Defining a Cybersecurity Strategy for the Defence Industrial Base
Intellectual Property (IP) theft in the Defence Technological and Industrial and Base (DTIB) has become a critical strategic issue for NATO allies and partners. In an alarming U.S. Navy report on Cybersecurity Readiness published in April 2019, it was highlighted that, against a backdrop of declining U.S. military and technological dominance, now ‘every differentiating idea or intellectual product gained or lost is material’ and ‘will have compounding effects in [military] advantage or disadvantage’.
Cybersecurity Strategies for the Defence Industrial Base
Whilst targeted towards commercial entities - prime contractors, SMEs or technology start-ups - cyber espionage emanating from peer adversaries has strategic implications for the defence community as a whole. Recognising that the threat is increasing given the growing number of IP theft incidents worldwide, governments are reinvigorating their cybersecurity policies and encouraging closer military-industry collaboration.
A report from The Information published this year claimed that Huawei Technologies had been stealing data and replicating products from Apple. Source: E&T
One example is the UK's Defence Cyber Protection Partnership (DCPP), a joint Ministry of Defence (MOD) and industry initiative designed to improve the protection of the defence supply chain against cyber-attacks and data breaches. Of course, there is still room for improvement. SME's have become a more significant part of the UK's defence supply chain, for example, however it has been highlighted that most not have the resources or procedure in place to deal with disruption or cybercrime.
The 2018 Australian Defence Industrial Capability Plan also highlighted this as a weakspot. One of the primary initiatives put forward by the Department of Defence is 'enhanced cyber security measures for SMEs', as well as the need for defence industry as a whole to 'work closely with Defence in assuring their security – including cyber security – resilience and sustainability domestically and in respect to exports'.
Meanwhile, the U.S. National Security Agency has set up a new department focusing on the enhnacing the DIB's cybersecurity posture. Last month, General Paul Nakasone, NSA Director, urged government to start ‘working closely with the defence industries and those who provide cybersecurity solutions to them’.
The Evolving Cybersecurity Landscape
One such solution provider is iFORCE Security, a UK-based techno-physical and cyber security SME. Defence IQ spoke with their Operations Director, James Harrison, to get his perspective on the threat. Prior to founding iFORCE James spent 20 years in the military, with over a decade attached to specialist units as a subject matter expert in Covert Method of Entry, physical, and electronic security.
“It is the proliferation of connected devices, the speed of global connectivity and the increasing value of IP that have all dramatically altered the cybersecurity landscape and, as a result, increased the threat of cyber espionage against the DITB”, argues James.
“We are technically, digitally and electronically better connected now than we have ever been, but it has come at a cost. The global expedience and hunger for instantaneous information transfer, both personally and professionally, has forced us to take incalculable risks with our own data and how we choose to transfer it. We must all take more time to digest what we are sharing, how and with who; a moment of contemplation, before we commit to propelling ‘code’ into the cyber realm”.
Addressing the Vulnerabilities in Physical Security Infrastructures
However, James explained, whilst a lot of emphasis is placed on safeguarding networks and data centres inside prime contractors and more work is being done to support SMEs and start-ups inside the supply chain, not enough attention has been paid to physical infrastructures and their increasing vulnerabilities.
“If I have low equity solutions within my portfolio to infiltrate and penetrate a data centre or server room and circumnavigate all of the digital security to elicit information, I’ll always take the path of less resistance, and more so if I can do it without raising an alarm or alert to a SOC or autonomous system. The risk of physical penetration to steal IP and company data is quickly becoming the biggest threat to companies”.
Physical security is often neglected in the context of information security. Source: allcooper
Addressing Cultural Barriers to Cybersecurity in the Defence Industrial Base
The U.S. Navy’s cybersecurity strategy is underpinned by five ‘pillars’: culture, people, structure, processes, and resources. I asked iForce Security to recommend some practical steps the defence community could take to improve in these areas.
“In the first instance, the U.S Navy, by acknowledging that it could do better, is making positive steps to improve its cybersecurity posture. In turn, this will influence the wider defence community to follow suit. Complacency can often lead to a less effective force and vulnerabilities begin to appear which remain undetected in both people and process, at a time when resources are stretched to meet omnipresent, sophisticated and hostile state-sponsored threats”.
“A cultural change is key to ensuring we inform, prepare and equip our people, practices, and procedures to meet future challenges, many of which are unconventional, nuanced and subtle, and far more potent and devastating than current fielded capabilities”. IP theft inside the defence supply chain is a perfect example of a hybrid attack with strategic consequences.
A Whole Force Approach to Physical and Network Security
Similar to the Navy’s model, iForce takes a ‘whole force’ approach to data security because “no single threat,” argues James, “can be viewed or addressed in isolation, and each pillar must contribute in equal measure to have a demonstrable effect”.
This ‘whole force’ approach to stress testing and strengthening government or industry security includes a series of tactics. Firstly, appraisals of techno-physical access i.e. the circumnavigation, bypass or surreptitious defeat of access control measures, CCTV, sensing systems or physical barriers. Secondly, cyber-physical access, which could involve close remote access or physical interaction with network devices and the IoT at large. Finally, Human Hacking i.e. socially engineering people and the environment to facilitate access to areas that would otherwise be ‘off limits’.
iFORCE's 'Whole Force' Approach to techno-cyber security
“Each core component is not applied in sequence but rather in parallel. Physical security and the re-education of the workforce must be in lock step with cyber security. They must complement one another, forming an inter-conscious synergy."
When asked to consider the challenges which cybersecurity decision-makers face working within the defence supply chain face, James concluded: "CIO and CISOs must ensure they keep pace with the shifting security landscape and build equilibrium into centralized frameworks that guard IP, information, its workforce and their personal security, shared equities of trusted partners and everything that is sacrosanct”.
“It is imperative that they identify all the pillars and act on them accordingly; no one single threat can be defeated in isolation”.