THE BIG PROBLEM IN CYBER DEFENSE IS REALLY SMALL

November 19, 2020

This post is one in the “Rethink Cybersecurity” series. Additional posts in this series are available here.

It shouldn’t be surprising that our major defense companies, known in the industry as “the Primes,” are among the best at cybersecurity. Indeed, an earlier study by FireEye found that typical industry sectors had a breach rate of 96% while the defense industrial base (DIB) had a breach rate of “only” 76%.

Of course, no one in the industry or government regards that comparative advantage as adequate security. So, while it’s a bit of a stretch to say the large system integrators have solved the problem, it is true that they’ve invested enough in systems and people that they’re generally pretty successful in avoiding major incidents.

The rest of the defense supply chain cannot make that claim. The DIB is made up of about a dozen so-called “Primes” and literally thousands of critical smaller players. These smaller players now account for a much larger percentage of targets and successful attacks, and the resulting consequences are much higher.

As we demonstrated in an earlier post on the healthcare industry, it is critical to understand the unique economics of the industry in order to accurately assess the true causes of cyber-attacks and develop a sustainably secure system to manage them.

It turns out that the current approach to cybersecurity in the DIB is not economically scalable to smaller organizations.

The defense industry actually operates under two different economic models. Top-tier system integrators predominantly sell bespoke products to national governments that have few alternatives. Cost is a factor, but the Pentagon is unlikely to opt for a lower cost product from a rival nation, especially if the design suspiciously resembles American-made technology as the result of an intellectual property theft. The cost of a breach in the defense industry is, therefore, less measured in dollars and is more likely measured in the company’s reputation or, more importantly, the margin of our military superiority and our warriors’ safety.

Moreover, the major defense integrators, largely populated by former members of the armed forces, do truly still invest out of a fundamentally patriotic sense of their responsibility to their fellow warfighters, as well as for the more pragmatic reason that strong data and network security are essential to brand credibility when doing business with the military.

But the weight of patriotic and reputational factors gets weaker further down the supply chain where companies’ mix of defense and commercial business shifts. Small- and medium-sized businesses subcontracting to primes or directly with the government have a larger proportion of commercial business.

The greater the commercial component of a business, the more the traditional economic risk-assessment calculations predominate. If they believe the damage that could occur and the likelihood of it happening are both small, then cybersecurity funding may not appear above the budgetary cut line. Financial conditions facing SMBs do not afford them the luxury of what may be uneconomic investments in cybersecurity beyond the minimum required for emerging compliance requirements, and these compliance requirements do not necessarily equate to actual security, given the dynamic threat environment.

This difference in incentive structures has created a two-tiered defense ecosystem. One tier features large, well-funded system integrators. The other contains everybody else. This dichotomy is the single most important factor that needs to be addressed in every aspect of cybersecurity.

Indeed, as large system integrators have assessed their supply chains, it has become obvious that the effectiveness of suppliers’ cybersecurity is directly proportional to the size of their information technology budget, not to the value of the information being protected nor the impact of its loss. For them, the cost of security can be greater than their economic risk.

Over the past decade, DoD, working with the DIB, has developed a series of strategies trying to push the resilience of the core systems down through the increasingly vulnerable supply chains, starting with a largely voluntary strategy and moving increasingly toward DoD instituting a fairly comprehensive regulatory compliance model.

However, with successful breaches continuing, DoD recognized a fundamental flaw in the compliance regime: cybersecurity is an essentially analog process, with “good” existing along an entire spectrum of activity. So, they are beginning to move to a maturity model that attempts to shift from the binary question “are you doing it” to the analog question “how well are you doing it.”

The Cybersecurity Maturity Model Certification (CMMC), instead of being an all-or-nothing binary compliance model, establishes a tiered compliance model. It adds to that a measure of process maturity that seeks to show how institutionalized a company’s cybersecurity program actually is.

However, it is sadly predictable that the CMMC, however much of an improvement, is destined to disappoint for the exact same reasons the preceding strategies disappointed. Small- and medium-sized companies simply cannot afford a sufficiently robust cyber infrastructure, or find the cyber talent, to become secure even with the Damocles’ Sword of Compliance hanging over their heads.

The empirical evidence is that there is probably no way SMBs will ever be incentivized to invest in cyber defense the same way the large defense contractors are. Therefore, we must consider a radically different strategy. The key will be to implement a system that is dirt cheap and easy to employ, distributable across a much larger base of smaller companies, and that spreads the costs out over the entire industry, much like co-op farms.

Once again, it is the economics of the system as much as the technical operations that are the key to creating a sustainably secure cyber system.