LAS VEGAS — The Chinese government has such vast hacking resources that it’s targeting tiny companies in the U.S. defense industrial base that never imagined they would end up on Beijing’s radar, a National Security Agency official said here Wednesday.
“China's hacking resources outnumber those of the U.S. and [its] allies combined, and China has stolen more corporate data from the United States than any other nation in the world,” Bailey Bickley, chief of DIB defense at the NSA’s Cybersecurity Collaboration Center, said during a session at the Black Hat USA cybersecurity conference.
Although best known for its intelligence-collection role, the NSA is also responsible for helping defense contractors safeguard their systems. Recently, the agency has been doing that through free security services — including classified information sharing and a protective DNS offering — from the Cybersecurity Collaboration Center.
“When we engage with small companies” in the defense industrial base, “they often think that what they do is not important enough to be targeted” by China, Bickley said. “But when you have the significant resources like that to conduct mass scanning and mass exploitation, there is no company and no target too small.”
Major U.S. weapons suppliers and other large defense contractors have vast cybersecurity budgets and massive teams of security personnel working to protect sensitive data — including designs for classified military technology — from hackers working for Russia, China and other U.S. adversaries. But “the defense industrial base is 80% small businesses,” Bickley said, and those companies have only meager, if any, cybersecurity resources and “minimal awareness of security best practices.”
In her presentation, Bickley showed a picture of the headquarters of a small defense contractor she had visited. Printers and filing cabinets cluttered the unassuming, wood-paneled room, with taxidermied animal heads mounted on three walls. The company makes “custom radio frequency solutions” for military personnel stationed in “very austere locations across the globe,” according to Bickley. “Although they are an incredible manufacturer,” she said, “their IT environment was maybe not quite what I had had in mind for a defense contractor.”
“These are the companies that are actually facing off against nation state–backed actors in what has fundamentally been a very unfair fight,” Bickley said. “They're not thinking about two-year-old vulnerabilities. They're thinking about building the best antenna for DOD that money can buy.”
Another challenge the NSA faces in supporting the defense industrial base is the growing diversity of companies that make up that sector.
“The DIB is no longer a handful of traditional defense contractors,” Bickley said. “It now includes a lot of companies from nascent and emerging industries.” Among them are artificial intelligence companies, commercial transportation firms that move supplies in wartime and foreign-owned infrastructure operators like water treatment facilities that serve overseas military bases.
“The battle space is really changing,” Bickley said, and “we recognized we needed to find new solutions that were really scalable to cover all of this new ground.”
As part of that effort, the NSA signed a contract with the penetration-testing firm Horizon3.ai to offer free penetration tests to small firms. In that and other instances, Bickley said, the NSA has “worked with up-and-coming companies to offer their capabilities to small businesses within the defense industrial base.”