New risks threaten defense industry's cybersecurity, report claims

Newly reported cybersecurity vulnerabilities inched past 17,000 in 2020, signaling worsening security in the defense industrial base, according to a National Defense Industrial Association report.

NOTE: This article first appeared on FCW.com.

The defense industrial base was pummeled with new cybersecurity vulnerabilities in 2020, increasing contractors' supply chain risk, according to a new industry report.

The National Defense Industrial Association recently released its 2021 Vital Signs report, in partnership with Govini, addressing key areas that affect the overall health of the defense industrial base, including information security, demand, productivity, workforce diversity and financial performance.

Overall industrial security, which includes threats to information security and intellectual property, took a hit, scoring 56 out of a possible 100 points, according to the report, which evaluated scores from 2018 through 2020.

That score is just a point lower than the 2019 score, and the drop was driven entirely by the sheer number of new cybersecurity vulnerabilities reported in 2020: 17,305, up 18% from 2018. The comparable figure for 2016 was 6,447, according to the report.

As a result, gains from stronger intellectual property protection, which was boosted by increased FBI investigations, were erased.

"American industry faces persistent, increasing threats of intellectual property theft, economic espionage, cybercrime, and other forms of attacks," the report states. Additionally, the drop in an already low score is part of "larger trends in the erosion of industrial cybersecurity despite increasing attention and resources being dedicated to combating the threat."

The report comes as the Defense Department works to implement a unified cybersecurity standard for contractors called the Cybersecurity Maturity Model Certification program, and as defense companies work to comply with the China-made telecommunications equipment ban.

Industrial base security is a pressing concern of many in Congress. Sen. Joe Manchin (D-W.Va.) brought up the issue Feb. 2 during the confirmation hearing for Kathleen Hicks to be deputy defense secretary, saying prime contractors needed to be responsible for the network security of their subcontractors.

"The big boys, the Boeings and all that -- hold them accountable for basically the security of their networks down into their subcontractors. That's where we're getting picked off," Manchin said, seemingly alluding to the DOD's CMMC program that would require all defense contractors to meet certain cybersecurity standards before getting contracts.

"That's where basically the hacking -- that's where all the information is being stolen from. That has to be secured and it has not," he said.

Manchin went on to say that there was no financial penalty for prime contractors that suffered a security breach through a subcontractor.

Hicks' response: "We have to improve the accountability and change the incentives."