Report highlights serious cybersecurity issues with US defense contractors

When a company engages in business with a government, especially with the defense sector of that government, one should expect that security surrounding the engagement would be a serious endeavor. A recent report offered up by CyberSheath throws cold water on that assumption—indeed, DEFENSELESS – A statistical report on the state of cybersecurity maturity across the defense industrial base (DIB) should embarrass the sector and begs the question: why are some companies still allowed to do business with the government at all?

The CyberSheath report, conducted by Merrill research, surveyed 300 US members of the DIB and judged their results as having a 95% probability of being accurate. Which should give everyone pause, as the results are startling.

US military secrets are “not safe”

CyberSheath CEO Eric Noonan did not mince words: “The report’s findings show a clear and present danger to our national security. We often hear about the dangers of supply chains that are susceptible to cyberattacks. The DIB is the Pentagon’s supply chain, and we see how woefully unprepared contractors are despite being in threat actors’ crosshairs. Our military secrets are not safe and there is an urgent need to improve the state of cybersecurity for this group, which often does not meet even the most basic cybersecurity requirements.”

Startling statistics cited in the report included a lack of 24/7/365 security monitoring systems, that 80% lacked a vulnerability management solution, 78% did not use multi-factor authentication (MFA) comprehensively, 73% had no endpoint detection and response (EDR) solution, and 70% did not have a deployed security information and event management (SIEM) system.

Unsurprisingly, 82% of the contractors found that the US government’s cybersecurity regulations were difficult to understand.

At the recent Acronis Cyberfit conference, CSO had the opportunity to meet with the company’s senior-most executives and a good many managed security service providers (MSSP). The data presented by CyberSheath aligns.

Acronis CEO Patrick Pulvermueller noted that “complexity is security’s menace” and that EDR solutions should be considered part of every cybersecurity implementation. Acronis president Ezquiel Stiener tells CSO that supply chain audits should be the norm. To assist their clients, Acronis engages with their MSSPs and the MSSP’s clients with these audits.

CMMC is at the heart of the issue

At the heart of the matter is Cybersecurity Maturity Model Certification (CMMC). As we noted in a September 2021 article, 300,000 entities are striving to be certified in C3PAO by assessors who themselves must be certified to conduct that certification. In September 2021, there were four. In December 2022, there are 31 entities certified by CyberAB to conduct the assessments. To their credit, in October 2022 CyberAB subsidiary the Cybersecurity Assessor and Instructor Certification Organization (CAICO) made available the Certified CMMC Professional exam. A press release described the exam as verifying a “candidate’s knowledge of the DoD CMMC framework and the roles and responsibilities of various positions within it.” 

In August 2022, Coalfire was authorized by CyberAB to conduct CMMC assessments for the defense sector. At that time, Coalfire Federal President Bill Malone observed: “Foreign adversaries are escalating attacks on Defense Industrial Base (DIB) organizations, compromising sensitive information and threatening the integrity of weapons systems, platforms, tools, and materiel. CMMC is consistent with our mission and extends our commitment to provide cybersecurity services that enable and protect the mission of the DoD and its supply chain.”

The learning curve is steep

CyberSheath vice president, security services Carl Herberger told InfoSecurity: “As the government steps into a realization of this [CMMC] and the laws follow, we hope to see far wider adoption. It’s a story of the haves and have nots. Contractors who struggle have successfully grown their businesses without significant technology investments, have not taken advantage of cloud-based economies of scale, and therefore are quite far behind other industries and that learning curve is steep.”

To assist in successfully traversing that learning curve, companies such as Silvereye are available. Silvereye exists to help companies understand how best to use the services of MSSPs. Cameron Way, founder and chief strategist of Silvereye explained to CSO at the Cyberfit conference how they engage with users to help the individual entity to fully define their needs and then assist the companies in acquiring the services of the MSSP which best fulfills their cybersecurity requirements. The message that Way had for MSSPs in his keynote? Find a way to consolidate the tools they are asking their clients to use, as more tools means more complications and problems.

Defense sector CISOs need to step up

CISOs need to strive for lack of complexity in their cybersecurity implementation, as far too often convenience trumps security and modern security needs to be convenient and able to be implemented at all levels. Given the above, there really is no reason that any entity wishing to engage within the US defense sector should not be creating an in house EDR, implementing 24/7/365 monitoring, have one-step restoration and isolation of compromised portions of their network, or have a comprehensive MFA process. To do otherwise is indeed placing US national security at risk.