In May 2011, Lockheed Martin fell prey to a major security attack. The leading US defence contractor, developing everything from F-22 fighter jets to Titan rockets, it narrowly averted disaster as its remote access system was hacked.
According to a statement, the attack was "significant and tenacious", but it was also difficult to spot. Its danger lay precisely in this subtlety. Rather than exploiting flaws in the company’s own infrastructure, hackers had stolen data from two of its suppliers and used it to facilitate a breach.
Luckily, there was minimal long-term damage. Lockheed Martin had been monitoring the adversary in question for many years and responded promptly to the intrusion. Remote access for employees was disabled that very day, and later in the week all network passwords were reset. "Our systems remain secure; no customer, programme, or employee personal data has been compromised," the company statement affirmed.
Cybercriminals are raising their game
This tale might be interpreted in two ways. On one hand, it serves to confirm the strength of Lockheed Martin’s in-house detection and monitoring capabilities, sounding a note of reassurance about the scope of cybersecurity within defence. On the other, it highlights the growing sophistication of international cyberattacks. No longer adopting a simple mono-layered approach, assailants are raising their game and the onus is on companies to keep up.
"There’s clearly money to be made through criminal activities in exploiting the vulnerability of the technologies that we’re using," says Michael de Crespigny, CEO of the Information Security Forum (ISF). "Criminals are gaining easier access to the tools they need to undertake these tasks, and they can connect, acquire services, and execute attacks at lower and lower costs."
Lockheed Martin, for its part, has seen a dramatic increase in attempted attacks, around 20% of which fall under the banner of ‘advanced persistent threats’. Emanating in the main from nation states seeking to harm operations, campaigns of this kind are targeted, ongoing and often believed to be linked.
"Government defence bodies and their contractors frequently face organised attempts to understand what they’re doing," de Crespigny says. "There’s plenty of media discussion around what I suppose is largely suspicion, because very little is confirmed about where these attacks come from, if they can be reliably identified at all."
But while the issue has suffered its share of sensationalist reporting, there is more to it than scaremongering.
"I think it’s appropriate that a lot of noise be made about the topic," de Crespigny continues. "Non-executive directors in very large organisations need to understand that there’s an issue here, and ensure they’re properly managing the risk."
In fact, the range and complexity of threats looks poised to grow. In March 2012, the ISF launched a report, ‘Threat Horizon 2014: Managing risks when threats collide’, which laid out a sombre forecast. Predicting that traditional risk management strategies would soon be insufficient, the report detailed ways in which organisations might work in order to heighten their resilience.
As a leading authority on information risk management, the ISF doesn’t just deal with defence contractors. Its member base includes clients from the realms of transportation, banking, healthcare, government, media, retail, power and IT. But with 23 years in the security industry, the company is well equipped to offer guidance, both in areas common to all clients and in those faced specifically by defence.
"Security is on the agenda in a way that was not the case five or ten years ago," says de Crespigny. "Organisations are more reliant on the internet, and it’s core to their business success. But the criminal side of the world has identified there are opportunities here for them, which has led to significant awareness at board level about the risks they face."
According to ‘Threat Horizon 2014’, the risks can be broken down into three categories. Firstly, as businesses adopt new technologies, this brings with it new internal challenges. Secondly, as cybercriminals grow better organised, this occasions further external threats. Thirdly, as regulators call for greater transparency, areas of weakness may be brought to light, constituting regulatory risk.
For certain sectors, threats can be easily forestalled. When data was breached at the telecoms company Verizon, a report concluded that the vulnerabilities could have been identified in advance. Unfortunately, within the defence industry, matters are rather more complex. Because of the nature of the information in question, and its implications for national security, government bodies and contractors have historically taken a highly regimented approach. The real problems, when they arise, are apt to lie with third-party services.
"The defence industry is much better prepared than most industries – it understands its risks much more effectively," says de Crespigny. "So generally when you read about security incidents, they’re outside of the defence networks. Just as security is being designed around layers, to protect information and validate the identity of participants, so too attacks are evolving and working on exploiting multiple vulnerabilities."
The Lockheed Martin incident is a good example, stemming as it did from weaknesses in the supply chain. Another might be the attack in June 2012 on the US cloud hosting service CloudFlare. Here, criminals exploited vulnerabilities at four levels to gain access to their desired information.
"It’s quite an interesting example, I think, of this layered approach: clearly thought through, very difficult to anticipate, and the criminals have presumably benefited in some way from the ultimate access they’ve gained," says de Crespigny. "This layering – working one’s way through trusted participants – is likely to become more common."
Another growing area of concern is security breach by stealth, with difficulties in ascertaining an attack has taken place at all. "Individual attempts to break into networks are hard to identify," continues de Crespigny. "Sometimes they are only found quite some time after the event took place."
So as they navigate this increasingly rocky landscape, how can defence companies ensure they don’t slip up? It’s a question being asked at the highest echelons of the industry, with governmental bodies investing heavily in cybersecurity for defence.
For instance, the UK Government has highlighted cybercrime as part of its national cybersecurity strategy launch, ring-fencing over £500 million for the cause. NATO, meanwhile, has revised its policy, setting out a clear vision throughout the alliance and establishing a NATO computer incident response capability (NCIRC) to help it meet emerging and anticipated threats.
Collaboration is key
For contractors and related companies, de Crespigny feels that collaboration is crucial. The ISF brings together organisations to share their experiences and pool ideas, creating a forum in which it’s safe to air concerns. "We bring a high degree of trust between individuals working together," he says. "Internationally we have a common set of rules about protecting information and not divulging identities."
This is a model that he believes can be applied elsewhere. "The defence industry is actually quite advanced in terms of collaborating to provide secure environments around sharing information," he says. "Often, two or three organisations will collaborate to bid for a government contract, and they need to be sure they’re dealing with trusted participants. So they’ve done a lot of work at an industry level in developing security standards."
While there is no room for complacency, equally it doesn’t make sense to panic. Through adopting a well thought-through and practicable strategy, organisations can continue to meet their security challenges. But any such counterstrategy should ripple right the way down the supply chain.
Following the recent attacks, Lockheed Martin has set to work on contacting suppliers, helping them mitigate their risk. And with 5-8% of its revenues in the information systems sector now related to cybersecurity, it is clear that this approach is working. There is a growing need for measures like these: far-reaching and forward-thinking.