increasingly pervasive threat and is on the rise.
Across the U.S. defense industrial base, companies are increasingly worried about adversaries attempting to siphon off critical information and glean insights into Defense Department weapon designs.
Contractors are bolstering their defenses, and the Pentagon is implementing new regulations through its Cybersecurity Maturity Model Certification, or CMMC, to help. But experts say that the defense industrial base remains vulnerable to attack.
In the National Defense Industrial Association’s annual report “Vital Signs 2021,” which grades the health of the defense industry, industrial security scored the lowest among eight different dimensions that shape the performance capabilities of defense contractors. It received a score of 56 out of 100 for 2020.
“Industrial security has gained prominence as massive data breaches and brazen acts of economic espionage by state and nonstate actors plagued defense contractors in recent years,” said Wesley Hallman, NDIA vice president of strategy and policy and Nick Jones, NDIA director of regulatory policy, in a summary of the document.
According to a recent report by the Center for Strategic and International Studies and security firm McAfee, the “burden” of global cybercrime has reached more than $1 trillion — with more than $945 billion in monetary loss and global spending on cybersecurity expected to exceed $145 billion in 2020.
The report — “The Hidden Costs of Cybercrime” — is in its fourth iteration. Since the 2018 version was released, the cost of cybercrimes has increased by more than 50 percent.
IP theft can represent a significant loss to agencies and companies and pose a national security risk, noted the report, which was released in December. It can be even harder to fight against when attackers are backed by a resourceful nation-state.
The defense industrial base is made up of more than 300,000 companies and only a small percentage are large, multi-billion-dollar firms, said Armando Seay, director and co-founder of the Maryland Innovation and Security Institute.
Those large “companies are pretty resilient. They’re not impervious — no one is — but they have the dollars to invest substantially in cyber resilience,” he said. But most of the firms that make up the DIB are small- and medium-sized businesses that average 50 employees or fewer.
Smaller firms are more vulnerable, he noted.
“They’re interested in making that widget. That’s what they do,” Seay said. “They’re not computer people, they’re not internet folks.”
And adversaries are taking note, he added. “When it comes to weapon systems, when it comes to software, satellites, space, data, the adversary is crawling all over the supply chain.”
According to a RAND Corp. report, “Unclassified and Secure: A Defense Industrial Base Cyber Protection Program for Unclassified Defense Networks,” cyber attacks designed to steal IP from U.S. companies are on the upswing.
The Pentagon’s approach to thwarting attacks is based on the Defense Acquisition Regulation Supplement (DFARS) 252.204-7012 and National Institute of Standards and Technology (NIST) Special Publication 800-171. However, it “appears to be inadequate,” the report said.
The document — which was released in 2020 — said that as of July 2019, no defense industrial base firm had been able to fully implement the cybersecurity controls specified in NIST SP 800-171 and that some medium-sized firms will not have the resources to comply with it.
Further, it noted that DFARS 252.204-7012 assumes that controlled unclassified information, or CUI, “flows down from the prime contractors, with primes responsible for denying a subcontractor access to CUI if the subcontractor does not comply with regulation.
“However, many subcontractors are in business because of their trade secrets. CUI exists at all levels of the supply chain,” the study noted.
CUI on unclassified defense industrial base networks is vulnerable to theft by foreign actors. “The persistent attacks and hemorrhaging of critical information and technology from unclassified networks, coupled with associated significant financial losses, erodes the U.S. DIB and threatens U.S. military advantage over the long term,” the report said.
Even the Pentagon’s much-talked-about CMMC effort — which requires the defense industry to better protect CUI — is not sufficient, RAND said.
“Our cost analysis indicates that most small DIB firms may not be able to afford the cyber defenses that could be mandated by the CMMC, and many medium-sized DIB firms may face the same challenges, especially if held to the highest compliance levels of the CMMC.”
Additionally, the cybersecurity architectures of small firms are likely to be “deficient” in several areas including authentication, network defenses, vulnerability scanning, software patching, and security information and event management, the report said.
RAND recommended the Defense Department establish what it called a DIB Cyber Protection Program, or DCP2, that would improve real-time monitoring of the health of industry networks, bolster cybersecurity, and offer data and legal protections.
“The DCP2 would be a voluntary program under which DoD would provide [cybersecurity tools] to DIB firms either free of charge or at significantly reduced licensing costs,” the report said. “In turn, the DIB firms would agree to provide sanitized data … to a security operations center — either one run by DoD or a trusted third-party SOC — devoted exclusively to defending the DIB.”
This security center would provide dynamic intelligence, security alerts and recommendations to defense contractors to identify and remediate advanced persistent threat incursions.
China is the leading actor behind global cyber espionage, according to the CSIS report.
“Economic espionage to benefit national industry has long been a hallmark of China’s economic policy,” the report said. “China accounts for roughly 80 percent of all economic espionage cases in the U.S., and it has cost the U.S. economy around half a trillion to a trillion dollars of damage.”
Doug Howard, CEO of Pondurance, an Indiana-based cybersecurity company, said China is the adversary that gets the most press and attention.
Beijing takes a “shotgun” approach to its cyberespionage tactics, he said.
China’s thinking is: “I’m going to go after everything, and I’ll never worry about them seeing me. I’m just going to try to get in, and I’m going to break in, because ... the hygiene of [the] security is pretty weak,” Howard said.
Maiya Clark, a research assistant at the Heritage Foundation’s Center for National Defense, said China’s interests are widespread. It is looking for information on capabilities such as autonomous vehicles, semiconductors, cloud computing, aviation, space and maritime technology.
To determine what Beijing is after, officials need only take a look at the country’s “Made in China 2025” strategy, said a report by the Harvard Kennedy School’s Belfer Center for Science and International Affairs titled, “Confronting China’s Effort to Steal Defense Information.”
“The industries identified in this strategy either directly or indirectly impact the United States’ ability to wage — or defend against — military action against its adversaries,” said author Jeffrey Jones in the May 2020 report.
The report estimated that $300 billion per year is lost due to Chinese cyber espionage activities.
“The sheer magnitude of the value of the theft is alarming; however, the Chinese government is compounding the severity of the problem by releasing the results of this corporate theft to leading Chinese companies so that they can accelerate their research-and-development efforts without having to spend any money or devote the massive amounts of time and resources necessary to arrive at the information on their own,” it said.
Russia takes a stealthier and more sophisticated approach to its cyber attacks compared to China, Howard said.
“They will take years and years and years to compromise something,” he said. “Their dwell time is extremely high relative to ... somebody like China.”
Moscow is looking for assets such as code from the U.S. defense industrial infrastructure, he said. It also focuses on broad compromises of organizations, targeting network and security providers, he noted weeks before the FireEye breach was announced.
Those companies “would be high value targets because if they can compromise a security technology that is broadly deployed, you can imagine the havoc that that would attain,” he said. “That’s not an easy thing to do. You’re not just going to hack into the average security company and steal their code. But if you were successful, and if you spent two years or three years doing that and had great success, you can imagine the havoc that would happen.”
Cyber attacks are also coming from the Korean Peninsula and the Middle East, but China and Russia remain the most pressing concerns, Howard noted.
Meanwhile, the U.S. government is taking note. At the Pentagon’s Joint Artificial Intelligence Center, officials are reminded every day that the AI space is a competitive environment and that adversaries are interested in stealing its work, said Marine Corps Lt. Gen. Michael Groen, director of the organization.
“We are wide awake to the threat posed by foreign actors especially who have a proven track record of stealing intellectual property from wherever they can get their hands,” he said. “We’re going to try to provide an effective defense to ensure that doesn’t happen.”
The organization has developed a number of cybersecurity tools that can help industry better detect threats in their networks, he noted during a briefing with reporters in November.
“We have to be able to ascertain our data,” he said. “We have to know its provenance. We have to know that the networks that we pass that data on are sound and secure.”
What can contractors do to help stem the hemorrhaging of critical information? They should always assume that they are being targeted, said Richard Chitamitre, a federal sales engineer at Corelight, a network security company based in San Francisco.
“You should always assume that you are compromised and that adversaries are hiding in plain sight and pretending to look like normal traffic,” he said. “The moment that they start to take data it’s ... usually going to be a bit too late because by the time you find out and you’ve installed the security camera, they’ve already walked out the door.”