Can DNS finally secure government contractor networks?

Last week, the Wall Street Journal reported a troubling series of cyber breaches at a US Navy contractor connected to the Naval Undersea Warfare Center.  Over the last eighteen months, hackers made off with sensitive military information such as ship maintenance data and missile plans.  These incidents prompted an official review of the Navy’s cybersecurity posture, and will likely result in additional requirements for government contractors down the line.

The contractor cybersecurity challenge

Government agencies continuously grapple with the challenge of securing contractor networks.  As more of the day-to-day administration of government networks is contracted out (even on high security systems), agencies are increasingly worried about the cyber implications.  Repeated incidents have shown that contractors don’t feel the same obligation to secure their networks as government agencies do.

Subcontractors present an even greater problem.  Most large-scale government IT contracts are a tangle of technical alliances, small business partnerships, and outsourced task orders.  Even the most diligent government contracting officers and compliance staffers can have a hard time securing these “flow-down” networks.

Contracting language-as-cyber-solution

Up to this point, contracting language has been the government’s cybersecurity mechanism of choice.  DFARS (NIST 800-171), Kaspersky-related provisions, and other standard terms and conditions are used to prompt action at the contractor level.  The threat of disbarment, fines, and legal action is supposed to keep contractors and their subs in line.

As the Navy incidents and many other case studies demonstrate, this strategy clearly isn’t working.  Contracting language is no substitute for an active, coordinated cyber defense.

In reality, the threat of disbarment and severe financial penalties actually carries very little weight.  Most government IT contractors are “too big to fail” in the sense that few agencies would be able to move to another provider quickly.  Given the vagaries of the Federal IT employment market, the same personnel and processes would migrate from any disbarred or disgraced contractor at any rate.

Exhibit A:  the contractors involved in the Navy cyber incidents will probably get off with little more than a slap on the wrist.  None of the other contractors involved in major government breaches have faced any meaningful sanction.

In the absence of a workable proxy accountability mechanism, it seems increasingly likely that the government will have to take a more active role in securing contractor networks.  While this approach will certainly be more work-intensive and expensive to create, it is also more likely to produce lasting results.  In this case, if the government wants cybersecurity done right, it will have to put that system in place itself.

Is there a technical solution?

Visibility is the primary challenge in securing the tangle of government contractor networks.  SOCs at the agency, contractor, and subcontractor level need a common picture of what’s happening and a common mitigation strategy to stop threats in a coordinated way.

DNS offers an intriguing solution to this shared visibility challenge.  As the foundation of every network action and a clear indicator of intent, DNS can provide the earliest warning signs of a cyber incident.

Unfortunately, few if any government agencies or contractors currently use DNS to monitor their operations.  Most don’t keep comprehensive DNS logs (or any DNS logs) to track malicious activity as it moves within a network.  Even fewer actively use DNS to monitor, block, or redirect known malicious activity.

The EINSTEIN program was an attempt to bring DNS data under a single roof and leverage it for security purposes.  Unfortunately, that effort is hampered by lack of client-level visibility, procedural challenges which effectively prevent real-time mitigation, and limitations of government networks.  With the ongoing challenges to government and contractor networks, decision-makers would do well to reconsider the scope and application of EINSTEIN, moving to a more comprehensive, hands-on model which brings DNS to the forefront.

DNS Edge is a proven solution which is already making a significant difference in securing the networks of US government agencies and the contractors they depend on.  Learn more about how DNS can provide a new level of visibility and control on your network.


An avatar of the author

BlueCat provides core services and solutions that help our customers and their teams deliver change-ready networks. With BlueCat, organizations can build reliable, secure, and agile mission-critical networks that can support transformation initiatives such as cloud adoption and automation. BlueCat’s growing portfolio includes services and solutions for automated and unified DDI management, network security, multicloud management, and network observability and health.

Related content

Simplify NIS2 compliance with DNS management

Learn whether the EU’s NIS2 requirements apply to your organization and about how DNS management and BlueCat can boost your path to compliance.

Read more

Detect anomalies and CVE risks with Infrastructure Assurance 8.4 

The Infrastructure Assurance 8.4 release features an anomaly detection engine for outliers and a CVE analysis engine to uncover device vulnerabilities.

Read more

Get fast, resilient, and flexible DDI management with Integrity 9.6

With Integrity 9.6, network admins can get support for new DNS record types, architect and configure multi-primary DNS, and automate IP assignments.

Read more

Deepen your security insight with Infrastructure Assurance 8.3

BlueCat Infrastructure Assurance 8.3, with an enhanced analytics dashboard, including interactive widgets and top 10 alerts, is now available.

Read more

BlueCat acquires Men&Mice and Indeni to add important capabilities in DDI orchestration and network infrastructure resiliency to improve visibility and management of networks.Learn more