The Fifth Column Forum

Posts: 19900
Registered: 13-8-2017
Location: Perth
Member Is Offline

[*] posted on 26-10-2019 at 11:56 AM
Industry Perspective: NDIA Survey Shows Industry Must Do More For Cybersecurity


By Corbin Evans

Adoption and deployment of cyber technologies have improved the effectiveness of U.S. warfighters across the globe. From reducing the cost and lead-time for high-tech weapons production, to ensuring reliable communications across the battlefield, cyber underlies many defense innovations.

However, despite the numerous advantages of a cyber-connected world, the proliferation of cyber tools presents an array of threats and vulnerabilities that deserve the attention of decision-makers across the defense enterprise. Cybersecurity breaches are increasingly common across industry and government, with the defense industry being no exception. With the cost of these breaches reaching into the billions of dollars, demand for more robust cybersecurity controls and regulations comes from the highest levels of government and Congress.

The Defense Department seeks to address these concerns by placing a more intentional focus on data that falls outside of classified controls but remains valuable to an adversary.
Technical data, ordering information, and instructional materials are examples of data deemed “controlled unclassified information,” or CUI.

While a more exhaustive definition of CUI is still in development, requirements to protect it have been included in contracts since late 2018. The DFARS 252.204-7012 clause requires contractors abide by the 100-plus cybersecurity controls developed by the National Institute of Standards and Technology in Special Publication 800-171. The effectiveness of these controls and their impact on industry is the focus of recent research by NDIA.

The 2019 DFARS 7012 Cybersecurity Survey provides a glimpse into industry’s perspective on cybersecurity regulations current as of mid-2019. Participation from industry varied in sector, size and geographic location to provide a representative cross-section of the defense industrial base.

The survey was developed in conjunction with NDIA’s San Diego Chapter and was distributed via email and to NDIA members. The survey opened in April and ran until July. Approximately 300 responses were collected from industry representatives across the country.

Results measured notable differences in experiences across large versus small companies, primes versus subcontractors, and new entrants versus established actors. Questions gathered data about company financials, information technology processes and corporate views on current policy.

One finding is that cybersecurity breaches are pervasive across industry but range in cost and severity. Some attacks go unnoticed while others debilitate business. The defense industry has experienced a range of cyber-attack events, according to the study results. Overall, one quarter of participants have been prior victims of cyber attacks, with a concentration on businesses larger than 500 employees. Forty-four percent of these companies suffered attacks and an additional 30 percent of this group responded that they were unsure if they had been attacked.

If even half of these unsure respondents are victims, the attack rate for larger firms stands greater than 50 percent. The high frequency of attacks across the defense industry demonstrates the seriousness of the cyber risk. The question is increasingly moving away from if a company has been the victim of an attack, to when a company will experience an attack.

As the number of cyber attacks grows, so does the range of cyber-related threats. Of a list of current threats facing industry, a cyber attack from an outside actor was ranked by 43 percent of respondents as the most threatening, followed by the fear of a dismissed employee wreaking havoc on the company’s systems. Industry participants viewed threats of contract revocation or retribution for the mishandling of sensitive material as comparatively much less threatening, signaling that current mechanisms for discouraging contract violations are not viewed as a serious threat in comparison to other cyber vulnerabilities.

The growing risk to industry from cyber attacks has driven growth in information security companies offering tools and services to prevent or recover from these attacks.

Companies now have a litany of fortification products and consulting services available to help them fend off attackers in the cyber arena. These tools, of course, offer varying levels of protection and range in cost, thus adoption of them across industry varies widely.

Of the security measures presented, the presence of a firewall was cited as the most common for both small and large businesses. A similar level of adoption was seen for the use of multi-factor authentication and VPNs for remote work for large businesses, but the response saw a large drop-off of utilization of these tools among smaller companies.

Across the board there is evidence that small businesses use security measures at a rate of approximately 20 percent less than their large counterparts. Cost, lack of experienced personnel to implement secure practices, and the belief that these tools provide little benefit compared to the cost potentially explain this lower level of implementation. It is worth noting, however, the NIST 800-171 standard requires a number of these security measures, indicating many of these companies may currently fail to meet requirements.

While the lack of compliance may cause concern, one area that’s more worrisome is the levels of preparedness across industry for an attack. Only 40 percent of respondents expressed lack of confidence in their company’s ability to recover from a cyber attack within 24 hours, 30 percent claimed to not have a good sense of the cost of recovering from an attack, and small businesses are trailing large ones by 15 percentage points in agreement with the statement that “our employees are well prepared to understand and respond to cybersecurity threats.” These indicators should alert government and industry to the continued presence of significant cyber vulnerabilities across the defense industrial base.

Those in government tasked with monitoring cyber threats are clearly concerned about weaknesses in industry’s cyber fortifications. The Defense Department has focused on and actively promoted development and implementation of cyber regulations for the past few years, and continues to debate the best approaches to protecting America’s critical cyber infrastructure.

Despite this attention, a large portion of the defense industrial base remains unprepared for DFARS 7012 compliance. When asked if their company was prepared to comply with DFARS 7012, 72 percent of large businesses agreed they were prepared while only 54 percent — a slight majority — of small businesses reported readiness. Rates of actual compliance drive greater concern. Currently, 44 percent of prime contractors do not have system security plans from their subcontractors, a central tenet of DFARS 7012 compliance, and only 5 percent of prime contractors have taken corrective action against their subcontractors, allowing the risk to continue unchecked.

While adoption and compliance levels with current cybersecurity standards may concern government officials, industry’s perspective on the impact of these policies is a notable bright spot. Data from NDIA’s survey show signs senior defense industry managers are prioritizing DFARS 7012 compliance and large and small companies believe implementing DFARS 7012 standards will help them achieve a comprehensive level of security. Industry also assessed government regulations as superior to their security policies, and felt implementing these regulations would help to deter and prevent attacks from even the most determined adversaries.

While the current state of cybersecurity across the defense industrial base needs improvement and will remain a focus area for policymakers in the Pentagon and Congress, there are some clear initial steps that can immediately strengthen cyber infrastructure.

The government should begin by increasing communication and access to resources available to lower-tier, smaller members of the defense industrial base. Communication should focus on the business case for compliance. Resources should help companies achieve and maintain compliance. Pairing individual compliance requirements with communications about risk and reward strengthens the case for implementation.

For industry, prime-level contractors should amplify government communications about risk and reward. Primes should routinely and broadly share best practices, cost-saving efforts, and methods of cyber regulation compliance with not only their supply chain, but with their competitors. Overall, defense industrial base members both large and small must increase their level of preparedness to deter, defend and recover from cyber attacks. In this era of the hyper-connected battlefield, delivering superior, uncompromised capabilities to our warfighters begins by ensuring availability and reliability.

For more information about this survey and to read the full results, visit:

Corbin Evans is director of regulatory policy at NDIA.

[*] posted on 26-10-2019 at 12:03 PM

NEWS FROM EWC: SOCOM Wants ‘Cyber-Secure’ Hyper-Enabled Operators


By Connie Lee

ANNAPOLIS, Md. — Special Operations Command is working to ensure that its hyper-enabled operator concept will be “cyber secure,” a top science and technology official said Oct. 23.

In 2018, the command announced an initiative to enhance its warfighters with technologies that would provide them capabilities such as improved situational awareness.

Now, in an era when adversaries are building up their electronic warfare abilities, the command is examining how it can safely field these technologies with a cyber-secure network, said Lisa Sanders, the director of science and technology for Special Operations Forces, acquisition, technology and logistics.

SOCOM is considering questions such as: “Is it something [that requires] an algorithm on top of the communications node in order to make that cyber secure? … Is there a way to throw an encryption key on top of it so that I don’t lose it?” Sanders said.

Many of these technologies fall within the commercial domain, she said during the National Defense Industrial Association’s Expeditionary Warfare Conference in Annapolis, Maryland.

For example, the Android tactical assault kit uses the same processing board that comes with the smartphone instead of one that's specific to SOCOM, she said. The device sits on the operator’s chest and provides them with additional situational awareness.

“We're playing with those commercially available tools to try to understand where does the system break down,” Sanders said.

The command will then work to address capability gaps, she added.

SOCOM must experiment with these technologies because — unlike the commercial market — warfighters may face instances in which adversaries attempt to jam their network.

That’s something the command “does a lot of — just trying things to see how they work,” Sanders said.

Some of this experimentation will include determining how much communication is needed, she noted. SOCOM has become used to working in uncontested environments where it can perform actions such as sending full-motion videos. Now, it must consider the possibility of having no connectivity. Additionally, it is particularly difficult to communicate underseas, she noted.

“What does that do to my ability to achieve that mission?” she said. “We'll play with all [the] extremes of it, ranging from fully available satcom, what's a commercial network look like to ‘Hey look, you’ve got nothing.’”

However, SOCOM will not be able to operate without an electronic signature, she noted.

“The world is different than it was in the past, there's just too much that's out there,” she said. Going forward, operators will need to consider what type of signatures they use and how long they can use it without being detected.

“That's going to become more relevant,” Sanders said.