Over the last few years, the push towards achieving ‘digital transformation’ within the defence sector has been something akin to the opening of Pandora’s box. Seemingly overnight, organisations within the sector have implemented new technologies from AI-driven office solutions to military drones.
Many forward-thinking contractors are using new technologies to leverage greater efficiency, service and profitability. But are these contractors exposing themselves – and consequently our armed forces – to new cyber threats?
A fact of life is that with new developments come new avenues of attack. Whether it be the lacklustre security features on the office ‘smart-fridge’, or the wide-ranging access of workplace apps like Skype or Slack, each new innovation carries with it the risk of exploitation. So how do contractors go about mitigating these threats?
Assessing the threat from new tech
When introducing new technologies, the first cybersecurity consideration must be: what can these technological advances access? Organisations should carefully evaluate the risk that new applications may have to their network before beginning to implement them, as not doing so could open up a range of new avenues of attack.
For example, the initial integration of email applications such as Microsoft Office 365 into business processes provided a plethora of new opportunities for better work environments, but also opened up new routes for potential hackers to access a contractor’s network, and consequently steal critical data or financial assets, often with catastrophic effects for the organisation in question. In October 2018, a third-party contractor was found to be culpable for a significant DoD data breach, where the Pentagon lost 30,000 employees’ personal and financial details to hackers, resulting in the termination of that firm’s contracts with the DoD.
Organisations must learn from this example and scope out any emerging technologies to determine where potential avenues of attack for would-be-hackers may lie. Of course, while it’s a great idea in theory to be able to assess new technologies and apps before they are installed on corporate networks and devices, this is not practicable.
One such new type of app that poses a potential threat is the current generation of internal messaging apps (such as Slack or Telegram), or data storage and sharing apps such as Dropbox. As the recent La Liga app scandal has proven, many mobile applications are capable of running a number of functions on a network in the background whilst not always making it immediately apparent they are doing so. It is therefore possible that a phone with an unauthorised or unknown app may be able to interact with the network through an overlooked access permission, gathering and leaking information.
Devices which have unrestricted access to the corporate network need to be carefully managed to ensure that apps are not unknowingly installed. Where this isn’t possible, controls need to be put in place to protect critical information.
However, even when firms have assessed the threat of a programme or device’s intended use, they must ensure they search for every possible threat. IoT devices are particularly relevant in this regard, as these small devices (often with only a single simple task) are easily overlooked, but often provide an easy route into a network. They can gather significant amounts of data, which can be abused if it falls into the wrong hands.
Recent information breaches have exposed vulnerabilities in even the most obscure pieces of IoT tech. One often-cited breach involved the exposure of a top-secret US military base, after Strava fitness devices showed its exact location and perimeter. Similarly, a casino in North America was the target of a significant data breach after hackers found an overlooked IoT fishtank thermometer connected to the network, allowing 10GB of hacked data to be siphoned to a node in Finland.
These breaches teach us that even if a device appears inconsequential, or is seen as secure in its function, it can still pose a threat to the network as a whole.
Protecting the whole supply chain
The MoD must take action to ensure the security of its armed forces, by ensuring the cybersecurity of the devices and networks which protect them. Today, it is not just about the MoD, but rather about the whole ecosystem of contractors and consultants who are involved. In the past, we have seen tertiary attacks on suppliers in order to get to the primary target. While the RSA / Lockheed Martin event gained early notoriety, there are other, more recent examples of similar attacks.
The old adage that you are only as strong as the weakest link still holds true. This has to be taken into consideration when new partners are brought on board, or when new collaborative projects are initiated. While a defence-based regulatory body capable of analysing emerging technologies could help the UK take steps towards securely integrating such technologies into military contracts, the speed of change in the cybersecurity market presents many challenges.
However, other governments are already acting to try and establish better, more timely regulation, with industry leaders and cyber security experts coming together regularly to advise on national security and determine strategies for protecting critical resources. The UK needs to embrace such ideas from other governments and drive forward its own agenda in this space if it wants to remain competitive.
Assess before you integrate
IT decision-makers at contracting firms must carefully assess the emerging technologies they are integrating into their companies’ or clients’ operations and consider the wider cybersecurity ramifications of a potential breach. As a starting point, decision-makers should investigate the not-insignificant number of solutions which can go some way in mitigating the risks that these new technologies bring.
The use of direction-agnostic adaptive data loss prevention solutions can ensure that data cannot be leaked from the network through IoT vulnerabilities, whilst next-generation email and web security software can strengthen defences against information-borne attacks.
Emerging technologies will bring untold new possibilities to armed forces and defence contractors alike, but these will come hand-in-hand with new risks, and a strategic approach to risk assessment and management will be needed to protect both the organisation and the state.