Defense contractors routinely undergo system audits. But no assessment can ever offer total security assurance. All it takes is one threat actor to breach a system, and with enough time, patience and manpower, readily available to nefarious nation-states, they will succeed. For defense contractors whose work makes them a prime target for hackers, this sobering reality is only getting worse.
Brian Neely keeps this realization at the forefront of his work for AMERICAN SYSTEMS, the major defense contractor where he began two decades ago, principally as chief technology officer and chief information officer, and where he now assumes chief information security officer functions as well. The company easily passed five independent security audits this past year, yet Neely stresses the importance of going beyond conventional approaches, even if, as in the case of AMERICAN SYSTEMS, those audits are performed by high-end firms, with hefty price tags.
In the past two years alone, AMERICAN SYSTEMS has booked nearly $1 billion in federal government contracts. Neely helps foster trusted collaborations with critical government agencies by thinking beyond traditional security and audits.
“Audits are a single snapshot in time, that’s why they’re not sufficiently effective,” Neely says. There are additional limitations, he adds. For instance, a firm may “bait-and-switch” — bringing in a seasoned professional at the outset to win a defense contractor’s business, then switch to a “greener team” to actually conduct the audit.
Lingering Questions About Audits
Once the audit occurs, a contractor faces lingering questions.
“You may pass an audit with flying colors, but does that mean you have a solid security strategy in place, or that you simply didn’t have the right skills auditing you?” Neely says.
“Just like in everyday operations, you could see zero signs of a breach, which could mean you have a top-notch security posture, or you have no idea what’s actually happening.” The questions don’t end there. “Both look the same at a high level, but both have drastically different impacts, so how do you know which one you may have?” Neely says. “Being able to validate cybersecurity effectiveness — determining if the security tools are deployed and configured properly, that the controls safeguarding critical assets are effective, that your team reacts and responds like you expect — is a significant challenge facing all organizations.”
Recent events amplify the urgency of addressing this issue. In September, Deputy Secretary of Defense Patrick M. Shanahan said the Defense Department will place greater emphasis on strong cybersecurity practices by contractors, including their suppliers and subcontractors, in determining contract awards.
This same year, Director of National Intelligence Daniel Coats stated defense contractors and IT communications companies have become the prime cyber targets for China, suggesting the escalating need for contractors to fortify their systems. Neely emphasizes that failure to act doesn’t simply endanger business prospects, either.
“Getting cyber ‘wrong,’ or not having visibility into what is actually happening, could also damage the country, and even cost lives,” he says.
In the midst of these high stakes, regulations continue unabated. New mandates like the European Union’s General Data Protection Regulation require companies to perform ongoing data protection impact assessments — an unavoidable requirement for defense contractors with a global presence. Closer to home, regulations are equally complex.
“There is a growing list of compliance requirements and industry best practices that you have to consider now — it’s all about risk mitigation,” says Neely, whose team was awarded the General Services Administration’s new Highly Adaptive Cybersecurity Services Special Item Numbers to expand agencies’ capacity to test their high-priority IT systems, rapidly address potential vulnerabilities and stop adversaries before they impact critical networks.
Neely cites additional regulations that contractors must adequately address. These include the NIST Cyber Security Framework, the DOD Risk Management Framework, ISO 9001:2015, FAR 52.204-21, and DFARS 252.204-7012 / NIST 800-171, government-mandated security controls, with 110 requirements, which went into effect in December 2017.
“And that’s all just on the unclassified side of the business,” Neely says. “I now spend the majority of my time on cybersecurity and compliance,” adds Neely, citing an environment accompanied by a wide spectrum of concerns. “We deal with threats that range from high-volume, very basic ‘script kiddies,’ to fairly complex hacktivists and cyber-criminal groups, all the way up to highly sophisticated state-sponsored threat actors.”
Beyond “Traditional” Approaches
In the midst of these escalating threats, Neely advocates a multifaceted approach to cyber defense.
“You have to constantly evolve not only in the audit teams you select but with the tools and technologies you employ to protect your digital assets,” Neely says. “In the past, organizations would spend a lot of money on people, and the latest tools, usually highlighted in the top right corner of Gartner’s Magic Quadrant. You can’t be satisfied with these traditional methods anymore. But don’t get me wrong, you can’t ignore the ‘basics’ of core cybersecurity, you have to get that right as well. A lot of companies get breached because they didn’t properly patch a vulnerability from six years ago, or forgot to close down a port that is no longer in use, or simply fat-fingered in a wrong DNS entry.”
Cost considerations and strong cyber response aren’t mutually exclusive, he adds.
“There are some evolving and unique approaches where people can spend very little money and get a huge return from a cyber perspective,” Neely says. These approaches, he adds, span three critical areas. “Crowdsourced techniques, artificial intelligence and community participation can help significantly and break from traditional methods of cybersecurity.”
Bug ‘Bounty’ Platforms
Defense contractors can “crowdsource” independent hackers who only get paid if they discover vulnerabilities in a system — the more critical the vulnerability, the higher the “bounty” they are paid. Private companies such as Twitter and Airbnb have employed this strategy when testing software security for many years.
Earlier this year, the Pentagon once again invited independent “researchers” to try to attack the military complex’s network, resulting in 65 vulnerabilities being discovered, 28 of which were classified as high or critical in severity, bringing the total to over 3,000 vulnerabilities discovered in just the last two years.
Bug bounty platforms include HackerOne, which attracts 160,000 “researchers” from over 100 countries; Synack, founded in 2013 by former National Security Agency agents; and Bugcrowd, another platform for crowdsourced security testing. In all cases, hackers are paid only when they find vulnerabilities in a company’s network.
It’s a “highly incentivized approach,” Neely says. “These entities aren’t sending you a six-figure invoice saying, ‘You guys did great, you have a strong cyber in place,.’ It truly is ‘pay for performance,’ which is a fantastic model.”
Companies, Neely adds, can tap a massive pool of skills. “You’ve got hackers with unique and highly specialized skills, using diverse tactics, techniques and procedures attacking your own very specialized environments — it’s as close to the real world as you can get,” Neely says.
Artificial intelligence represents one of the “biggest evolutions” in cyber defense, says Neely, who adds, “the future is autonomous defense.” Federal agencies share this view. While U.S. Cyber Command previously stated a human “operator” was critical to both offensive and defensive operations, the Pentagon’s cyber warfare division has since employed AI to keep pace with threat actors.
Technological advances by the private sector help inform this decision. Google’s subsidiary AI program, DeepMind, recently made headlines when its computer program, AlphaZero, beat out humans and all other computer algorithms to become the best chess player in the world, in just hours — not by learning the intensive history of chess play and tactics, but after receiving just the basic game rules.
AI’s “reinforcement learning” approach extends well beyond chess, and can help not only defend networks but attack them, too. This capability was showcased at the Defense Advanced Research Projects Agency’s first-ever Cyber Grand Challenge conducted at DEFCON, which pit computer against computer. The competition provided a look at autonomous offensive and defensive systems that are capable of reasoning about flaws, formulating and deploying patches, discovering vulnerabilities, and then trying to take them offline — all at machine speed and scale.
A Carnegie Mellon graduate, Neely smiles as he mentions the winner, Mayhem. A Carnegie Mellon team, and on the “human side,” Carnegie Mellon, have now won the “world series of hacking” at DEFCON four out of the last six years — just barely missing the top spot last month as the school was edged out at the last minute by the very formidable Korean hacking team, DEFKOR.
However, you have be careful with autonomous systems, Neely says.
As an example of AI “behaving badly,” MIT scientists recently created Norman, the first AI algorithm trained to be a “psychopath.” The technology currently has limitations, too.
“As far as AI tools being able to assess a network for vulnerabilities, it’s not quite there yet,” Neely says. “Crowdsourcing is certainly a better option right now.” Yet AI can still address “99.9 percent” of all threats, Neely says, using signatures that adapt to network activity and promptly respond to threats. This automation spells AI’s strength in cyber defense.
“And that’s the beauty of machines,” Neely says. “They can run 24/7, 365 days a year. Unlike us humans, where you have a family, take vacations and need sleep, AI just runs.”
Larger Cyber Community
Small- and mid-sized defense contractors are more likely to face resource shortages in addressing cyber concerns. Joining a larger community, focused on cyber best practices, helps to level this playing field, Neely says.
“You can be involved in a community where you have access to the same information and resources that a big, multinational conglomerate has, even if you only have a dozen or so employees — in other words, you are not in it alone,” says Neely, citing the Defense Industrial Base Cybersecurity Information Sharing Group.
“It is one of the most formal and mature organizations out there,” he says. “You may not have a cybersecurity organization within your company that can reverse-engineer malware, but organizations like the DIB can help you with that, even providing guidance during incident response — practices that are extremely expensive to do if tapping a commercial entity for help.”
“The best part about groups like the DIB are that they help you stay informed of the latest threats and provide a great medium for peer discussions,” Neely adds. Additional cyber-focused communities include the National Defense Information Sharing and Analysis Center and Homeland Security’s Cyber Information Sharing and Collaboration Program, all of which AMERICAN SYSTEMS participates in. The premise of these groups is simple, Neely says.
“Companies get together, and when they see signs of threat actors, they share information,” says Neely, speaking to a core cultural belief at AMERICAN SYSTEMS, called “Better Together.”
“There is a lot of information sharing that goes on,” Neely says. “It’s not just government that offers valuable community participation.”
Partnering with important technology players, such as Amazon, Microsoft and Cisco, is also important, Neely adds. Keeping up to speed on the latest technologies and evolving adversarial tactics is critical, so active participation in cross-industry events like the RSA Security Conference, Black Hat, B-Sides and DEFCON can go a long way in developing a modern, effective security strategy, too.
Community involvement is a crucial component to an overall security program.
“AI and crowdsourcing are also evolving rapidly,” Neely says. “I think these are going to make a tremendous impact on helping our community boost cyber security over the next few years—defense contractors can’t afford to wait.”