WASHINGTON – Twice in the last four years, the national security community warned that hacks through IT suppliers posed grave threats to defense and intelligence agencies. Last month, those warnings proved prescient after suspected Russian hackers infiltrated federal agencies through a contractor’s software.
While intelligence officials said Jan. 5 the hack is an espionage campaign, confirming Russia as the likely source, the two recent reports alerted the community that hackers could disrupt weapons systems by attacking through the supply chain. Those reports suggested the Pentagon must quickly develop methods to reduce risk from its suppliers.
But the steps the department took to strengthen contractor cybersecurity, including its Cybersecurity Maturity Model Certification risk audits, did not come in time to prevent breaches of some DoD offices that media reports have disclosed. The Pentagon says its investigation, expected to take significant time, has not turned up signs so far that hackers entered through SolarWinds software that was compromised at various federal offices and large companies.
Despite the warnings and a budding audit system, government agencies had difficulty fending off the latest intrusion. The problem was not a case of identifying the Pentagon’s vulnerabilities. Instead, the difficulty came in part because military leaders haven’t figured out a comprehensive plan to gauge and eliminate risks from contractors, experts said. The solution isn’t simple.
Now, some of the department’s former IT leaders and industry officials suggest that the DoD has to do more with the tools it has, as well as seek new ones. For example, lawmakers recently told the Pentagon in the annual defense policy law to explore the possibility of a threat-hunting program with the defense industrial base.
“It’s been a focus area for us for some time,” said Jan Tighe, former commander of 10th Fleet/Fleet Cyber Command and deputy chief of naval operations for information warfare. “I think both the public and the private side have not completely solved for how we’re going to deal with hardening our supply chain.”
The recent breach allowed hackers to access networks and move laterally, posing a heightened threat if network connections don’t have comprehensive security controls to prevent burrowing into sensitive systems. To mitigate supply chain risk, experts told C4ISRNET that the Department of Defense and other government agencies need greater insight into potential risks from vendors and stronger tools to defend against these types of attacks.
As the DoD relies more on third-party suppliers for many IT needs, and as supply chain attacks are likely to keep increasing, the need for fixes grows. The New York Times reported in early January that Russia “exploited multiple layers of the supply chain” to access more networks than previously thought.
“Even if you’re buying things as a service, it doesn’t excuse your responsibility in security and assurance,” said Jennifer Bisceglie, CEO of Interos, a supply chain risk management company. “You will still remain responsible for the risk posture in your operation. And so what are you doing about that, especially if you are sharing or outsourcing the responsibility for a service? What are you doing to make sure that that service doesn’t introduce harm or risk in a way that you weren’t watching for?”
For several years, government commissions have warned about the risk of supply chain attacks. In 2017, the Defense Science Board warned that attacks through software could disrupt weapons systems. In 2019, the National Counterintelligence and Security Center advised that malicious actors were increasingly using the avenue to breach networks.
“Software supply chain attacks are particularly bothersome and insidious because they violate the basic and assumed trust between software provider and consumer,” the NCSC report stated.
One challenge for the department is that risks differ for each vendor, meaning there’s no one-size-fits-all solution. To improve visibility, the department should require vendors to assess and document any risks before it awards contracts, experts suggest. That would give the department more information to make purchasing decisions and to review if a compromise happens.
“It is possible for every vendor to know something about the risks that are present in its supply chain,” said Robert Metzger, a member of the Defense Science Board’s 2017 study on supply chain vulnerabilities. He added, “This idea that we expect each supplier to assess and describe their own supply chain risks and to present their plans for mitigating that risk, that’s a sound idea, I believe, even if it is a new and potentially difficult burden.”
For a variety of reasons, including a shortage of IT and cybersecurity talent and cost savings, the government relies on vendors for IT needs. But the way in which the companies are interconnected poses further unknowns for managing risks.
“We stop at understanding who our supplier is, and we don’t really give a thought to who their customers are, who are their suppliers, where they’re reliant around the world, what countries that they’re relying on, what other companies are relying on,” Bisceglie said.
The Cybersecurity Maturity Model Certification, an audit system to evaluate the strength of contractors’ cybersecurity, will improve the DoD’s knowledge of its suppliers, but it focuses more on cybersecurity at an organization’s perimeter than on what the contractor’s own suppliers deliver. CMMC is a solid foundation to build on, Metzger said.
“We will need to examine carefully what attributes of the CMMC control set should be emphasized or even changed, in order to address this kind of supply chain delivered threat,” he said.
What will it take to be secure?
Advanced persistent threats, like Russian hackers, will always have an interest in the DoD. The difficulty for the department is that many suppliers don’t have the skillsets or resources to defend against nation-state hackers.
“It’s a really tough problem to figure out how you’re going to design resiliency against those kinds of attacks,” said retired Rear Adm. Danelle Barrett, former deputy Navy CIO and cybersecurity division director.
However, Barrett said that the suppliers and the department can still improve safeguards against advanced actors through consistent penetration testing, threat modeling and monitoring, as well as by establishing a cybersecurity baseline: the known-good posture of the network when it is fully secured, against which later changes can be measured.
Other steps could include increased behavioral analysis on networks to look for people acting unusually and a more collective approach to network defense by the government.
“If you look across multiple networks and correlate anomalous network behavior across the whole government, you might have seen this if you could see across everybody and can sort between what is just anomalous and what is actually malicious,” Tighe said. “If you see anomalous that all looks the same across the whole of government … and potentially even with the private sector, I think that you increase your ability, you use the power of a collective defense to our advantage.”
Today the government doesn’t have the real-time ability to search across networks for early warning signs, Tighe added. However, the 2021 National Defense Authorization Act contains several measures that could eventually improve supply chain security.
Besides a feasibility study on a defense industrial base threat-hunting program, the law directs the department to assess possible programs to share information with the defense industrial base and place commercial off-the-shelf sensors on contractors’ public-facing attack surfaces. The law designates the department’s principal cyber adviser as the top official responsible for DIB cybersecurity issues.
Even with the best visibility into supply chain risks, advanced hackers will still search for new openings, making teamwork key.
“The positive lesson that should be taken from SolarWinds is that supply chain risk is everybody’s problem,” Metzger said. “It is a very large and complex problem, and it will not accommodate anything like a business-as-usual approach.”
Mark Pomerleau contributed to this report.
Andrew Eversden is a federal IT and cybersecurity reporter for the Federal Times and Fifth Domain. He previously worked as a congressional reporting fellow for the Texas Tribune and Washington intern for the Durango Herald. Andrew is a graduate of American University.