Unsurprisingly the defense industry requires the most secure information sharing environment in the world, but what implications does this have for ensuring the effective mitigation of cyber risks? There is something of a paradox between the need for complete information governance in the defense sector and the rise of IoT, BYOD, cloud computing and the democratization of data in today’s blurred personal/enterprise world. Emerging technologies bring with them new risks, making it more difficult than ever to regulate the sharing, creation and security of data.
For most organizations, the consequences of data loss although significant are limited to financial implications and reputational damage. Data loss for defense organisations and its supply chain are for obvious reasons a far greater concern. The capability of assured secure data is of paramount importance, as its functioning and effectiveness relies largely on reliable, robust systems that are well-armoured against the many potential avenues of attack.
Defense is a key pillar of any nation’s Critical National Infrastructure (CNI) and as such it must adapt quickly to new threats in order to keep the nation and its citizens safe – and these threats now include those to its information security. With that in mind, here are five ways to help secure data in the defense supply chain:
Assess the threats and risks
When evaluating emerging technologies, the first consideration for any organization should be the impact on cyber security. What data is created and how is it accessed? What would happen if it was compromised? Who would have thought that a running/cycling app would reveal the layout of a defense base? Or that a photo taken on a mobile phone would reveal the exact co-ordinates of an outpost? Of course, this isn’t just about personal devices, solutions across the whole organization should be assessed. Microsoft Office 365 allows new ways of working and advances the cooperation between employees and organizations, but it also creates new avenues for increasingly sophisticated cyber-criminal attacks.
The burden is, unfortunately, on organizations utilizing new technologies to scope out the potential risks. It’s only natural that new solutions are measured on the value they bring rather than the risks they pose. However, a careful look at the long-term implications will normally uncover one or two potentially serious downsides that would either require immediate action to mitigate, or the immediate removal of the solution.
Vet and monitor partner organizations
The adage ‘you are only as strong as your weakest link’ may be cliché but it holds true in many cases. There have been successful cyber-attacks on both physical and information supply chains, where the supplier has been infiltrated as a means to reach the primary target, for example, as seen in the RSA/Lockheed Martin event. While vetting may occur on current personnel, contractors and consultants, there is a need to ensure that personnel up and down the supply chain are suitably vetted and/or monitored. Ideally, this should take place before on-boarding external companies or beginning collaborative projects, however for many organizations it is a case of needing to retrofit additional security requirements on top of existing relationships.
Media reported incidents should be a warning to other organizations around the world and used as examples to test cyber disaster-recovery and business-continuity plans. It may be that some partners need to be swapped out for others in order to ensure the right risk profile for the organization.
Invest in technology to ensure sustainable protection
Cyber-attacks on defense organizations and government bodies tend to be the early indicator for the next generation of advanced threats. The challenge for decision makers is to keep abreast of them and the new technologies that can be used to mitigate them. It is also worth investigating existing solution capabilities. Most of today’s security solutions are constantly being upgraded, and sometimes these new features go unnoticed and therefore are not deployed. So before looking at new technology, take a close look at what could be done with existing solutions. For example, traditional Data Loss Prevention solutions focus on preventing information from leaking out of an organization. The next generation of DLP solutions are direction agnostic, so can also apply policy to prevent unwanted data coming in (helpful for GDPR, but also with ITAR compliance, or information sent in error by a partner).
Pay attention to subtle details
Organizations in the defense sector should be careful not to underestimate the power of seemingly subtle or innocuous risks to their environments. For example, the relatively recent boom in the use of internal messaging apps such as Slack or Telegram introduces risk, particularly when it is used in collaboration with partners in the supply chain – what can start as a relatively ‘informal’ collaboration tool can suddenly become filled with critical information that shouldn’t be shared this way.
Another example are apps installed by users on their phones interacting with the network or a corporate application, through an overlooked access permission, gathering and storing sensitive information and creating a potentially significant threat.
Even after the initial threat assessment of a technology or an application, it is important to go one step further and ‘think outside the box’. No one imagined that a fitness device would be used willingly and knowingly to map a military base, but it did. Likewise, the RSA case wasn’t thought to be an issue, until it was.
It’s not easy trying to predict the unknown, but when it comes to national security it is extremely important to look from all angles and think about the worst-case scenario. What would happen if the enemy/competition managed to get hold of this information? And what would the impact be? A level of pragmatic paranoia will go far when it comes to securing the supply chain, especially in defense. We know there are new ways through which individuals are inadvertently or maliciously breaching security to leak sensitive data every day, the challenge is to try and remain one step ahead, or at least not to fall one step behind.
Challenging times call for robust practices
There are multiple steps defense organizations, and those in the supply chain, can and should take to mitigate the risks introduced by emerging technologies and their associated applications. Assessing and evaluating the new technologies from all perspectives well before they are allowed into the organizations’ ecosystems is the first and most obvious step. Secondly, taking a holistic approach to project partners and collaborating organizations up and down the supply chain is key to maintaining a robust security posture against breaches and targeted attacks. Understanding the risks a secondary or tertiary attack can have is just as important as understanding those on the primary organization.
Finally, technology needs to be considered to enforce policies and ultimately keep information and people safe. In the same way that threats change, so does the technology to mitigate them – but start close to home, perhaps some of your existing solutions can help, you just don’t know it… yet.
Attending NIAS’19 in Mons, Belgium? Visit the Clearswift team on booth G12 to discuss how our solutions can enhance cyber security protection for defense organisations.