HIPAA for Defense
The United States Department of Defense (DoD) announced in October, 2015 that its more than 100,000 contractor firms were going to have to report any breaches that, “Result in an actual or potentially adverse effect on databases and information pertaining to DoD activities.” It’s like HIPAA for defense contractors. While no explicit penalties have yet been announced for breaches — you can be sure that defense contractors don’t want to be showing up on the naughty list.
The announcement came on the heels of the massive hack of the Office of Personnel Management (OPM), which resulted in the theft of more than 21 million US government personnel records.
The Scope of the Phishing Challenge
The DoD’s stance on contractor notification makes sense, but the new regulation also reveals the shear scope of the DoD’s security challenge: They do business with more than 100,000 companies. How can the DoD preserve security amongst so many entities?
It’s particularly difficult given that one of the most preferred methods of hacking into secure defense contractors is spear phishing, the process of deceiving an email recipient by posing as someone that he or she knows. The problem is that there a few countermeasures to protect against such an attack. Anti-spam solutions won’t stop the emails. Standard web-filtering will not prevent computers and networks from being compromised and anti-virus software is largely useless in the face of spear phishing threats. Only specifically designed anti-phishing and anti-spear phishing solutions can prevent networks from being compromised.
How does the Phishing Threat Manifest?
If you work at the DoD or a large defense contractor, you have many legitimate reasons to receive email from up to 100,000 different email domains. There’s a lot of exposure there with a huge threat profile. Spear phishers can easily pose as any number of contractors to gain access to classified information.
Imagine that your name is Jim and you work at one of the major DoD contractors on a major weapons project. You find yourself collaborating with John Smith, who works at one of the hundreds of small sub-contractors that manufacture components of the weapon. One day, you get an email from firstname.lastname@example.org that says:
“Hey, Jim, listen. I’m on vacation, reaching out to you by mobile phone. I need to check the design of the part we’re producing but I can’t remember the log in for your design server. Can you send it to me?
Thanks a ton!
PS I Hope your mother is feeling better.”
You’ve gotten emails from John’s Gmail address before, so you don’t pay enough attention to notice that this email doesn’t come John’s actual address, which is email@example.com. You send him the log in credentials and forget about it. Guess what? You just gave the Chinese Army access to a top-secret weapons design. How did they know you work with John and that your mother is ill? They saw that personal information on your social media profiles.
At a post OPM hack event, Bill Evanina, Director of the National Computer Security Center (NCSC) — the “Counter-Intel Czar” commented:
“In 91 percent of the breaches we’ve seen in the government and private sector over the last several years, the attacks emanated from spear phishing. As an intelligence official, what that means to me is that our adversaries do not need to use sophisticated techniques to compromise our systems and our people. [They just send] one email.”
Who Stole the F-35 Fighter Jet Design?
If you catch a glimpse of the new Chinese J31 fifth generation fighter jet, you might notice that it resembles the American F-35. This does not appear to be a coincidence. Chinese intelligence operatives allegedly hacked into the servers of a defense contractor associated with the F-35 program and stole the designs. You can draw your own conclusions from the photo comparing the two planes.
Whether or not China actually stole the F-35 design, the scenario is quite instructive about the level of risk faced by defense contractors in the age of spear phishing. For one thing, a weapon is no longer a weapon. It’s data. The F-35 is, in its essence, a massive set of digital documents that drive numerically-controlled manufacturing equipment. It’s not like in old movies where a spy had to break in to a building and covertly snap photos of the secret plans using a tiny Minox spy camera. If you can log in, you can steal the classified information.
Like the greater DoD contractor universe, of which it is part, the scope of the F-35 program also creates risk. The F-35 consists of no less than 300,000 parts built by 1,400 suppliers around the world. Think about how easy it would be to impersonate someone in that environment. Furthermore, some of the connections between people in the program are “command relationships” where junior people may feel a limited ability to question instructions from senior officials, or hackers posing as such.
Economic and Strategic Impacts
Spear phishing and subsequent system penetration poses vast financial and strategic risk for the defense establishment. The F-35 program is going to cost the DoD $400 billion for the first 2,500 planes. Over its lifetime, the program is projected to cost $1 trillion. It’s the most expensive weapons system in the history of the planet Earth. That investment of money and time was intended to achieve a quantum, qualitative advantage over potential adversaries — an investment that now appears to be wasted. At the very least, the program must now enter another costly, time consuming period of redesign to outpace the proprietary technology that was compromised.
It isn’t just money that’s lost when these kinds of breaches occur. It’s our security. Spear phishing is a strategic threat to the United States and our allies. Any military advantage from the highly advanced plane has been yielded to a potential enemy.
Defending Against Spear Phishing Attacks
What can defense industry businesses do to protect themselves from spear phishing? It’s a challenging problem because many existing email spam filters and anti-malware tools are not effective against spear phishing emails. Vade Secure offers a unique solution.
Give us a call at 415-745-3630 or contact us, if you want to discuss how you can quickly add anti-phishing measures to your current email setup.