Better shape up fast, civilian!
The CC2 – NISPOM and DFARS compliance updates may lead one to perceive DoD as a bit of a bully, carrying a big stick, as discussed in the previous post. Consider what’s probably driving these compliance updates. DoD has recognized a rapidly escalating threat environment and the urgent need to protect CDI-Covered Defense Information. To do that it must also contain attacks against defense contractors. The compliance and cyber security investments contractors make, should be considered for their adequacy in regard to the following:
- Protection of DoD Data – No Dod supply chain partner should be a vulnerable downstream intelligence gathering point for adversaries. Even unclassified information – CUI shared by DoD, can potentially be used in aggregate, to predict or infer sensitive information or situations.
- Protection of DoD – Adversaries can use stolen credentials from any point in the supply chain, such as third party partners and service providers, as a pivot point and conduit to attack major end targets, such as DoD networks.
- Protection of the Supply Chain – Every link of the supply chain requires protection to ensure continuity of service and product availability and delivery. Attacks on secondary and tertiary supply chain partners, can disrupt prime contractor operational capability and timely delivery of products to DoD. Stolen access credentials from a contractor can be used to target another partner’s network and use it as a pivot point to attack others, and potentially disrupting critical operational contract support. (See my post, here.)
DoD’s expectation now, is for contractors to take the protection of DoD data share and used in partner’s networks – seriously! Hence, the raised standards, and the big stick! With the stakes seen as so high today, does anyone still think we can still get away with the same-old, do-as-little-, spend-as-little-as I can- get-away-with … strategy?
To read a nice example of a vendor with a responsible attitude and the benefits of a mature cyber security program see, “Let’s Muse on CyberSecurity as a Business Enabler. Because It Is“.
Time to Pay the Piper?
In the eyes of DoD, the minimalist approach to protecting DoD data transiting contractor networks is probably not working out. Another way to look at this might simply be that it’s time to “Pay the Piper”. By that, I’m alluding to the operational equivalent of paying down decades of technological or technical debt. Technical debt may also be known as design debt.
Rather than doing something about vulnerabilities and their contribution to attack surface at the time of their formulation, it’s too long been the habit of deferring dealing with them until they surface as a pain point. With vulnerabilities everywhere, this practice is starting to hit the wall. We have also recently been seeing NIST pump out nice controls standards and calling for actual system engineering and design to produce trustworthy systems. In this standard NIST even says that this would call for a cultural shift regarding cyber security. This is what this post is talking about.
High Level Security Isn’t Something New
A better level of defensive capability than that typical of discretionary access commercial systems, such as Windows, has been available for many years. The addition of necessary internal controls might mean more complexity, administrative overhead, and resulting expense, but it has been possible for anyone with the goal and commitment to higher security. But companies have usually chosen not to because it might be too hard, costly, or because companies usually choose convenience over security
Fundamentally, defense contractors employ very smart technical people able to develop sophisticated, technical products. Don’t you think some of them are technology and computer geeks who may be Linux enthusiasts or hobbyists? Linux has never been more user-friendly than it is now. Just about any business function can be performed on Linux, and SELinux is available to secure them. The mandatory access controls provided by SELinux deliver controls that facilitate compliance with DFARS and other regimens.
(Pro-tip: KSE by Trustifier is an SELinux equivalent, which we estimate to have only about 1% of the complexity and resulting administrative overhead of SELinux. KSE can be used for just about any OS as well, not just Linux.)
Trustifier is sympathetic to SMBs selling consumer widgets who are overwhelmed, and under-served by the security industry. Many SMBs believe they don’t possess important data and are not a target, but does this really apply to the defense vertical? There is no doubt …that this vertical is a target! The point is, contractors could have done a better job at defending networks and data, if they had decided to try.
Is DoD now telling everyone, … that it’s time to
put their cyber security big boy pants on,
to be vigilant!! To some, this may be an unpleasant new reality. But if DoD is doing this now, how long until the rest of the public and private sectors have to follow?
For example, this week US-CERT just announced that starting in April 2017, discovered incidents must be reported – within one hour!! I think that soon everyone will be called upon to step up their defensive game, in all verticals, especially healthcare, and the Internet of (hackable) Things.
No Point in Complaining
The new compliance requirements might seem like bad medicine to many, but perhaps they’re just long overdue! The compliance updates set by DoD are difficult because of higher levels of security controls that need to be integrated during implementation. They add more complexity, cost and disruption. Some folks seem to think that the updated compliance regimens and additional controls standards amount to a cure that is worse than the disease. They think that if the burden of compliance results in fewer innovative SMB contractors in the defense ecosystem competing for sensitive DoD contracts, the quality of end solutions and amount of innovation may suffer.
That might be true, but is an innovative technology at risk, if the adversary can access technical specifications, or has the opportunity to tamper with them? The upgraded requirements are here for a reason. Better ways to comply with them are what’s needed.
<— Previous: Compliance Regimens – All Stick and No Carrot!