Published by The Lawfare Institute
in Cooperation With
Editor's note: This article is part of a series of short articles by analysts involved in the Cyberspace Solarium Commission, among others, highlighting and commenting upon aspects of the commission's findings and conclusion.
Cyber-enabled intellectual property theft from the Defense Industrial Base (DIB) and adversary penetration of DIB networks and systems pose an existential threat to U.S. national security. The DIB is the “[t]he Department of Defense, government, and private sector worldwide industrial
complex with capabilities to perform research and development and design, produce, and maintain military weapon systems, subsystems, components, or parts to meet military requirements.” It is a compelling example of a cross-domain challenge that lies at the intersection of cyberspace and conventional domains of warfare. This is because adversary behavior in cyberspace has broader ramifications, such as the potential to erode the United States’s conventional military advantage, undermine deterrence, and provide emerging nation-state competitors with an edge over the U.S. in military contingencies and conflicts. The threat is multifaceted. Intellectual property theft can enable adversaries to replicate cutting-edge U.S. defense technology without comparable investments in research and development. Adversary access to the DIB could inform the development of offset capabilities. It could even provide insights or access points that enable adversaries to thwart or manipulate the intended functioning of key weapons and systems designed and manufactured within the DIB.
As the sector-specific agency for the DIB, the Department of Defense takes the lead within the federal government for working with this critical infrastructure sector. The 2018 Department of Defense Cyber Strategy identifies defense of the DIB as a crucial imperative, noting that the Defense Department will “defend forward to halt or degrade cyberspace operations targeting the Department, and … collaborate to strengthen the cybersecurity and resilience of [the Defense Department], [Defense Critical Infrastructure], and DIB networks and systems.” There are a number of federal entities involved in identifying, prosecuting and thwarting cyber threats to the DIB. These include the recently established Cybersecurity Directorate within the National Security Agency (NSA); the DIB Cybersecurity Program; and law enforcement and counterintelligence entities such as the FBI, the Air Force Office of Special Investigation, the Naval Criminal Investigative Service, U.S. Army Counterintelligence and the Department of Defense Cyber Crime Center.
Nevertheless, vulnerabilities within the DIB persist and there are gaps in existing efforts. Two critical shortcomings are, first, that there is no truly shared and comprehensive picture of the threat environment facing the DIB and, second, that efforts to rapidly detect and mitigate threats to DIB networks and systems are lacking. Adversaries operate in cyberspace across multiple areas and sectors within the defense industry. This means that, while an advanced threat actor may be targeting a number of entities within the DIB, any given target can only observe the adversary—its capabilities, tools, techniques and indicators of compromise—as it operates on its own assets, if at all. However, to gain insight into adversaries as strategic organizations, the Defense Department needs a consistent and coherent picture of where, how and why they are operating.
These gaps drive two important recommendations advocated by the Cyberspace Solarium Commission. First, through legislation, Congress should require companies within the DIB, as part of the terms of their contract with the Defense Department, to participate in a threat intelligence sharing program that would be housed at the department component level. Information sharing programs do exist, but they are insufficient. For example, the department’s Cyber Crime Center and the DIB Cybersecurity Program are largely voluntary, although DIB entities have some mandatory reporting requirements. Existing programs also tend to benefit the larger prime contractors, which have the ability to share and consume threat information. But small and sub-prime contractors play vital roles in the supply chain, and vulnerabilities within these entities can have cascading negative implications. Finally, the Defense Department lacks a complete view of its supply chain, which may include non-U.S. companies. There are no mandatory reporting requirements that require prime contractors to disclose to the department the identities of their subcontractors.
The ultimate end state of this information sharing program is to leverage fused, real-time information from DIB network owners and operators, coupled with U.S. government intelligence collection products, to create a comprehensive picture of adversary organizations and an improved understanding of the adversaries’ own intelligence collection requirements. This would help the Defense Department and the intelligence community anticipate where adversaries will seek to collect against DIB targets. And, importantly, this information would need to be communicated to DIB network owners and operators so that they can proactively defend against impending threats, as well as support the threat-hunting efforts described further below.
The program should contain a number of key elements. First, drawing on the Defense Department’s new Cyber Maturity Model Certification (CMMC) regulation, the requirements associated with participation would be tied to a firm’s level of maturity. In addition, there should be incentives around participation, particularly for small- and medium-sized companies. Second, there should be defined frameworks that guide specifically delineated information sharing, such as incident reporting and reporting on the use of subcontractors. Third, participation in the program should automatically entail consent by DIB entities for the NSA to query in foreign intelligence collection databases on DIB entities and provide focused threat intelligence to them, as well as enable all elements of the Defense Department, including the NSA, to directly tip intelligence to the affected entity. Finally, as it develops, the program should aim to support joint, collaborative, and colocated analytics, as well as drive investments in technology and capabilities to support automated detection and analysis.
The second committee recommendation is that Congress should direct regulatory action that the executive branch should pursue, through the Defense Federal Acquisition Regulation Supplement, to require companies within the DIB to create a mechanism for mandatory threat hunting on DIB networks. This would be as part of the terms of a company’s contract with the Defense Department. Threat hunting is the act of proactively searching for cyber threats on assets and networks. This recommendation is meant to address the detection and mitigation of adversary cyber threats to the DIB, going a step beyond the intelligence sharing recommendation described above. As reflected in the new CMMC regulation, companies at different levels of maturity vary in their internal capacity to conduct threat hunting. There are several vehicles to support threat hunting, such as allowing Defense Departmententities to conduct threat hunting on DIB networks—with prior coordination with network owners and operators—or enabling companies to contract with department-approved third-party entities to conduct threat hunting. Data generated from these activities should be fed back to the department and to the NSA’s Cybersecurity Directorate. Threat hunting on these networks, particularly those that are assessed to be of interest to an adversary, enables network owners and operators, as well as the Defense Department, to have increased confidence in the security of such assets. Additionally, if threat activity is identified, it brings all parties’ attention to the breach so that they can work in concert to contain, remediate, and assess any potential damage and information exposure.
Every major U.S. strategy document frames the current environment as defined by a revival of great power competition. During historical periods of great power competition, strategic outcomes were often driven by advantages and innovation in military weaponry and technology. Therefore, failure to protect and secure the DIB, which drives the United States’s technological edge and military advantage, could have deleterious long-term consequences and is an example of how adversary activities in and through cyberspace on a routine basis can affect strategic outcomes.