©2019 Manufacturer’s Edge
As a child I heeded (mostly) Haven Gillespie’s advice about watching out, not pouting, not crying—I knew which of Santa Claus’s lists I wanted to be on! My motivation was clear: opening the gifts I wanted under the tree.
The motivation for minding the supply chain gap with respect to resiliency, security, and trust is similar, except that the wrong people may be opening our “gifts”. Our adversaries (competitors, nation-states and quasi-state actors, organized crime, opportunistic digital thieves) are mining the supply chain gap. That is, they are helping themselves to the investment that US taxpayers, individuals and organizations alike, are making in research and development, and they are stealing directly from manufacturing businesses. They are naughty, not nice, and we all need to watch out for them. The US Department of Defense (DoD) is especially concerned and has captured this concern in its push for the Cybersecurity Maturity Model Certification (CMMC) program. Manufacturers throughout the defense and aerospace supply chain, in particular, are paying attention, and watching out.
As customers, we question delivery terms and complain when packages arrive late. We challenge service charges on auto and home repair bills. We expect products and services to be delivered on time, at the agreed-upon price, and in a pre-defined condition. (With respect to the latter, we accept “buyer beware,” “individual results may vary,” “as is,” and “gently used” when time, cost, and convenience seem to merit it.)
But what happens when the customer is the US Government, the expectation is that the product or service will deliver unique performance, and the item itself embodies “covered defense information” (CDI) or “controlled unclassified information” (CUI)?
In the context of US national security interests, the adage “imitation is the sincerest form of flattery” does not necessarily apply. Imitations of US technical innovation flatten, not just flatter, our competitive edge and compromise the safety of the men and women of our armed services and of the systems they depend on. Thus, the DoD’s focused attention on enforcing supply chain resiliency, security, and trustworthiness embraces the recommendations collected in the MITRE Corporation report Deliver Uncompromised. Performance of products and services (for the latter, consider test scenarios and results, engineering plans, software source code, etc.) should be as expected in all states: as designed, as built, as used. Importantly, the information behind them should also not be shared.
Better Watch Out
There are disturbing examples of what happens when products and services are not delivered to the DoD with the intellectual property behind them uncompromised and unshared. On the civilian side, millions of us have been exposed to the potential consequences of compromised retailers, credit scoring agencies, and gaming platforms. Successful hacks, like the attack on Target that was carried out through a supply chain partner (an HVAC contractor), exposed payment card and customer records. For individual customers, it was irritating to go through the process of requesting new credit cards, changing customer IDs and passwords, and monitoring monthly statements more closely. Our money and identities were potentially at stake. A successful attack through DoD supply chain partners puts money and identities and lives at stake.
In June 2018, some 600+ gigabytes of submarine missile program data was stolen from a “lower tier” US Navy contractor based in Rhode Island. Missile launch control system details are not something that should be shared. Granted, we still had full access to the information, but so did adversaries. It seems to me that we respond differently to digital boundary violations than we do to physical boundary violations. The latter triggers a visceral fight or flight response. I don’t see such responses as fully engaged with respect to digital boundary violations. A different survival level of urgency at play? Perhaps our DNA will catch up.
Don’t Wanna Cry
In part, the more limited response may be due to the smaller sense of loss after a digital event. After all, in most cases of digital information compromise (unless data-destroying malware is launched) we still have possession of that information. It’s still accessible to us, but not exclusively. It’s just shared now. That was small comfort to the Air Force when the Chinese unveiled a fighter that was a very faithful knock off of Lockheed’s X-35 design, the demonstrator that became the F-35. Imitation? Theft? National security endangerment? Somehow, it doesn’t feel like flattery.
Such imitation neutralizes US technical innovation and tool superiority in potential combat situations. It also means that US taxpayers have, in effect, funded the Chinese military R&D effort, a kind of unplanned gift (at least unplanned by the US). And we taxpayers (individuals and corporations) will receive no licensing fees or other compensation. Granted, we still have the technology we paid for, and so does a foreign government (and any other foreign government, quasi-government, commercial, or criminal group with which the technology is shared or to whom it is sold). We paid the development opportunity costs that the Chinese did not pay, freeing up their funds for other commercial endeavors. And no ITAR (International Traffic in Arms Regulations) restrictions were called into play.
How does this happen? How does design information, CUI and CDI, leak out into the marketplace? Compromise can occur along a broad spectrum, from a large-scale hack or insider theft to a thousand tiny cuts along the supply chain that bleed out pieces of information that adversaries can reassemble. This is why the entire DoD supply chain, more than 300,000 vendors of varying sizes, needs to be cyber resilient, secure, and trustworthy. “Safeguarding Covered Defense Information and Cyber Incident Reporting,” clause 252.204-7012 of the Defense Federal Acquisition Regulation Supplement (commonly referred to as DFARS 7012), outlines what DoD vendors must implement. It references NIST SP 800-171, a set of 110 security requirements derived from long-recognized best practices. In addition, the 7012 clause includes five sections that describe incident response, recovery, and reporting requirements.
Better Not Pout
As a follow-on enforcement measure, and to verify self-attestations that the NIST SP 800-171 security requirements have been satisfied, the DoD is developing the Cybersecurity Maturity Model Certification (CMMC) program. Solicitations will specify the required CMMC level (one through five) in Sections L and M of each solicitation. The intent is for DoD-authorized third-party assessors to audit and certify each company’s CMMC level. Holding the required level will be a gate on eligibility: whether a given vendor’s response to an RFP will even be considered. The CMMC is now in its seventh draft (released earlier this week). After an initial ballooning of requirements in the fourth draft, the sixth draft pared the Level 3 requirements down to the 110 contained in NIST SP 800-171 plus about 21 more that expand incident response, recovery, and reporting requirements.
Prime contractors must “flow down” protection requirements to their subcontractors. In turn, subcontractors flow down security requirements to their suppliers. This chain is logically only as secure as its weakest link, and that can represent a seemingly formidable obstacle to small businesses with fewer than 20 people. They usually don’t have the luxury of someone dedicated to monitoring network, system, database, application, and personnel security. The business case for that expense is a tough one to make! The situation could discourage smaller shops from participating in the DoD supply chain, reducing its overall resiliency by limiting supplier diversity (e.g., geography, expertise, processes, ownership) and possibly leading to single points of supplier failure for some components or services.
Telling You Why
Although much of the burden is on the subcontractor (it really, really is time to implement the 110 NIST SP 800-171 security requirements; the deadline was December 31, 2017), some of it can be eased through prime contractor assistance. This could include convening workshops with suppliers and coaching them through requirement implementation, starting with documenting their systems and information flow patterns; training subcontractor employees as a “cyber secure workforce” (not a “cyber security workforce”); and offering secure platforms (and even tools) for exchanging CUI and CDI.
Primes: Making a List
Prime contractors can also help by reducing the amount of CUI and CDI that flows down. Some information, for example, related to commercial off-the-shelf (COTS) and other commercially available components, can be anonymized or “de-identified.” Companies can remove references to certain part numbers and substitute their own internal reference numbers, numbers that have no meaning for someone doing an online search. Rather than sending an entire design document to a subcontractor whose responsibility is a small part in a bill of material (BOM), just send that de-identified part with its quantity. Posting design details to a public-facing website to obtain quotes from suppliers may be convenient and quick, but it also introduces risk. Instead:
- Share only the details each supplier needs to quote its own part.
- Decompose the design so that no single supplier sees the whole.
- Use internal reference numbers in place of real part numbers.
- Contact suppliers individually with quote requests rather than taking the quick, easy, and risky route of a public posting.
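As an added example (not code from the original article or from Manufacturer’s Edge), the following Python script shows one way to carry out the last three points: it keeps a private mapping from real part numbers to opaque internal references, splits a bill of material into per-supplier quote packets that carry only reference, generic description, and quantity, and checks each packet for leaked identifiers before it goes out. The BOM, supplier names, part numbers, program name, and key are all constructed for illustration.

```python
"""De-identify a bill of materials (BOM) before requesting quotes.

Added example, not code from the original article or from Manufacturer's
Edge. The BOM, supplier names, part numbers, program name and key below are
constructed for illustration. The idea: the prime keeps a private mapping
from real part numbers to opaque internal reference numbers, and each
supplier receives only its own lines, with reference numbers and quantities.
"""
import hashlib
import hmac
from collections import defaultdict

# Constructed sample BOM: (real part number, generic description, quantity, supplier).
SAMPLE_BOM = [
    ("MS20470AD4-6",      "solid rivet, 1/8 in",       400, "FastenCo"),
    ("NAS1149F0363P",     "flat washer, CRES",         120, "FastenCo"),
    ("7075-T6-PLT-0.25",  "aluminum plate, 0.25 in",     6, "MetalSupply"),
    ("HOUSING-MK4-REV-C", "machined housing, per drw",   2, "PrecisionMach"),
]

# Hypothetical secret held inside the prime; it never leaves the building.
MAPPING_KEY = b"prime-internal-ref-key-2019"


def internal_ref(part_number: str, key: bytes = MAPPING_KEY) -> str:
    """Return an opaque, stable reference number for a real part number.

    A keyed HMAC gives the same reference every time the same part appears,
    so returned quotes can be matched back, while the reference itself
    carries no meaning to anyone searching catalogues online. Sequential
    numbers (IR-0001, IR-0002, ...) would leak BOM ordering and size.
    """
    digest = hmac.new(key, part_number.encode(), hashlib.sha256).hexdigest()
    return "IR-" + digest[:10].upper()


def build_rfq_packets(bom):
    """Split a BOM into per-supplier quote requests.

    Returns (packets, lookup). Each packet holds only that supplier's lines,
    reduced to internal reference, generic description and quantity. The
    lookup table maps references back to real part numbers and stays in-house.
    """
    packets = defaultdict(list)
    lookup = {}
    for part, description, qty, supplier in bom:
        ref = internal_ref(part)
        lookup[ref] = part
        packets[supplier].append({"ref": ref, "description": description, "qty": qty})
    return dict(packets), lookup


def leaked_identifiers(packet, bom, program_names=()):
    """Return any real part numbers or program names found in an outgoing packet.

    Run this on every packet before it is sent; an empty list means the
    packet carries nothing an outsider could tie back to the design.
    """
    sensitive = {line[0] for line in bom} | set(program_names)
    text = " ".join(str(value) for line in packet for value in line.values())
    return sorted(s for s in sensitive if s in text)


if __name__ == "__main__":
    packets, lookup = build_rfq_packets(SAMPLE_BOM)
    for supplier, lines in packets.items():
        # "PROGRAM-ALPHA" is a hypothetical program name for the example.
        assert not leaked_identifiers(lines, SAMPLE_BOM, program_names=("PROGRAM-ALPHA",))
        print(supplier, lines)
    # Matching a returned quote back to the real part happens in-house only.
    print(lookup[packets["PrecisionMach"][0]["ref"]])
```

The references are a keyed HMAC rather than a running counter so that the same part maps to the same reference across quote rounds without revealing how many lines the BOM has; if the key ever leaks, anyone with a parts catalogue could rebuild the mapping, so guard it like any other credential. The leak check is deliberately simple (substring match on outgoing text); a real pipeline would also scan attached drawings and file names.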
Primes and Subs: Checking It Twice
All DoD suppliers, even those at the very tail end of the supply chain, should wrap the following 12 “gifts that keep giving” into their security programs:
- Segment networks to protect and obscure the presence of CUI and CDI.
- Limit access to, and use of, such protected information to those with a specific job-related need to know.
- Make the existence of those protected spaces invisible to all others.
- Choose names for those hardened (yes, encrypt as needed) files, folders, and drives that are less obvious than something like “Protected DoD Contract Information.”
- Track file and system activity with respect to these assets.
- Impose robust password requirements: unique, user-specific account IDs; passwords never reused elsewhere; a minimum of 16 characters; and a check of every new password against published lists of the most commonly used and breached passwords so that guessable ones are rejected.
- Use multifactor authentication (MFA). Hardware tokens are the strongest option (FIDO2/U2F security keys also resist phishing), but any second factor, including SMS codes, is better than nothing. Treat SMS as the floor, not the target: it can be defeated by SIM swapping and number porting, so move accounts that touch CUI or CDI to app- or token-based factors.
- Guard your perimeters by tuning firewalls and staying informed with respect to viable and realistic threat reports.
- Secure your physical environment by tracking who is in your facility, locking up proprietary information, and obscuring on-screen information.
- Change default settings, and especially default passwords, on everything (network gear, printers, shop-floor controllers, cameras, and the like).
- Ensure that your suppliers—including IT service providers and ISPs—agree to and comply with your security standards.
- Train your people and ensure they understand, agree to, and comply with your security standards.
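As an added example (not code from the original article or from Manufacturer’s Edge), this Python script ties two of the items above together: the need-to-know list that limits access to a protected share, and the tracking of file activity against that share. It reviews constructed audit lines (the log format, user names, share path, business hours, and threshold are all assumptions for the example) and raises alerts for access by users not on the list, for off-hours access, and for one user reading many files in a short window.

```python
"""Review file-access audit records against a CUI share's need-to-know list.

Added example, not code from the original article or from Manufacturer's
Edge. The log format, user names, share paths and thresholds are
constructed for illustration. It demonstrates two controls: limiting access
to those with a job-related need to know, and tracking file activity on the
protected assets so that misuse is noticed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Need-to-know list: who may touch each protected share (hypothetical).
NEED_TO_KNOW = {
    r"\\fs01\eng-7": {"jdoe", "mlee"},
}
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 UTC for this example
BULK_THRESHOLD = 5              # distinct files per user per hour

# Constructed audit lines: timestamp, user, action, path. Real sources would be
# Windows Security event 4663 or Linux auditd records exported to this shape.
SAMPLE_LOG = r"""
2019-12-10T09:02:11Z user=jdoe action=read path=\\fs01\eng-7\drw\A-1001.pdf
2019-12-10T09:05:40Z user=mlee action=write path=\\fs01\eng-7\drw\A-1002.pdf
2019-12-10T10:17:03Z user=tsmith action=read path=\\fs01\eng-7\drw\A-1003.pdf
2019-12-10T23:41:00Z user=jdoe action=read path=\\fs01\eng-7\drw\A-1004.pdf
2019-12-10T13:00:01Z user=mlee action=read path=\\fs01\eng-7\drw\B-2001.pdf
2019-12-10T13:00:05Z user=mlee action=read path=\\fs01\eng-7\drw\B-2002.pdf
2019-12-10T13:00:09Z user=mlee action=read path=\\fs01\eng-7\drw\B-2003.pdf
2019-12-10T13:00:14Z user=mlee action=read path=\\fs01\eng-7\drw\B-2004.pdf
2019-12-10T13:00:20Z user=mlee action=read path=\\fs01\eng-7\drw\B-2005.pdf
2019-12-10T11:30:00Z user=tsmith action=read path=\\fs01\public\menu.pdf
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) path=(\S+)$")


def parse_line(line):
    """Parse one audit line into a dict, or return None for lines that do not match."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    stamp, user, action, path = match.groups()
    when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"when": when, "user": user, "action": action, "path": path}


def protected_share(path, need_to_know):
    """Return the protected share a path falls under, or None if it is not CUI space."""
    lowered = path.lower()
    for share in need_to_know:
        prefix = share.lower()
        if lowered == prefix or lowered.startswith(prefix + "\\"):
            return share
    return None


def review(log_text, need_to_know=NEED_TO_KNOW, hours=BUSINESS_HOURS, bulk=BULK_THRESHOLD):
    """Return alerts for accesses that violate need-to-know or look like misuse."""
    alerts = []
    files_per_hour = defaultdict(set)   # (user, share, hour bucket) -> distinct paths
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None:
            continue
        share = protected_share(event["path"], need_to_know)
        if share is None:
            continue   # not a protected location; out of scope for this review
        if event["user"] not in need_to_know[share]:
            alerts.append({"rule": "unauthorized-access", "user": event["user"], "path": event["path"]})
        if event["when"].hour not in hours:
            alerts.append({"rule": "off-hours-access", "user": event["user"], "path": event["path"]})
        bucket = (event["user"], share, event["when"].strftime("%Y-%m-%dT%H"))
        files_per_hour[bucket].add(event["path"])
    # Many distinct files in a short window is a classic sign of bulk copying.
    for (user, share, hour), paths in files_per_hour.items():
        if len(paths) >= bulk:
            alerts.append({"rule": "bulk-read", "user": user, "path": share, "count": len(paths)})
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

In practice the lines would come from Windows Security event 4663 (object access) on the file server or from auditd on Linux, forwarded to a host the same users cannot write to, since an audit trail an attacker can edit proves nothing. The hours and threshold are starting points to tune against a few weeks of your own baseline.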
Good for Goodness’ Sake
Supply chain resiliency is not just about complying with DoD (or other) customer security requirements. Supplier self-interest should be a major factor. The cost of a ransomware tool kit is modest (as low as $200), so the barrier to entry for the enterprising hacker is minimal. It can affect any size of company. Employees at one Colorado-based company arrived to work on a summer day in 2018 to find a padlocked gate and a notice informing them that the company had shut down due to “the most recent ransomware attack.” Not the first attack, it should be noted. And more than 100 people were out of work overnight.
Small companies in and out of the DoD supply chain are increasingly targeted as the larger targets become more fortified. For larger companies, attacker motivation is often intellectual property, design secrets, or customer personally identifiable information (PII). For smaller companies, the motivation is often burglary: hard-earned cash. Fraudulent wire transfer requests, fake invoices, ransomware, and bogus “verify your information” demands are tedious, frequent occurrences (even with Federal laws that encourage internet service providers (ISPs) to monitor and control such illegal activity).
Whether or not you believe in Santa Claus, there is someone out there watching your company. And that someone might not care whether you’re naughty or nice, just whether or not you have treasures worth borrowing or sharing.
Enjoy a safe holiday season!