One of the top trends that we witnessed covering government and military cybersecurity in 2020 – aside from the massive upswing in threats that accompanied the ongoing COVID-19 pandemic – was a renewed and increased focus on securing the supply chain. This was especially true within the military, with many cyber experts identifying the immense defense industrial base (DIB) as one of the avenues that hackers could use to create weaknesses or vulnerabilities in military networks.
The possibility that attackers could exploit vulnerabilities in vendor or supplier applications is a real concern among government security professionals.
“I previously ran cybersecurity programs for a number of government agencies and have maintained contact with many people that I worked with. Many of them went on to become agency CISOs,” Don Mclean of DLT Solutions explained to us in a recent interview. “One of their biggest concerns is hygiene and patching. The other is risk management – the risk that they incur when they do business with any other organization. That’s very top of mind for those CISOs right now – especially in the DoD.”
This risk is so great and of such grave concern to government IT and cybersecurity leaders that they’re in the process of implementing the Cybersecurity Maturity Model Certification (CMMC), a certification process that will measure the cybersecurity maturity of government contractors, to help ensure that all vendors that sell products and solutions to the military meet stringent cyber requirements. But the process of rolling out CMMC across the DIB – which includes as many as 300,000 organizations and companies – is still in its infancy.
According to a press release issued in mid-December by the U.S. Department of Defense, some contracts for pilot programs that will be awarded in late 2021 will be the first in which vendors will be assessed by the CMMC requirements. For these pilot programs, “all offerors will undergo the appropriate CMMC assessment, and awardee must achieve the required CMMC level at time of contract award, and flow down the appropriate CMMC requirement to subcontractors.”
Depending on how pessimistic you are, the timing of the CMMC rollout either couldn’t be better – or it’s coming way too late. That’s because the exact situation that the DoD is looking to avert with programs like CMMC is happening across the federal government right now.
Third-party software becomes trojan horse for nation-state attack
Anyone who remains unaware of the recently discovered cyberattack that impacted numerous government agencies and organizations has either been living under a rock, or enjoying far too much holiday eggnog. It’s been one of the largest government IT and cybersecurity stories. And it has the entire government on edge.
For those who have been hitting the spiked ‘nog a bit too aggressively, here’s a quick recap. A popular network management software product offered by SolarWinds to IT and network professionals, and used widely across the government, was hacked by malicious nation-state actors with ties to Russia. This resulted in the hackers effectively gaining access to government networks and moving laterally across them over the course of a number of months – escalating privileges and compromising government data, including email systems.
According to excellent reporting by the Washington Post, “The Russian hackers, known by the nicknames APT29 or Cozy Bear, are part of that nation’s foreign intelligence service, the SVR…” and these hackers, “breached the Treasury and Commerce departments, along with other U.S. government agencies, as part of a global espionage campaign that stretches back months…”
This recent incident is so new that we still don’t know the exact breadth and depth of the breach, and everything that was compromised. However, it is a perfect example of why both application security and efforts to secure the DIB are essential today. Nation-state hackers are becoming increasingly sophisticated and prolific in their hacking attempts, and – while some government agencies and military organizations may be tough targets to compromise – the vendors and solution providers that service these organizations can be a trojan horse into their networks.
If the DoD was looking for a great example of why supply chain security is of such high priority – and why now was the time to implement CMMC – they certainly didn’t have to wait long.