BlueVoyant Report Reveals Cyber Security Weaknesses Within Defense Industrial Base Supply Chain

June 22, 2021

More than half of the 300 SMB defense contractors analyzed had critical vulnerabilities to ransomware1and more than a quarter (28%) fall short of basic CMMC requirements.

NEW YORK, N.Y., June 22, 2021 - BlueVoyant, a cyber security services company, today released the findings from its "Defense Industry Supply Chain & Security 2021" report, which highlights critical vulnerabilities within the defense supply chain ecosystem. The report includes evidence of the exploitable cyber weaknesses of small-to-medium businesses (SMBs) within the Defense Industrial Base (DIB) and demonstrates how cybercriminals are becoming increasingly adept at locating and exploiting the weakest link within the supply chain.

As part of its assessment of the scale of the problem for SMB defense companies, BlueVoyant examined the security of 300 subcontractor firms within the DIB using its third-party datasets and proprietary research. BlueVoyant identified the cyber security gaps in the subcontractors’ security practices to garner a better understanding of the security posture of less visible members of the complex defense supply chain.

Key report findings include:

  • More than half of the 300 SMB defense contractors had critical vulnerabilities to ransomware2.
  • More than a quarter (28%) of companies analyzed showed evidence indicating they would fail to meet the most basic, tier-1 CMMC requirement.
  • Manufacturing and R&D companies had the highest risk profiles when assessing email security, IT hygiene, malicious activity, and vulnerabilities. Industry type was a stronger predictor of risk than company size alone.
  • 48% of the companies showed severe vulnerabilities such as unsecured ports vulnerable to breach or exploitation, unsecured data storage and ports, and unsupported software.
  • Almost one-tenth of the companies analyzed showed critical vulnerabilities, evidence of targeted threat activity, and evidence of compromise.
  • 100% of the large R&D companies assessed displayed network vulnerabilities, with 66% of these companies also showing evidence of targeting.
  • More than six months after the F5 and Microsoft Exchange vulnerabilities were announced, nine companies still had the vulnerabilities on their networks.

In the U.S., securing the DIB is one of the most critical national security objectives and policymakers are acutely aware of the high stakes with cyberattacks. Businesses within this sector form the backbone of the U.S. defense industry and are high-value targets for nation state adversaries and other cybercriminals. Although defense contractors face the same opportunistic threats as any business, the DIB’s biggest problem is the complexity of securing such an enormous ecosystem, spanning thousands of companies.

The introduction of new U.S. government regulations and compliance standards, such as the Cyber Security Maturity Model Certification (CMMC), are set to improve the baseline of cyber security requirements. Yet, despite the discipline reflected in the new regulations, many challenges remain for smaller firms, which do not have the resources and budgets to deal with increasing, targeted cyberattacks.

Through its analysis, BlueVoyant identified addressable concerns for DIB companies with low organizational cybersecurity capabilities and provided key recommendations for improving the defense industry’s overall security efforts. Key insights can help Department of Defense (DoD) and defense prime contractors focus their attention and can be used to support and extend recommendations that are present in the 2017 DSB Task Force report and in the 2020 Cyberspace Solarium Commission Report and include:

  • Continuous cyber security monitoring is a key component of a secure supply chain.
  • Prime contractors can reduce their risk exposure by focusing on the most high-risk segments of their supply chain. Findings align with prior reports that R&D companies are particularly vulnerable targets for malicious insertion in the supply chain and focusing on them can reduce risk to all segments.
  • Predictive analysis is possible based on quantitative measures and can provide the DoD and prime contractors with findings to help them identify and more effectively manage risk. However, more research with a larger sample size and wider variables is needed to truly measure the risk of an industry with this scale.

Commenting on the research, Austin Berglas, Global Head of Professional Services, BlueVoyant, said: “As prime contractors and other larger DIB members develop more robust and sophisticated security defenses, it’s no surprise threat actors have pivoted towards targeting SMBs within the same supply chain. In particular, manufacturers and R&D companies are lagging in terms of their own cyber posture, leaving the entire defense industry wide open to the threat of ransomware and other third-party attacks.

“For an industry with such an expansive, interconnected digital ecosystem, supply chain security should be a fundamental consideration. Prime contractors are under enormous pressure to reduce the attack surface of the entire supply chain but are partly blind to the vulnerabilities that exist. For smaller companies, identifying ongoing risks and understanding overall supply chain health is a daunting but vital process, and more attention and resources should be dedicated to combating the growing threat.”

Jim Rosenthal, founder and CEO, BlueVoyant, concluded: “The U.S. defense supply chain is a vital national security asset, but the DIB is currently in an inefficiently secure state. In the face of relentless and successful cyber espionage, the nation’s primary focus should be on creating a secure and resilient supply chain. The two Executive Orders: one on American Supply Chains, and the other on Improving the Nation’s Cybersecurity, direct much-needed attention and funding to cybersecurity in the defense supply chain, but they are only the start. Closer co-operation between the DoD and the private sector is required to support a more vibrant, diverse and secure defense sector.”

For more insights, check out BlueVoyant’s "Defense Industry Supply Chain & Security 2021" report.

About BlueVoyant

At BlueVoyant, we recognize that effective cyber security requires active prevention and defense across both your organization and supply chain. Our proprietary data, analytics and technology, coupled with deep expertise, works as a force multiplier to secure your full ecosystem.

Accuracy. Actionability. Timeliness. Scalability.

Founded in 2017 by former Fortune 500 and former government cyber officials, BlueVoyant is headquartered in New York City and has offices in Maryland, Tel Aviv, San Francisco, Manila, Toronto, London, Latin America and Budapest.

For additional information:

Danielle Ostrovsky
C8 Consulting (Americas)
T: 001 410-302-9459
E: [email protected]

Jim Pople
C8 Consulting (EMEA)
T: +44 7955 030191
E: [email protected]

References

1 https://us-cert.cisa.gov/ncas/...

2 https://us-cert.cisa.gov/ncas/...