The cost of doing business
For hackers, small suppliers provide a path to high-profile targets
The hackers had just stolen a new season of "Orange is the New Black." But they didn't get it from Netflix.
Instead, they found the files on the servers of a small audio production company. Using a security weakness in an old operating system, the hackers wormed their way in and walked out with what they came for – effectively bypassing anything Netflix was using to protect its popular prison comedy/drama.
The data breach illustrated a daunting reality in modern cybersecurity: A company's defenses are only as strong as those connected to it. With hackers exploiting the cyber weaknesses of small suppliers, contractors and vendors, security experts are working with those companies to reduce the risk that they'll become a back door to a big target.
"The numbers are escalating," said Paul Perkinson, president of cyber services at Raytheon. "Everyone that is attacked is a vendor or supplier of someone in the food chain."
In May 2017, the Department of Homeland Security issued a warning that several common models of surveillance cameras contained flaws that hackers could exploit for an up-close look at whatever the devices were watching. The implication was clear: Cameras that businesses had bought to protect their people and their property could actually do the opposite.
The flaw was just one way a supplier's cybersecurity lapse can leave many others at risk – and nowhere are the consequences more serious than in the defense industry. In recognition of that threat, the U.S. Department of Defense has developed a set of cybersecurity requirements for small companies that work on military systems.
The rules require companies to adopt “adequate security” for defense information kept on or sent through internal unclassified information systems, and to report cyber incidents in a timely way.
"Today, more than ever, the Department of Defense relies upon external contractors to carry out a wide range of missions and share sensitive data with these entities," the Defense Advanced Research Projects Agency wrote in describing the requirements. "Inadequate safeguards threaten America’s national security and put Service members’ lives at risk."
Those requirements cover technical areas such as access control and auditing, but they also include behavioral aspects of cybersecurity such as awareness and training. Addressing the human side of cybersecurity is key – no matter how big or small the organization, Perkinson said.
"Employee size does not matter when it comes to a security breach," he said. "What does matter is if the company has the talent and a culture where cybersecurity is a part of their responsibility to their customers."
Historically, however, that hasn’t been the case. Small companies – even those that work with highly sensitive technologies – are slowly realizing that protecting things like technical data and source code is as important as the quality of the products themselves.
"A lot of these smaller companies just really did not plan on spending any money on this. The closest thing they have to an IT department is when they go to Best Buy and buy a new laptop," said Greg Gorman, senior federal account manager for Forcepoint, a commercial cybersecurity company jointly owned by Raytheon. "In a lot of cases, it's really smart people focused on making a great product – and not cybersecurity."
LEARNING FROM HISTORY
What the Department of Defense is trying to prevent is a sprawling cyberattack like those that have rocked some of the commercial sector’s biggest companies.
The highest-profile example was Target, which in 2013 acknowledged that 110 million customers had their credit-card information exposed. The attackers accessed the point-of-sale system by stealing the credentials of a third-party heating, ventilation and air conditioning vendor.
But that breach, while the most famous, wasn’t the first. In 2008, for example, a hack on the credit-card processing company Heartland Payment Systems exposed 135 million credit cards belonging to customers of 175,000 merchants.
One reason third-party attacks succeed is that many companies fail to do their due diligence on contractors, suppliers and the like, said Rebekah Wilke, director of managed detection and response for cyber services at Raytheon.
"It's important to make sure all third-party vendors are playing by your security rules, not theirs," said Wilke, who runs remote cybersecurity operations for Raytheon's customers. "If an organization truly understands its third-party vendor, it will understand its security measures and whether or not those align and are compliant."
Another complication: The sheer number of internet-connected devices that are making networks bigger, broader and more vulnerable. Every cloud-connected security camera, thermostat or smartphone creates a potential point of entry.
Though the threat looms large, there are things businesses and individual users can do to protect themselves. Company-wide cybersecurity requirements should include employee training and a cultural emphasis on strong "cyber hygiene," and administrators should scrutinize software updates before implementation.
And just as people should know about the security of any new device they bring into their home, companies should also do due diligence on new software, tools, suppliers, contractors, acquisitions and other partners.
For the audio production company, the “Orange is the New Black” hack gave them hard-won wisdom – and a prompt to incorporate stronger cybersecurity measures. Companies like Raytheon can help other businesses assess their security culture and determine the best cybersecurity practices. When it comes to cyberattacks, investing in preparedness is paramount, Perkinson said.
"If you do not have the resources to combat today’s cyber threats, you need to look for expertise," he said.