While 2020 has given the U.S. a multitude of challenges to manage simultaneously, a perennial pandemic that has been buried in the headlines must never be ignored — cyber breaches.
The ongoing COVID-19 pandemic has exacerbated cyber risks as corporations shifted operations to a nearly 100% virtual environment.
This has created the perfect environment for cyber criminals, who have increased their attacks drastically since the start of the global pandemic.
There was a 48% increase in cyber attacks the day the U.S. announced its 1st COVID case, a 64% increase when states declared emergencies, a 28% increase when Italy locked down, and a 22% increase when WHO named COVID a pandemic.
High-value targets, like the Department of Defense (DoD) and the 300,000+ government contractors that make up their supply chain, have spent countless years preparing to bolster their cyber security stance to counter such attacks.
Despite these extensive preparations, the old adage that a chain is only as strong as its weakest link has never been more applicable than in 2020.
Defending the Department of Defense
In February, the Defense Information Systems Agency (DISA) suffered a data breach exposing PII for 200,000 people.
While a spokesman for the DoD said its networks are constantly under attack, DISA oversees military cyber security, making this particular breach akin to the “police chief’s patrol car being stolen while parked in front of the station.”
While an unfortunate event, thankfully the DoD has the resources and capabilities to thwart the vast majority of cyber attacks.
Despite the resiliency of the DoD, a supply chain as vast, complex and interconnected as that of the DoD is only as strong as its weakest link. This makes it imperative that every link in the chain of our national defense is not only secure, but resilient as well.
According to Bloomberg, from January 2016 to February 2018, nearly 6% of U.S. military and aerospace contractors reported data breaches. Many of these attacks were the result of foreign adversaries seeking highly sensitive information or national secrets.
The larger contractors were able to invest in adequate preventive measures and early alert systems that help contain the potential fall out of these inevitable modern-day cyber warfare tactics.
Yet, it is the smaller subcontractors that pose the greater risks. The same study found that one very high-profile breach, which resulted in the theft of plans of a highly sensitive F-35 fighter, was caused by a small Australian subcontractor that had never changed its Windows password from the default settings of “admin” and “guest.”
However, it is not just breaches where sensitive data is stolen that are cause for concern. It is also these smaller, more vulnerable subcontractors that can bring the complex supply chain of the DoD to a screeching halt when ransomware attacks take place.
Right as the pandemic’s first peak was being reported in March of 2020, NextGov reported that a supplier to many of the major defense contractors, including Lockheed Martin, Boeing and SpaceX, was the victim of a ransomware attack named DoppelPaymer. This attack shut down the contractor’s systems by encrypting their files — but not before it had stolen the targeted information.
As in most ransomware scenarios, unless the ransom amounts are paid, or the contractor has extensive cyber security experts on its staff, their systems and business operations remain shut down. This has a tremendous knock-on effect for the broader DoD supply chain across many of its national security objectives.
Creating A Standardized Approach
DoD understands the importance of cyber security within its supply chain, and the risks that the vast network of suppliers and vendors represents. To help strengthen their supply chain, DoD has implemented new requirements that all contractors must meet known as the Cybersecurity Maturity Model Certification (CMMC) program.
Under CMMC, all DoD contractors must be certified and ranked based on their level of overall cyber preparedness and verified by an independent third party. In addition to securing their own operations, contractors must also ensure that any subcontractors meet the same standards.
Auditing contractors’ cyber security practices to verify they are abiding by the necessary standards is a critical first step towards building a more secure supply chain, yet a key vulnerability remains in this framework, as in most cyber security frameworks: resiliency.
Proactive mitigation is critical, but as we’ve seen time and time again, it is not a matter of if a cyber attack will occur, but rather a matter of when. For this reason, it is also imperative to measure a contractor’s resiliency to withstand a cyber attack and maintain operations with as minimal downtime as possible.
This critical component is often facilitated not just by response plans but also risk transfer and insurance products that help build up the financial capacity, especially of smaller contractors without fortress balance sheets, to withstand the costs associated with breach mitigation and business interruption that often arise out of a cyber-attack.
Ransomware attacks, for example, can not only bring the contractor’s operating capabilities to a halt, they can also render them unable to perform their duties as outlined by the contract and therefore create a cascading effect throughout the DoD supply chain. This can result in the DoD, or its other strategic contractors, having to source key materials, parts and other goods from different suppliers, delaying missions or critical objectives.
The verification process of adequate cyber insurance coverage to address business interruption and breach response issues remains ambiguous. In many instances it is more of a “check the box” model rather than a “verification process,” as CMMC aims to accomplish.
Cyber Insurance the CMMC Way
Some contractors that have taken the proactive measure of securing cyber insurance still do not meet the proper requirements. The sourcing of inferior or inadequate cyber insurance is not entirely their fault, nor a cost-cutting measure.
This lack of proper coverage is due to the complexity and multitude of available options on the market. Yet not all cyber coverage is created equal, and not all cyber policies are designed to address the specific needs of the government contracting community.
The insurance industry needs to become better aligned with the requirements of DoD contractors so it can provide coverage that addresses the key areas of risk.
Standalone cyber policies, as the most robust cyber insurance options available, can address key components like breach response capabilities and business interruption, but they may have key coverage exclusions which render them useless in certain claims scenarios.
One such scenario would be covering Confidential Unclassified Information (CUI) that many contractors are likely to store on their systems. Most policies exclude intellectual property, or trade secrets, instead focusing on personally identifiable information (PII) or personal health information (PHI).
Additionally, the types of attacks DoD contractors are likely to face are going to differ from the normal cyber threats most corporations will endure.
Attacks by foreign adversaries seeking to extract national secrets are a growing threat, and in some instances, DoD may require the contractor to let the intruders remain in their system so they can source the attackers’ point of origin. This runs counter to the main tenet of cyber insurance policies that require immediate notification and containment of a cyber breach in the world of PII and privacy notification laws.
To help insurers, contractors and DoD bridge this divide, greater collaboration is needed. While CMMC is a constructive step towards standardization and verification of cyber security best practices being upheld through the DoD supply chain, it has room for improvement.
The integration of risk transfer and insurance must be the next logical area of development. Working together, all parties can understand the critical elements to ensure that insurance policies are designed to address these components.
Closer collaboration on this standard would enable insurers not only to obtain much needed and useful data for underwriting purposes, but also to ensure that any coverage designed addresses the key risks and concerns of both the contractors and DoD.
Additionally, better vetting and incorporation of technology platforms into the security stack will further allow organizations to contain or proactively mitigate these types of attacks so insurers can avoid large scale losses.
Without this type of integration, the CMMC will provide another robust cyber security framework to which companies can adhere, but the small to mid-size providers bidding on contracts will be ill-equipped to face a possible cyber-attack. They will remain the weak link that can break the integrity of the entire chain, causing larger scale disruptions and vulnerabilities and leaving our national security at greater risk.