U.S. Government Contractors Score Poorly on Cyber Risk Tests
Report Analyzes Cyber Risk of Federal Supply Chain
Attacks against the supply chain are not uncommon. The supply chain represents the soft underbelly of large organizations that are otherwise well defended.
The federal government is not an exception -- in fact, federal agencies are especially reliant on their supply chain; and the security posture of that supply chain is of national importance. This importance is not unrecognized. The May 2017 presidential Executive Order specified that the supply chain be included in security improvements: it called for a report, "on cybersecurity risks facing the defense industrial base, including its supply chain, and United States military platforms, systems, networks, and capabilities, and recommendations for mitigating these risks."
BitSight this week published an analysis of the security posture of the federal supply chain following the executive order. BitSight is a firm that examines and rates companies' security posture by analyzing visible evidence. It sees indicators of compromise, infected machines, improper configuration, poor security hygiene and potentially harmful user behaviors.
From such evidence, it is able to assess and compare the security posture of different organizations. It concludes that the federal supply chain continues to provide a soft underbelly for attacks against federal agencies: while federal agencies are improving their own security stance, their supply chain is lagging.
For its analysis, BitSight researchers took a random sample of over 1,200 U.S. federal government contractors across a range of sectors, and compared the results with the performance of over 120 U.S. federal agencies. It found a mean performance gap of at least 15 points between the agencies and their contractors. BitSight's ratings are calculated on a scale of 250-900, where a higher score reflects a stronger security posture. "There is a significant gap between the security performance of U.S. federal agencies and their contractors," concludes the analysis. "The mean rating for agencies as of January 2018 was 725.
This is markedly higher than any of the other sectors of contractors for the U.S. federal government observed in this study." This mean rating disguises some concerning specifics. For example, nearly one in five users at Technology and Aerospace/Defense contractors have an outdated internet browser, making these employees and their organizations highly susceptible to new variants of malware. "High-profile vulnerabilities like Spectre can exploit outdated browsers as an attack to intercept or compromise data," warns BitSight. "Updating to the latest browser, operating system, or software package is critical to mitigating risks."
Individual risk vectors are graded on a scale from 'A' to 'F'. "Nearly 50% of contractors have a BitSight grade below C for the Protective Technology subcategory of the NIST Cybersecurity Framework," states the report. "This data suggests that many contractors are not implementing best practices for network security, encryption, and email security." Engineering was the worst performing sector in this area, with only 4% achieving an A grade. This compares to 38% of the federal agencies achieving an A grade (almost three times the second-best rate of 13% for Business Services). Botnet infections are another worrying area.
It was highlighted in the Trump executive order, which demanded action "to improve the resilience of the internet and communications ecosystem and to encourage collaboration with the goal of dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets)." Here there is less difference between the agencies and their contractors -- in fact both the Business Services (80%) and Aerospace/Defense (74%) sectors achieved more A grades than the Federal Agencies (73%). However, only Aerospace/Defense equaled the agencies in the low number of F and D grades (both at 4%).
In general, however, far more of the contractors scored B and below than did the agencies. For reference, BitSight claims, "an organization receiving a B or lower in this category is more than twice as likely to experience a data breach." It goes on to suggest, "This data suggests that these organizations have ineffective security programs in place and may be experiencing ongoing data breaches."
Security of the supply chain is a problematic issue for all organizations. This BitSight report suggests that it is a serious problem for federal agencies. "Tens of thousands of government contractors hold sensitive data or perform services on behalf of federal agencies," says Jacob Olcott, VP of Strategic Partnerships at BitSight. "The U.S. government must be focused on evaluating, monitoring and improving the cyber hygiene of these contractors. Recent contractor regulations, like the new DOD requirements, are a start, but are too focused on check-the-box compliance.
Cyber is a dynamic risk. By leveraging objective data and continuously monitoring the supply chain, the federal government will better comprehend the danger within its own ecosystem and begin to meaningfully mitigate this risk." Cambridge, Mass.-based BitSight Technologies raised £40 million in a Series C funding round in September 2016, bringing the total raised to £95 million.