Infiltrating the defense supply chain is one of the most insidious means by which attackers can compromise our nation’s communications and weapons systems. Successfully targeting a single component of the defense industrial base can cause a ripple effect that can significantly impact everything from data centers to war fighters in theater.
The Department of Defense’s new “Deliver Uncompromised” security initiative is designed to tackle this problem at its root cause: third-party suppliers. In essence, the DoD is requiring its suppliers to bake security into their applications from the beginning of the production process. A “good enough” approach that just clears the bar for minimal security criteria is no longer good enough. Security must be ingrained in the very fabric of the entire production process.
Security starts with people
The process starts with people. They are responsible for ensuring that the solutions that comprise the supply chain work as designed and are inherently secure. They work closely with highly sensitive and proprietary information that is attractive to enterprising hackers. They are the first line of defense.
Unfortunately, those same factors make people the most attractive attack vector. When a malicious actor wants to gain access to a component or system, it’s often easier to just steal someone’s credentials than it is to try and find their way around a firewall. Obtaining a simple password is often enough to gain access to a critical system that can then be compromised, or information that can be exploited.
Consider the well-publicized Sea Dragon hack. In that incident, Chinese hackers obtained sensor data, signals data, an electronic warfare library and more. The hackers targeted a contractor of the Naval Undersea Warfare Center, a research and development organization that is part of the Defense Industrial Supply Chain. They used that person’s credentials to access the treasure trove of data on the NUWC network, and the supply chain was compromised.
Behavioral analysis can mitigate risk
The incident may have been avoided had there been a mechanism in place to monitor users’ behavioral patterns. Being able to detect a change in human patterns — unusual access to sensitive information, for example, as was the case with Sea Dragon — can help suppliers prevent unauthorized access to information and systems. It’s an added layer that can help the supply chain remain clean and less susceptible to vulnerabilities.
The supplier can set up a system that monitors risk based on user behaviors, which can be measured against an established baseline. For example, a person might ordinarily access a particular subset of information, or have rights to make certain modifications to a solution within the supply chain. A deviation from this normal pattern of behavior could set up a trigger that signals that an anomaly has been detected. That anomaly could indicate a potential security threat — for instance, perhaps the user’s credentials have been compromised. In this scenario, the user could be automatically blocked from accessing information or performing further actions that could compromise the supply chain.
Being able to detect anomalous user behavioral patterns can be essential in protecting Controlled Unclassified Information, which many contractors are using to create new defense programs and solutions. CUI is information designated as unclassified information that must be protected from public disclosure.
For example, a supplier could be working on key components for a new aircraft. The information pertaining to those components may not be classified, but it may also not be something that the Air Force wishes to disclose for public consumption. An enterprising hacker could potentially access the credentials of a user working on this program and obtain its CUI data. They could then infiltrate the supply chain network that feeds into the program, potentially putting the entire effort at risk — even the pilots who will eventually be operating the plane.
Security: the top supply chain priority
A risk-adaptive behavioral analysis approach exemplifies the type of extensive effort that Deliver Uncompromised proposes. Deliver Uncompromised warns against doing the bare minimum when it comes to security. Indeed, it elevates security as a “4th pillar” of the acquisition process, making it equivalent to cost, schedule and performance.
In fact, the collective message the DoD is sending out with Deliver Uncompromised and its counterpart, the Defense Federal Acquisition Regulation Supplement, is that securing the supply chain must be a top priority. The DoD is telling its contractors to engage in “security-by-design,” not “security-as-an-afterthought.” Companies that do not adhere to this policy will no longer be considered trusted partners.
Those companies’ most valuable assets are their people. But those same assets can also be a vulnerable point of entry. Supply chain security must start and end with them. The DoD should consider partnering with organizations that show a commitment to securing their people as much as their technologies.
George Kamis is chief technology officer for Global Governments and Critical Infrastructure at cybersecurity company Forcepoint.