United States Defense Contractors and Cybersecurity Challenges
In the United States, a sizable amount of the overall federal budget is allocated to defense spending. The 2018 Defense Budget was signed into law on December 12, 2017, by President Trump, which authorized just under $700 billion in defense spending (Blankenstein, 2017). In contrast to just a few years ago where the fiscal year defense spending was set at $593 billion, the amount of money set aside for defense continues to grow. Traditionally a lot of this budget has gone into supporting the military, purchasing equipment, machinery, and paying salaries. In recent years, more money has been set-aside for defense contractors, who in turn provide products and services to the Federal Government. In 2016, nearly half of the defense budget was allocated to defense contractors. The biggest beneficiaries included Lockheed Martin- $36.2 billion, Boeing- $24.3 billion, Raytheon- $12.8 billion, General Dynamics- $12.7 billion, and Northrop Grumman- $10.7 billion (Hartung, 2017). A more detailed table of the defense sector follows.
There are many defense organizations within the United States that provide services to the Federal Government and military institutions. A concentrated amount of the budget each year is typically reserved for the major players, which include large established organizations in this sector. In 2016, Business Insider wrote an article that highlighted the top nine largest defense contractors in the United States. This came from data published by the U.S. General Services Administration that lists, in addition to federal contractors, allocations to agriculture, commerce, interior, justice, labor, navy, state, and treasury. The table that follows lists the top nine defense contractors along with the amount of funds obligated, contracts awarded, employees, and a summary of the current work carried out (Choi, 2016).
Table 1: Top 9 biggest defense contractors in 2016
|Defense Contractor||Amount Obligated||Contracts Awarded||Employees||Current Work|
|Lockheed Martin Corporation||$29.4 billion||66,353||126,000||Terminal High Altitude Area Defense (THAAD) missile defense|
|The Boeing Company||$14.6 billion||12,645||148,750||Additional EA-18Gs and associated airborne electronic attack kits|
|Raytheon Company||$12.3 billion||10,000||61,000||464 Excalibur extended-range precision projectiles|
|General Dynamics Corporation||$11.8 billion||20,822||99,500||Additional DDG 51 Class Destroyer for the US Navy|
|Northrop Grumman Corporation||$9.5 billion||10,397||65,000||Long-Range Strike Bomber (LRS-B) project|
|United Technologies Corporation||$6.6 billion||24,626||197,200||Additional batch of F-35 fighter jet engines|
|L-3 Communications||$5 billion||7,622||38,000||Holographic optical sights settlement|
|BAE Systems||$4.2 billion||10,133||83,400||M109A7 self-propelled howitzer and M992A3 ammunition carrier for the US Army|
|Humana Inc.||$3.5 billion||206||52,000||Healthcare services to service members and veterans|
The list above only includes those largest players in the industry. There are many other government contractors that engage with defense work, but a sizable portion of the defense budget goes to these organizations. Because of the nature of the business conducted by defense contractors, a thorough understanding of the security landscape is essential for national security. Over the past few years, there have been numerous breaches reported affecting millions of individuals across the country. Everyone remembers the infamous leak at Booz Allen Hamilton involving the National Security Agency (NSA), perpetrated by Edward Snowden several years ago. This was one of the most impactful leaks in the history of defense contractors. One doesn’t have to look too far to come across news articles from organizations, such as the New York Times: ‘At Booz Allen, a Vast U.S. Spy Operation, Run for Private Profit’ (Rosenberg, 2016). Cybersecurity needs to be taken seriously in all corporations. In the defense sector, national security needs to be considered in paving the way for different approaches from the traditional organization. This is true now more than ever before, especially in terms of not only the damage caused by the breach itself but of the aftermath and reputation damages.
There have been other negative impacts in this sector in recent years ranging from Amazon Web Service Simple Storage Service (S3) Bucket leaks to other breaches affecting both defense contractors as well as Federal Government agencies. One of the largest Federal Government breaches in recent history involved an incident with the Office of Personnel Management in 2015. This was the largest case of sensitive data exposure, which initially reported as affecting 4 million individuals. Later it was estimated to have compromised sensitive information of 21.5 million (Finklea, Christensen, Fischer, Lawrence, & Theohary, 2015). In the same year, the Department of Defense mandated that all organizations doing business with them must implement Information Technology (IT) security best practices for their corporate systems. The initial announcement was made in 2015, allowing defense contractors until Dec. 31, 2017, to implement these requirements (Pal, 2017). The requirements listed in the National Institute of Standards and Technology (NIST) publication 800-171 (Ross, Dempsey, Viscuso, Riddle, & Guissanie, 2018) focuses on policy, processes, and proper configuration of IT security within the organization.
Critical Vulnerabilities Facing this Sector
In the defense sector, as with most other organizations, operational and informational assets should be paramount to being protected. Confidentiality, integrity, and availability must be considered when looking holistically at the entire infrastructure. Literature can help provide insight into the top or most commonly reported security risks. The Open Web Application Security Project (OWASP, 2017) published their updated list, The Ten Most Critical Web Application Security Risks. Within the publication, injection is listed as the top risk. Some of the other risks highlighted by OWASP include broken authentication, sensitive data exposure, broken access control, security misconfiguration, cross-site scripting, using components with known vulnerabilities, and insufficient logging and monitoring (“OWASP Top 10 Most Critical Web Application Security Risks,” 2017).
While injection is listed as the top application risk, one of the top vulnerabilities the defense sector is continually keeping on their radar is that of sensitive data exposure. The information contained within defense contractors is highly sensitive and critical to national security. Chris Vickery, a cyber-risk analyst at UpGuard based in Mountain View, California, recently found the exposed data in publicly accessible Amazon Web Services S3 buckets. The data belonged to the Department of Defense (Heller, 2017). There have been other reports of S3 data being leaked due to sensitive data exposure as well as security misconfiguration. With regards to access, availability, and confidentiality, confidentiality is the highest priority for defense contractors. SQL Injection, as well as other forms of malicious code injection, are also vulnerabilities the defense sector must continue to keep on top of in order to fully protect their systems, which contain highly classified military secrets.
Traditional business organizations may be concerned mostly with protecting intellectual corporate assets, while defense contractors are tasked with caring for defense technology. Such technology, if accessed by the wrong personnel or foreign interests, could be catastrophic for national security. There is a lot of evidence that shows many looking for vulnerabilities to exploit within the defense sector. Not listed in the OWASP report are those vulnerabilities inherent to people within organizations. Whether malicious or unknowingly, they can become vulnerabilities themselves (Conrad, Duran, Conrad, Duggan, & Held, 2009). This shows that within an organization, the employee population is a susceptible source of potential malicious insiders, leading to vulnerabilities within the infrastructure. Employees that cause deliberate harm, as in the case of Edward Snowden, are fewer in number to those victims who unwillingly do so via phishing and social engineering attacks.
Ongoing Cybersecurity Threats
As recently as February 2018, it was reported that Russian cyber-spies had been pursuing secrets of military drones and other sensitive U.S. defense technology. Through social engineering practices, they had tricked defense contractors into exposing email addresses (Donn, Desmon Butler and Raphael Satter, 2018). While it was unclear as to the extent of damage, or information that was stolen, the story continues to reinforce the challenges defense contractors are facing from foreign actors. As mentioned earlier, in the defense sector, confidentiality plays a huge role in not only protecting intellectual assets, but also military secrets and technologies. This data must not find its way to unauthorized persons or groups that would seek to do harm to the United States.
There are several types of cybersecurity threats that continue to be a concern for this sector. These include, but are not limited to Advanced Persistent Threats (APTs), zero-day attacks, code execution exploits, and other ransomware attacks that have become common practice in recent years.
In an article by SC Media (Barth, 2017), the top cybersecurity threats were outlined, offering a high-level view of the current landscape. Of that list, three of the threats identified were ransomware, two Bluetooth and Wi-Fi related, one heap overflow, one Distributed Denial of Service (DDoS), and one code execution related (Barth, 2017). While all of these are of concern to any organization, in the defense sector specifically one threat stood out among the rest. EternalBlue is an Advanced Persistent Threat (APT) in the form of a remote code execution tool created by a group called the Shadow Brokers. This group had been successful in leaking secrets and cyber weapons from the National Security Agency, since 2016 (Barth, 2017). EternalBlue has been one of their most successful and damaging tools to date.
Zero-day attacks are rare because they require an unknown, unpatched vulnerability in order to succeed. They are, however, a real threat that must be taken seriously. The famous Stuxnet digital weapon comes to mind when thinking about zero-day attacks. Renowned journalist Kim Zetter wrote the book ‘Countdown to Zero Day’, which provides a detailed overview of how this tool was used to sabotage Iran’s nuclear program (Zetter, 2014). APTs in recent years have been more focused on siphoning restricted confidential data from defense organizations, often carried out by foreign actors, but sometimes by those who want to simply gain from profit. Ransomware has been gaining a lot of impact on business operations in recent years and continues to cause disruption and damage to both foreign and domestic organizations.
The defense sector has become heavily dependent on cyberspace through complex systems and communications networks, as well as research tools and platforms to build military tools and equipment. The benefit from this has not only brought new advanced defense capabilities but also better programs for military operations. However, the downside can be observed through breaches, loss of sensitive data, and impact on individuals as can be seen through the OPM breach in the past few years. As threat actors become more advanced, so too must the defense sector’s contractors and agencies in the field of cybersecurity. Newer cybersecurity technologies, methods of obfuscation, and Moving Target Defense (MTD) must be embraced, while these newer strategies face threats head-on must be implemented. The defense sector and particularly large defense contracting organizations will continue to be held to a higher standard and must continue to remain ahead in security policy, process, and technology.
Barth, B. (2017, December 22). The Top Cybersecurity Threats for 2017. Retrieved March 1, 2018, from https://www.scmagazine.com/the-top-cybersecurity-threats-for-2017/article/720097/
Blankenstein, K. (2017, June 17). 2018 Defense Budget. Retrieved March 17, 2018, from https://militarybenefits.info/2018-defense-budget-overview
Choi, D. (2016, May 25). The top 9 biggest defense contractors in America. Retrieved March 1, 2018, from http://www.businessinsider.com/the-top-9-biggest-defense-contractors-in-america-2016-5
Conrad, S. H., Duran, F., A., Conrad, G., N., Duggan, D., P., & Held, E., B. (2009). Modeling the Employee Life Cycle to Address the Insider Threat (p. 27). Office of Scientific and Technical Information. Retrieved from https://www.osti.gov/biblio/1142114
Donn, Desmon Butler and Raphael Satter, J. (2018, February 6). Russian hackers exploit key vulnerability to go after secret U.S. defense technology. Retrieved March 1, 2018, from http://www.chicagotribune.com/news/nationworld/ct-russian-hackers-defense-technology-20180206-story.html
Finklea, K., Christensen, M., D., Fischer, E., A., Lawrence, S., V., & Theohary, C., A. (2015). Cyber Intrusion into U.S. Office of Personnel Management: In Brief (p. 10). Congressional Research Service. Retrieved from https://digital.library.unt.edu/ark:/67531/metadc743551/
Hartung, W., D. (2017, October 10). Here’s Where Your Tax Dollars for ‘Defense’ Are Really Going. Retrieved March 17, 2018, from https://www.thenation.com/article/heres-where-your-tax-dollars-for-defense-are-really-going/
Heller, M. (2017, November 20). DOD exposed data stored in massive AWS buckets. Retrieved March 1, 2018, from http://searchsecurity.techtarget.com/news/450430426/DoD-exposed-data-stored-in-massive-AWS-buckets
OWASP Top 10 Most Critical Web Application Security Risks. (2017). Retrieved March 1, 2018, from https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Pal, G. (2017, December 5). Department of Defense contractors must implement IT security controls by December 31. Retrieved March 1, 2018, from https://www.csoonline.com/article/3239925/compliance/department-of-defense-contractors-must-implement-it-security-controls-by-december-31.html
Rosenberg, M. (2016, October 7). At Booz Allen, a Vast U.S. Spy Operation, Run for Private Profit. Retrieved March 1, 2018, from https://www.nytimes.com/2016/10/07/us/booz-allen-hamilton-nsa.html
Ross, R., Dempsey, K., Viscuso, P., Riddle, M., & Guissanie, G. (2018). Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. SP 800-171 Rev. 1 (p. 83). NIST. Retrieved from https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final
Zetter, K. (2014). Countdown to Zero Day. Crown.
Image Credits: Photo by Joshua Earle on Unsplash.