2019 Cybersecurity Report

Beyond Obfuscation

Executive Summary

The adoption and deployment of cyber technologies have improved the effectiveness of U.S. warfighters across the globe. From reducing the cost of and lead-time for high-tech weapons production to ensuring reliable communications across the battlefield, cyber underlies many defense innovations.

However, despite the numerous advantages of a cyber-connected world, the proliferation of cyber tools presents an array of threats and vulnerabilities that deserve the attention of decision-makers across the defense enterprise. Cybersecurity breaches are increasingly common across industry and government, with the defense industry being no exception. As the cost of these breaches reaches into the billions of dollars, demand for more robust cybersecurity controls and regulations comes from the highest levels of government and Congress.

Cyber policies directed at the defense industrial base are continually evolving and increasingly complex. New and established actors are facing challenges regarding the adoption of and compliance with policies disseminating from Congress and the Department of Defense (DoD). Ensuring members of the defense industrial base take the threat of cybersecurity seriously, understand policies, and are adequately fortified against would-be cyber adversaries is a priority throughout the defense community. NDIA—as the go-to convener of industry, academia, and government—stands at a unique position to educate industry while also communicating industry’s views to government.

The Beyond Obfuscation: The Defense Industry’s Position within Federal Cybersecurity Policy report illustrates the risks and vulnerabilities within the cyber domain for the defense industry, educating industry about the evolution of cyber regulations while communicating to the defense community the views of industry.

Section I: Illustrations of Cyber Threats and Vulnerabilities

Throughout the past decade, the global cyber threat level has intensified, subjecting private industry and government alike to an increasing flurry of cyber-related attacks. These intrusions have not only grown in frequency but also in severity as they are now responsible for billions of dollars lost each year. Both state-sponsored and private-actor attacks are on the rise across the globe, grabbing the attention of both the media and policymakers. Despite private industry’s reluctance to share news of intrusions into their networks, we now have a plethora of examples illustrating the range of attacks that have occurred.

In this section, case studies of past marquee cyber incidents present lessons alongside more recent examples, demonstrating the pervasive and varied nature of cybersecurity breaches. Each event either demonstrates a new avenue of intrusion or illuminates a previously unknown vulnerability. Culminating in a presentation of the Threat Matrix, a framework breaking down attacks using the cyber kill-chain method of analysis, these cases are meant to communicate to industry that no individual actor is immune from cyber threats.

Section II: Policy Response to Cyber Risk

As the cost and severity of cyber attacks increase, government has scrambled to develop solutions. Federal, state, and local policymakers have exercised a myriad of policy responses to shore up public and private cybersecurity fortifications, covering a range of executive and legislative actions. Often driven by the perceived need to respond to high-profile cyber incidents, these responses are often spurious and fragmented. Though well-meaning, prescriptive documents like the U.S. National Cyber Strategy propose a broad but lightly specified whole-of-government approach to reducing cyber risk while implementing agencies fall short of adequately hardening government assets, operations, and tools against attacks.

Those in the defense industrial base are left to wade through a complicated, multi-layered set of policy regulations that feature separate authorities and conflicting institutional agents. Intimidating to even the most established of defense contractors, this odious regulatory environment is a worrisome barrier to entry and a major deterrent to better cybersecurity practices. Summaries of the regulatory authorities most directly responsible for such an environment are presented to disentangle and demystify the new wave of cyber regulations. At a time when the Department of Defense aims to roll out a new draft policy through the Cybersecurity Maturity Model Certification (CMMC), understanding where we are is essential to comprehending where we are going.

Section III: Industry’s Perspective (Survey Analysis)

Any discussion of the effectiveness of the policy response to cyber threats is incomplete without the perspective of the defense industrial base. Often serving as the first line of defense and the subject of new and existing regulations, members of this group are uniquely qualified to evaluate the current state of affairs. A survey instrument was developed and deployed to ferret out industry’s perspective. Questions were included to measure the financial impact of cyber policy compliance, to determine industry’s cyber hygiene best practices, and to clarify industry’s opinion on current cyber regulations.

The survey’s results measured notable differences in experiences between large and small companies, prime contractors and subcontractors, and new entrants and established actors.

Key Findings:

  • More than 25 percent of industry professionals work for firms that have experienced a cyber attack
  • 44 percent of companies with more than 500 employees have experienced a cyber attack
  • Industry views cyber attacks from outside actors as the most serious cyber threat, followed closely by the threat of a cyber attack by a former employee
  • Small companies use security measures such as firewalls and multi-factor authentication at a much lower rate than large companies
  • Companies are only marginally confident in their ability to recover from a cyber attack within 24 hours
  • 30 percent of companies do not have a good sense of the cost needed to recover from a cyber attack
  • Small businesses are 15 percent less likely than large businesses to agree with the statement that “our employees are well prepared to understand and respond to cybersecurity threats”
  • 72 percent of large businesses agreed they were prepared to comply with DFARS 7012 requirements, but only 54 percent of small businesses agreed
  • 44 percent of prime contractors have not been able to verify their subcontractors’ system security plans

Section IV: Conclusions and Recommendations

Recommendations for Government

Increased communication, right-sizing the flow of information, and simplifying the current cyber regulatory regime are the first steps that government should take to increase the operational security of the defense industry. A disparity exists between large, established actors and smaller businesses on cyber awareness, preparedness, and compliance. Small businesses need targeted government communications and resources to ensure that they remain a part of the industrial supply chain. New policies must also consolidate regulatory authorities to decrease the compliance burden on industry while accounting for the current experience and expertise of industry partners during policy development.

Recommendations for Industry

Industry must be equally committed to solving the issue of cyber breaches as government. As the source of much innovation relied on to improve the capabilities and lethality of the warfighter, industry must be ready to protect the innovative technologies for which they are responsible to develop. Prime contractors must be willing to share best practices and experiences with lower-tier, more unexperienced companies while working with government to manage the flow of sensitive information within the supply chain. Smaller businesses need to make a more intentional effort to adopt cyber fortifications and ensure compliance with current cyber regulations meant to increase their level of security. All of industry must commit to working with government as the new CMMC program is developed to ensure that the new set of regulations is as effective as possible without an unduly burden on industry.  

Appendix A: San Diego Small Business Task Force, NIST 800-171/DFARS 252-204.7012 Compliance and the DoD’s Small Business Base