Those vulnerabilities are dangerous for the companies, but they’re even more concerning when you consider the nature of the defense sector — a massive interlocking web of contractors and subcontractors all sharing sensitive information on military projects worth billions of dollars.
That means an adversary who hacks into any one of those smaller defense companies would have a far easier path to infecting one of the larger and better- protected companies it works with.
“We want [this sector] to be better protected because it’s so important and critical to national security, but it’s not,” Austin Berglas, global head of professional services at BlueVoyant, told me.
Indeed, it was just such a supply-chain breach of the network monitoring firm SolarWinds that allowed Kremlin hackers to compromise a slew of major companies and federal agencies.
Supply-chain hacks have been top of mind for cyber analysts since the 2013 Target breach — the largest known hack at that point compromising customer information — in which hackers wormed in through the retailer’s HVAC vendor. But such breaches have only become more common since then.
“Cyber criminals aren’t targeting the big dogs on the block,” said Berglas, who was formerly an assistant special agent in charge of the FBI’s New York cyber branch. “They’re not targeting the prime contractors that have the money and resources to build up firm and solid cybersecurity. What they’re targeting is the smaller subcontractors down the supply chain.”
The study examined publicly available data of about 300 small and medium defense contractors.
That’s just a fraction of the approximately 100,000 to 300,000 companies that contract directly with the Defense Department and its components.
Here’s what the researchers found:
- More than half of the companies had vulnerabilities that put them at high risk for ransomware attacks, in which hackers lock up the victims’ computers and demand payment to unlock them.
- Nearly half had vulnerabilities BlueVoyant considers “severe,” such as running software that’s outdated or known to be insecure.
- Nine of the companies had still not protected themselves against a major flaw discovered in Microsoft’s email software more than six months after it was first discovered and raised alarms across the federal government.
- The vulnerabilities were worst among defense contractors focused on manufacturing and research and development.
BlueVoyant didn’t share names of any of the 300 companies.
The report comes amid rising concern about widespread cyber vulnerabilities across large swaths of critical industries.
However, U.S. officials typically have declined to endorse limits on hacking that is for purely espionage purposes, which would include nations spying on each other’s defense contractors.
Government agencies could have stymied SolarWinds hackers just by following firewall guidance, CISA said.
If those agencies simply had blocked all outgoing connections, they “would have neutralized the malware” that Kremlin-linked hackers used to steal reams of their sensitive data, Cybersecurity and Infrastructure Security Agency acting director Brandon Wales told Sen. Ron Wyden (D-Ore.) in a June 3 letter. The letter was first reported by Reuters’s Raphael Satter.
Indeed, some SolarWinds victims were able to evade the hackers stealing their data by doing just that, the letter states. But Wales warned that for some agencies adopting such measures “may not be feasible given operational requirements.”
CISA said it does not comment on congressional correspondence.
The SEC is probing possible violations by some SolarWinds victims.
The financial regulator last week sent letters to companies asking whether they were affected by the hack and probing whether they didn't disclose the breach to investors, Reuters’s Katanga Johnson reports. The letters come six months after news of the breach emerged.
The SEC also is looking at whether companies had sufficient protections against the breach, policies to protect consumer information and whether executives traded on insider information about the breach, a person familiar with the investigation said. The SEC declined to comment.
SolarWinds itself has faced scrutiny by the regulator, telling investors early this year that it was cooperating with a commission inquiry.
The director of the Pentagon’s “SWAT team of nerds” violated Defense Department policies by using Signal, a watchdog said.
Defense Digital Service Director Brett Goldstein “used and condoned” the encrypted messaging app, the Pentagon’s inspector general said in a report. The app has not been approved for use by DDS employees, although Goldstein told the watchdog that he was working with Defens officials to get it approved.
There was a perception that Goldstein and other DDS officials used Signal to discuss classified or sensitive information, five of 11 subordinates who spoke with the watchdog said. There was also a perception the app was used to evade discussions being captured by the Freedom of Information Act and government records retention policies, four subordinates said.
Goldstein declined to provide a comment to the watchdog, which also concluded he did not mistreat DDS employees.
“We’ve worked hard to create a positive and secure work environment at DDS, especially during the pandemic and while working remotely," a DDS representative said. "Brett has always held DDS employees to an extraordinarily high standard due to the nature and importance of the projects we work on. We are pleased that the report confirms this and shows there was no evidence for the allegations.”
Officials in Goldstein’s office also joked about hacking the government technology media organization FedScoop’s annual competition to find the “Best Bosses in Federal IT” in 2020, the office’s legal adviser told the watchdog. The officials were “told that doing so would be inappropriate, which resolved the issue,” according to the report. Goldstein ultimately made the list. His “nerd tour of duty” ends at the end of the month, a DDS official said.
Securing the ballot
Silverado Policy Accelerator Chairman Dmitri Alperovitch and James A. Lewis, senior vice president at the Center for Strategic and International Studies, discussed the Biden administration's forthcoming cyber talks with Russia — but not China:
- Bob Kolasky, the director of the National Risk Management Center, discusses supply chain cybersecurity at a Billington Cybersecurity event today at 9 a.m.
- Columbia University hosts a virtual screening of the film Colossus: The Forbin Project and panel discussion as part of a hacking-focused film festival today at 6 p.m.
- The Senate Armed Services Committee’s cyber panel holds a hearing on ransomware on Wednesday at 2 p.m.
- The House Small Business Committee holds a hearing on CMMC cybersecurity implementation on Thursday at 10 a.m.
- Cybersecurity and Infrastructure Security Agency officials discuss ransomware at an Infosec webinar on Thursday at noon.