Wednesday, February 5, 2014

Can we learn from the non DoD Industry about protecting national security?

 It seems like we should be able to. The lessons are obvious, but the application may not always be so clear. The same threat methodology applied credit cards, customer data bases, and financial transaction websites exist for the defense industry. The products may be diverse, but the result is usually the same; very sensitive information is released and those slow to react are in the business of performing damage control.

Last December, Target shoppers were disheartened to discover that their private information became available to bad guys as a result of some pretty detailed scheme to get that information. Now these shoppers 'credit information is vulnerable, threatening possibilities of data theft many times over. Many, such as my family, suddenly found ourselves in possession of newly issued credit cards as our banks cancelled suspect credit cards in response to the data breech.

According to the article in the Wall Street Journal, Target Says Hackers Used Credentials from Vendor, it wasn't even Target's mistake. Further reporting determined that a vendor for Target transactions actually were the targets of the hacking. They were the ones exposed and leaking the Target customers' sensitive information.

In another article in the same issue of The Wall Street Journal, Cruel Letter Shows Big Data Gone Bad is taking heat for mailing information to"Mike Seay Daughter killed in  car crash." Once again, Office Max was not the culprit of hacking, but the victim of an irresponsible vendor hired to mail information, using a poorly vetted mailing list.

Those in the defense industry understand the responsibility of protection sensitive information at all locations.  Whether prime contractors or 5th level subcontractors, the requirement to protect sensitive information falls equally at each location. Classified, OPSEC, personal Identifiable information, for official use only and other sensitive information protection is a defense contracting and acquisitions requirement. What is not dictated is the exact countermeasure to use leaving each location to apply their best practices in an ala carte approach to applying any of a list of approved protection measures. 

The application here is that the prime contractor may not be the primary target of scams to get sensitive information. As learned in these Wall Street Journal reports, hackers may target vendors and subcontractors that are easier to get to than the perhaps better prepared prime contractors. The defense chain is only as strong as the weakest link. The same sensitive information should be protected with equally effective countermeasures, training, and awareness no matter where it resides.

Facility Security Officers and security professionals should review contracts requirements imposed by customers to determine protection requirements. As such, don't just read the DD Forms 254, but engage the entire contract to include statements of work for all acquisition transactions. This includes design, engineer and security specifications. How else will one truly understand what is required by the customer? At the same time, what requirements does the organization flow down to teaming vendors and subcontractors?

Specifying security requirements leaves less to chance. If Target either specified how vendors shall protect customer information, OR worked only with vendors that are known to protect customer information with the same strict controls as they themselves employ, the data breech may have never happened. Until each teaming unit employs the same protection measures to protect the same information, there will always be a weaker link. 

For more ways of setting up a security system in a Cleared Defense Contractor, see Red Bike Publishing's book, DoD SecurityClearance and Contracts Guidebook

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing Red Bike Publishing . He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances" and "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and NISPOM/FSO Training".

No comments: