The U.S. defense industry supply chain is highly vulnerable to cyberattacks, with more than half of the 300 small-to-medium-sized business (SMB) subcontractors reviewed showing evidence of critical vulnerabilities to ransomware, according to a report from BlueVoyant released this week. To conduct the research, BlueVoyant used third-party datasets and proprietary research.
Almost half (48%) of companies had severe vulnerabilities, including unsecured ports vulnerable to breaches, unsecured data storage and software that was no longer supported. About 10% of companies showed critical vulnerabilities, including evidence of targeted threat activity or compromise.
More than one-quarter (28%) of companies reviewed in the study would likely fail to meet even the most basic requirements of the Cybersecurity Maturity Model Certification (CMMC) program, a Department of Defense initiative designed to raise the standards of prime and subcontractors in the defense industry.
Months after the launch of CMMC, the defense industrial base remains highly vulnerable to cyberattacks. Significant hurdles remain before the Pentagon is able to more fully secure the industry against persistent threat activity that has repeatedly targeted the weakest links in the chain.
"SMBs are a vital part of the DIB [defense industrial base], yet are also often the weakest link," Austin Berglas, head of professional services at BlueVoyant, said.
"Adversaries know this. Why spend time and resources to compromise a large, well funded, well secured prime contractor when you can exploit an open, unsecured port on a smaller subcontractor in a very short amount of time, with little to no effort?" Berglas said.
Several ransomware groups, including Babuk, Ryuk, Maze and DoppelPaymer, have hit defense industry contractors, according to the report. Ransomware attacks caused two defense contractors to shut down operations and malicious actors targeted other defense contractors, including F5 and Microsoft, through zero-day vulnerabilities, according to the report.
Smaller contractors have faced some headwinds since the launch of the CMMC program. CMMC was designed to create a higher level of security standards to prevent threat actors from exploiting vulnerable subcontractors who may work on sensitive federal contracts, but often lack the personnel and financial resources needed to secure their environments from cyber intrusions.
"The report is definitely accurate in that SMBs typically lack the resources and dedicated security and compliance teams to be able to implement security controls or tools that the larger prime contractor counterparts can," said Victoria Mosby, federal sales engineer at Lookout.
Smaller companies have raised concerns for months about their inability to meet some of the more stringent requirements demanded by CMMC. Many subcontractors still have to make significant security enhancements to avoid losing out on lucrative defense contracts, according to the report.
"Non-IT tech companies have a higher risk profile and fewer resources to address shortfalls — technical resources, and if size is factored in, financial resources as well," Michael Cardaci, CEO of FedHIVE, said. "This has been an ongoing issue throughout discussions about CMMC and with manufacturers."
The defense industry has faced a major round of new attacks from advanced persistent threat actors who exploited zero-day vulnerabilities in VPNs.
"In light of increasingly frequent and complex cyber intrusion efforts by adversaries and non-state actors, the department remains deeply committed to the security and integrity of the defense industrial base," a spokesperson for the Pentagon said in response to the report.