Cyber security executive Sarah Sloan explains why defense policies must keep pace with technology to secure networks and platforms.
In the contemporary battlespace, cyberspace is a key terrain. Today, almost every aspect of our national defense is connected, whether it’s the desktop computers that manage military logistics, or the weapons and military platforms such as tanks, ships, and planes.
All of these systems are connected and vulnerable to security threats. Even most “air gap” environments will have products or applications running in them that were once Internet-facing, making them potentially vulnerable to cyber threats and supply chain vulnerabilities.
Defense’s rapid adoption of force-multiplier technologies, such as the Internet of Things (IoT), artificial intelligence (AI), and 5G, has accelerated this interconnectivity and exponentially increased the cyberattack surface.
An increasing variety of sensors that acquire data will feed more algorithms that operate at the tactical edge, where low-latency decisions will need to be made in an increasingly contested and congested communications environment.
As the volume of data acquired grows, a growing backbone of intelligent edge devices will present an increasingly attractive target to a variety of cyber adversaries.
To secure Australia’s tactical advantage, Defense must be in a position to rapidly acquire and deliver emerging and mission-critical technologies, while ensuring its cyber resiliency.
However, Defense faces a number of challenges, including its reliance on an increasingly complex supply chain to deliver mission-critical systems and platforms, as well as its reliance on legacy IoT devices found on many older defense platforms, which are nonetheless mission critical.
To ensure that it can defend Australia and its national interest, Defense should consider modernizing its policies through the following three key actions:
- Update Defense procurement policies to recognize and manage cyber and supply chain security risks earlier in the procurement process.
Defense should review its acquisition policies to increase awareness of cybersecurity and supply chain risks and ensure these risks are identified and managed early in the acquisition process.
As an example, the Australian Standard for Defense Contracting (ASDEFCON) set of tender and contract templates contains very few references to “cyber security” and most references to “security” refer to physical security controls or the security classification of the data.
Defense should consider a review of key acquisition policies, such as ASDEFCON, to strengthen references to the importance of cybersecurity and supply chain resilience. In particular, Defense procurement policies should:
- Learn about the integrity measures of the company’s ICT products – Governments around the world are increasingly focused on identifying and mitigating risks to the information and communications technology (ICT) supply chain. Indeed, efforts to disrupt or exploit supply chains have become a “primary attack vector” for adversary nations seeking to exploit vulnerabilities for espionage, sabotage, or other malicious activity. Therefore, it is essential that Defense, as part of its acquisition, ask key questions of its suppliers. These could include:
- What internal processes and monitoring mechanisms does the company have to mitigate the risk of modification of ICT systems during the development life cycle?
- Where is the hardware manufactured, and how does the company ensure the security of this process?
- How does the company ensure secure tamper-evident delivery of hardware products?
- Does the company perform third-party testing to ensure security vulnerabilities are identified earlier in the process?
- Does the company have vulnerability disclosure and remediation practices?
- Does the company have executive management buy-in of the importance of secure supply chains?
The Australian Cyber Security Centre has also published guidance on how to secure the supply chain that could be further integrated into defense procurement policies.
- Create a registry of company source code disclosure practices – Increasingly, we have seen cases of countries implementing new requirements, in particular mandates to review or even maintain source code, as a condition of selling technology to certain parts of their market. However, widespread disclosure of source code could weaken security, as the source code can be analyzed to find and exploit vulnerabilities in software used by organizations globally.
Defense currently has limited insight into whether the companies it deals with have shared their source code with foreign governments, which poses a potential security risk. Defense should amend its procurement policies to identify companies that have shared the source code of their unique intellectual property (IP) with governments as a condition of access to certain markets. The US government has taken a similar approach.
Defense must ensure it has the proper mechanisms in place to assess cyber security and supply chain risks early in the procurement process.
In the later stages of the procurement process, which in some cases may be years later, a supply chain or cybersecurity risk may become apparent when Defense is already too “committed” to the chosen solution, forcing it to pay significant costs to eliminate the risk or to attempt to manage it.
Strengthening references to the importance of cyber and supply chain risks in key procurement policies would help Defense make more informed purchasing decisions and integrate risk management practices early in the procurement process.
- Adopt secure software supply chain practices
As the 2020 SolarWinds attack demonstrates, our adversaries have learned that traditional and non-traditional vendors in our software supply chain are often “weak links” in cyberattacks.
The attack on SolarWinds, carried out by suspected nation-state operators, involved malicious code embedded in legitimate IT performance and statistics monitoring software.
This allowed the attacker to gain widespread and persistent access to several critical networks.
This attack underscored how software supply chains can present significant risk to mission success and that they must be well defined, protected, and monitored.
Current data exchange processes and tools are not designed to manage and identify distributed supply chain risks for Defense programs and platforms. However, there are two key security initiatives Defense could take to significantly improve its security posture and accelerate capability delivery:
- DevSecOps: DevSecOps integrates security into all stages of the software delivery process. This ensures that developers think about security when they write code, that software is tested for security issues before deployment, and that project teams have plans to address security issues quickly if they appear after deployment. The security value of DevSecOps is realized when security is continually “shifted left” and built into the entire fabric of software artifacts from day one.
- Zero Trust: Securing the modern software supply chain throughout the entire lifecycle of an application is a complex task, and that complexity cannot be sufficiently addressed with legacy security toolsets and approaches, such as additional security and defenses centered on the perimeter. Zero Trust is a security model developed specifically to address the security of sensitive data and critical applications. Zero Trust addresses the shortcomings of perimeter-focused strategies and the legacy devices and technologies used to implement them.
The security posture and integrity of the software supply chain in an agile environment will greatly benefit from adopting a mature DevSecOps practice and toolset and adopting a zero-trust philosophy.
Security capability should always be “baked in” rather than “bolted on”, and it should focus on protecting data and services wherever they are rather than on an ever-expanding perimeter.
- Promote network-level IoT security at scale
Defense, like many other industries, has many legacy IoT devices already in place that cannot be patched or retrofitted with security.
Some of these devices run mission-critical functions continuously and may receive security updates infrequently because they cannot tolerate downtime. In addition, manufacturers of IoT devices – in particular those that supply Defense – face threats to their own supply chains that may see weaknesses inserted into devices upstream that are not visible when the device is shipped.
Given the dynamic nature of IoT and the environments in which devices are deployed, it is critical that Defense adopt policies that go beyond embedded device security and provide the ability to dynamically protect the entire network, from deployed IoT devices to corporate environments, in real time and at any time.
Networks can and should be a priority point of detection and enforcement for IoT security, and today there are technologies, based on machine learning, that are appropriate to achieve this goal.
As the speed of warfare increases and emerging technologies further support warfighter capabilities, the requirement to evolve quickly and safely will be key to maintaining a capability advantage.
Securing defense networks and platforms is increasingly challenging as a variety of adversaries seek to exploit vulnerabilities in cyber and supply chain security.
Defense must keep pace with technology, recognize the threat landscape, and encourage the adoption of best practices to create resilient platforms and networks. In future operations, securing the infrastructure, systems, and data that support military decision-making and power projection will be key.
Sarah Sloan is director of government affairs and public policy, ANZ, at Palo Alto Networks.