Readers of the North Carolina JOLT Blog may recall that back in October, I published a piece on the Russian use of Kaspersky—a Russian antivirus program—to search for sensitive American cybersecurity programs and methods from a National Security Agency (NSA) contractor. Despite the known risk posed by Kaspersky (the NSA did not allow the program on its computers), other government agencies used Kaspersky until the Trump administration prohibited its use last year. One of the most significant concerns is who the American government can trust with its cybersecurity. As the entity that protects massive amounts of sensitive information, the government absolutely must be able to protect that information, especially from hostile actors.
In addition to seeking cybersecurity secrets from the intelligence community, the Associated Press reported last week that Russian operatives have been obtaining sensitive information from defense contractors. The group known as Fancy Bear (also Fancy Bears), an anonymous and nefarious cyber entity that has been involved in hacking various countries and agencies since 2008, is believed to be behind the most recent revelation. Assuming this to be the case, it would not be surprising: Fancy Bear is generally believed to work on behalf of and receive funds from the Russian government. Moreover, Fancy Bear targeted and hacked the Democratic National Committee during the 2016 election and accessed Clinton campaign chairman John Podesta’s emails.
In the recent attacks, Fancy Bear made a specific effort to seek contractors working on advanced military technology, such as “militarized drones, missiles, rockets, stealth fighter jets, cloud-computing platforms [and] other sensitive activities.” The targets worked at large defense contractors as well, such as Lockheed Martin and Boeing. According to the report, the hacking activities took place between March 2015 and May 2016; there was also a peculiar focus on obtaining information on drone technology. It appears that the hackers generally attempted to compromise the Gmail accounts of many of the contractors to gain access to the sensitive information; personal email accounts are an easy access point for hackers. Although it remains unclear how successful the effort was and whether Russia will be able to capitalize on the efforts, it is safe to assume that the United States military has a reduced advantage at this point relative to where it should have been.
From a legal perspective, this incident speaks volumes to the cyber risks facing the United States government as well as the contractors that work for it. The Defense Federal Acquisition Regulation Supplement (DFARS), designed to protect controlled unclassified information handled by contractors, lays out security requirements that contractors must meet on any project. To be in compliance with DFARS, contractors must comply with National Institute of Standards and Technology (NIST) Special Publication 800-171 (NIST 800-171) beginning December 31, 2017, which explains additional requirements that contractors must meet. These include, for example, the widespread use of encryption, limiting access to authorized users, and monitoring remote access, among many others. With this in mind, however, the Department of Defense evidently considers it impractical to expect all contractors—as well as potential contractors—to have implemented all of these standards by now, and thus is not yet mandating each requirement to be fully implemented, though contractors do need to demonstrate progress on their cybersecurity mechanisms.
While these requirements address controlled unclassified information (whereas Fancy Bear appears to have accessed classified information), the recent hack is still useful to highlight the critical importance of enforcing compliance among contractors. Although it is unclear whether earlier implementation of these measures would have prevented or mitigated the damage incurred from the contractor hack, the mere possibility that the requirements may have reduced the harm should be sufficient to serve as a warning to current and future contractors.
To prevent another attack such as this, defense contractors need to be more cognizant of their cybersecurity efforts. This likely means that they need to be better prepared to implement the DFARS requirements as well as those of NIST 800-171. It also means that the Department of Defense needs to enforce its requirements. In other words, the Department of Defense needs to select as its contractors those who can provide adequate cybersecurity for its projects, but contractors also must be able to give the Department of Defense options—they need to show the government that they are capable of protecting sensitive information.
This blog post should by no means be considered a critique of the Department of Defense’s decisions relating to contracting and cybersecurity. Rather, this post serves as a caution to contractors that they need to make all possible efforts—however costly and time-consuming they may be—to comply with the government’s requirements insofar as protecting sensitive national security information is concerned. The United States depends on its contractors to ensure the safety of this country, and we must hold defense contractors to the same high standard that we hold the military.
Russia and other enemies are actively seeking military information and any advantage they can achieve; if contractors truly want to serve the Department of Defense—and thus the United States—then they need to take steps to protect sensitive information from our enemies.