Last week, the Wall Street Journal reported a troubling series of cyber breaches at a US Navy contractor connected to the Naval Undersea Warfare Center. Over the last eighteen months, hackers made off with sensitive military information such as ship maintenance data and missile plans. These incidents prompted an official review of the Navy’s cybersecurity posture, and will likely result in additional requirements for government contractors down the line.
The contractor cybersecurity challenge
Government agencies continuously grapple with the challenge of securing contractor networks. As more of the day-to-day administration of government networks is contracted out (even on high security systems), agencies are increasingly worried about the cyber implications. Repeated incidents have shown that contractors don’t feel the same obligation to secure their networks as government agencies do.
Subcontractors present an even greater problem. Most large-scale government IT contracts are a tangle of technical alliances, small business partnerships, and outsourced task orders. Even the most diligent government contracting officers and compliance staffers can have a hard time securing these “flow-down” networks.
Up to this point, contracting language has been the government’s cybersecurity mechanism of choice. DFARS (NIST 800-171), Kaspersky-related provisions, and other standard terms and conditions are used to prompt action at the contractor level. The threat of disbarment, fines, and legal action is supposed to keep contractors and their subs in line.
As the Navy incidents and many other case studies demonstrate, this strategy clearly isn’t working. Contracting language is no substitute for an active, coordinated cyber defense.
In reality, the threat of disbarment and severe financial penalties actually carries very little weight. Most government IT contractors are “too big to fail” in the sense that few agencies would be able to move to another provider quickly. Given the vagaries of the Federal IT employment market, the same personnel and processes would migrate from any disbarred or disgraced contractor at any rate.
Exhibit A: the contractors involved in the Navy cyber incidents will probably get off with little more than a slap on the wrist. None of the other contractors involved in major government breaches have faced any meaningful sanction.
In the absence of a workable proxy accountability mechanism, it seems increasingly likely that the government will have to take a more active role in securing contractor networks. While this approach will certainly be more work-intensive and expensive to create, it is also more likely to produce lasting results. In this case, if the government wants cybersecurity done right, it will have to put that system in place itself.
Is there a technical solution?
Visibility is the primary challenge in securing the tangle of government contractor networks. SOCs at the agency, contractor, and subcontractor level need a common picture of what’s happening and a common mitigation strategy to stop threats in a coordinated way.
DNS offers an intriguing solution to this shared visibility challenge. As the foundation of every network action and a clear indicator of intent, DNS can provide the earliest warning signs of a cyber incident.
Unfortunately, few if any government agencies or contractors currently use DNS to monitor their operations. Most don’t keep comprehensive DNS logs (or any DNS logs) to track malicious activity as it moves within a network. Even fewer actively use DNS to monitor, block, or redirect known malicious activity.
The EINSTEIN program was an attempt to bring DNS data under a single roof and leverage it for security purposes. Unfortunately, that effort is hampered by lack of client-level visibility, procedural challenges which effectively prevent real-time mitigation, and limitations of government networks. With the ongoing challenges to government and contractor networks, decision-makers would do well to reconsider the scope and application of EINSTEIN, moving to a more comprehensive, hands-on model which brings DNS to the forefront.
DNS Edge is a proven solution which is already making a significant difference in securing the networks of US government agencies and the contractors they depend on. Learn more about how DNS can provide a new level of visibility and control on your network.
Critical conversations on critical infrastructure
Find out how your peers are managing their networks through profound change. Watch this series of live interactive discussions with IT pros & join the debate in Slack.
Six non-hype network automation lessons from IT pros
Five IT pros get real about network automation during the first Critical Conversation on Critical Infrastructure hosted in the Network VIP community.
BlueCat’s DDI Adaptive Plugins and Applications help IT teams better leverage ServiceNow, Ansible, Microsoft, and more
A growing suite of Adaptive Plugins and Applications will help automate existing BlueCat capabilities along with adjacent customer technologies.
BlueCat Overlay for Microsoft
With BlueCat Overlay for Microsoft, get visibility into Microsoft DNS and DHCP servers by relaying information back to your BlueCat Address Manager server.
With the ServiceNow Adaptive Plug-in, enable self-service IT requests with automated fulfillment, such as hostname and IP address provisioning.