
Defense Contractors Must do More to Conceal Their Attack Surface

The world is entering a new era dominated by the rise of peer competitors like China and Russia, who are increasingly exerting their geopolitical influence. After two decades of fighting a counterterrorism-focused war in which the tools of the US and its allies were far superior, the competitive landscape is changing significantly.


The rise of quantum computing, hypersonic weapons and criminal groups acting on behalf of nation states has changed the calculus and the stakes of twenty-first-century warfare. The US and its allies are having to prepare for potential conflicts in Eastern Europe and/or the South China Sea. Both adversaries in such a conflict already possess significant knowledge of US cyber infrastructure and have a consistent history of exploiting its weaknesses.

Meanwhile, the US defense contractor community is charged with building hardware and software that will provide clear strategic and tactical advantages on the battlefield. However, the continuing rise of social engineering tactics, as well as risks associated with embedded vulnerabilities in contractor networks, makes keeping this technology confidential and out of the hands of adversaries increasingly difficult.

In fact, threat actors have already demonstrated the ability to infiltrate government networks through supply chain attacks such as SolarWinds, which compromised at least nine federal agencies. The close working relationship between defense contractors and the US government poses a significant risk of data leakage in the event of a data breach. In November of last year, a phishing attack against Electronic Warfare Associates confirmed that defense contractors are actively being targeted by adversaries.

While storing information in a classified environment can ensure greater security, it also impedes collaboration and innovation due to the access constraints it creates for users. 

There are several alternatives that defense contractors can implement to protect secrets from falling into the wrong hands. 

One is to use deception technology to share and transmit data, in addition to traditional security controls. Defense contractors should implement a level of obfuscation and non-attribution in both their cloud storage and data transfer capabilities.

In addition, unclassified but sensitive information should be stored in cloud enclaves that do not reflect the name of the defense contractor or government agency with which they are working. For example, when that data is moving to the cloud or between companies, extensive IP address obfuscation should be used to unlink information streams from their origin.

Finally, end-to-end encryption should be an overarching requirement for all defense contractor data, as well as a zero trust security model to prevent unauthorized access to sensitive information.  

Margins are always tight in the defense business, but that is never an excuse not to invest in appropriate cyber defense measures. The defense contractor community must continue to implement state-of-the-art cybersecurity technology in order to protect our national security and competitive advantage. One cost-effective way to do that is by incorporating obfuscation techniques that conceal their attack surface.

Written By

Gordon Lawson is CEO of Conceal, a company that uses Zero Trust isolation technology to defend against sophisticated cyber threats, malware and ransomware at the edge. Previously, he served as president at RangeForce Inc. Gordon has nearly two decades of experience in the security sector with a focus on SaaS optimization and global enterprise business development from global companies including Reversing Labs, Cofense (formerly PhishMe) and Pictometry. As a naval officer, Gordon conducted operational deployments to the Arabian Gulf and Horn of Africa, as well as assignments with the Defense Intelligence Agency, US Marine Corps, and Special Operations Command. He is a graduate of the US Naval Academy and holds an MBA from George Washington University.
