Thursday, April 11, 2019

Preventing Adversary Targeting; Reduce Your Acquisition Footprint

By: Jeffrey W. Bennett, SFPC, SAPPC, ISOC, ISP

A few years ago I wrote an opinion piece on the Washington Post article: Leaks in high-tech fighter? I wrote with the intent of providing insight into vulnerabilities and possible mitigations. This month, out of curiosity, I decided to revisit the article. While I could not find a link to the original article, I have found many other articles providing more insight into the reasons why the Chinese were capable of producing the J-20 stealth fighter that looked a lot like our F-35.

The original article made many pointed remarks blaming government agencies, including the Department of Defense, for not providing the proper oversight. While it is easy to blame those who own the stolen information (the federal government), one must also recognize that there are myriad regulations and guidance designed to prevent unauthorized disclosure of classified information. The National Industrial Security Program Operating Manual (NISPOM) gives guidance on how to properly disseminate classified material to those with need to know and protect it from unauthorized disclosure. The International Traffic in Arms Regulations (ITAR) instruct how to properly release classified and unclassified technical information to non-U.S. persons.

If anyone were to ask whether or not policies to protect sensitive and classified information were in place, there would be a resounding yes, and plenty of it. The article even points out that “government and its contractors appropriately controlled the export of classified technology to foreign companies”. What’s missing is how to apply these regulations to ever-evolving information systems, storage, and well-connected enterprise networks.

Years later we learn even more about how the Chinese obtained the information. The evidence supports that this may not have been entirely “leaking” in the traditional sense. The “leaking” definition originally used may lead one to conclude that someone inadvertently or with malice provided information to Chinese actors. However, recent articles broaden the definition of this “leak” to include the traditional model plus an additional action: a 2007 hacking of Lockheed Martin in a complex cyber-attack operation.

Now, we see additional evidence of how the Chinese targeted the technology and walked away with valuable inside information. In the article Top Gun takeover: Stolen F-35 Secrets Showing Up In China’s Stealth Fighter, the Washington Post reports a complex cyber espionage operation that stole sensitive technology and F-35 secrets that were incorporated into the Chinese J-20 stealth fighter jet.
In another article, Briton Arrested Over Alleged Plot To Leak F-35 Fighter Jet Secrets To China, a British man has been arrested for allegedly passing on top-secret military information on Britain's F-35 jets to China, illegally exposing classified UK military intelligence to Beijing.

There were many additional articles and publications covering the cases and facts leading up to the conclusion of a deliberate effort to target and acquire information on the F-35. One could spend a lot of time using the various articles to put together the pieces of a detailed espionage and cyber-attack story providing at least two avenues of approach to acquire sensitive U.S. data: exfiltrating data during a cyber-attack and targeting insiders.

One action Facility Security Officers (FSOs) and other executives can take is to prevent the release of indicators that their organization is building specific weapon systems. This simply means taking action to reduce the adversary’s ability to build an acquisition footprint. While there are many more countermeasures, the following effective measures may help deny an adversary the ability to target a contractor facility and its employees:
· Require purchasing and subcontractors to practice blind buys when acquiring weapon system items from commercial manufacturers and vendors. For example, create new purchase order numbers and refrain from using actual government contract numbers.
· Train key employees to send encrypted emails or to eliminate key words from their communications that reveal involvement in weapon systems.
· Segregate program and acquisition documents and protect them from unauthorized viewers. This segregation and access control should extend to the enterprise network, so that an intruder who gets onto the network cannot reach key weapon system documents.
· Flow down requirements to subcontractors to implement the above recommendations.
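As an added illustration of the first two measures (not code from the original post), here is a small pre-release check a purchasing or mail system could run over outgoing text. It flags the two indicators the list above says to keep off commercial paperwork: government contract numbers in the 13-character DoD PIIN format (six-character issuing-office DoDAAC, two-digit fiscal year, one-letter instrument type, four-character serial, usually hyphenated) and program keywords. The watch-list terms, the purchase orders and the contract number are all constructed sample data.

```python
import re

# DoD contract numbers (PIINs) are 13 characters: 6-char issuing-office
# DoDAAC, 2-digit fiscal year, 1-letter instrument type, 4-char serial.
# They are usually written with hyphens, e.g. N00019-18-C-1037 (constructed).
PIIN_RE = re.compile(r"\b([A-Z0-9]{6})-?(\d{2})-?([A-Z])-?([A-Z0-9]{4})\b")

# Constructed watch-list of terms a facility would not want on a commercial
# purchase order; a real list would come from the program security office.
KEYWORDS = ("F-35", "JSF", "Joint Strike Fighter", "low observable",
            "radar cross section")


def find_indicators(text):
    """Return (kind, match) pairs for every acquisition indicator in text."""
    hits = [("contract_number", m.group(0)) for m in PIIN_RE.finditer(text)]
    for kw in KEYWORDS:
        # Whole-term match, case-insensitive, so "jsf" and "JSF" both count.
        if re.search(r"(?<!\w)" + re.escape(kw) + r"(?!\w)", text, re.IGNORECASE):
            hits.append(("keyword", kw))
    return hits


def review_purchase_order(po):
    """Blind-buy gate: return (ok, hits). ok is True only when nothing
    on the order ties it to a government contract or a weapon program."""
    hits = find_indicators(po["reference"]) + find_indicators(po["description"])
    return (not hits, hits)


# A blind buy: internal PO number, generic part description.
BLIND_PO = {
    "reference": "PO-2019-0422",
    "description": "titanium fasteners, qty 500, per drawing RBP-4471-A",
}

# Same buy written the way the post warns against: the real contract
# number and the program name are on the order.
LEAKY_PO = {
    "reference": "N00019-18-C-1037",
    "description": "F-35 canopy coating, qty 500",
}

if __name__ == "__main__":
    for name, po in (("blind", BLIND_PO), ("leaky", LEAKY_PO)):
        ok, hits = review_purchase_order(po)
        print(name, "OK" if ok else "HOLD", hits)
```

The same `find_indicators` check can be applied to outbound email subject and body text before release, which is the second bullet's point.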

It is clear that actors in China were able to build profiles on the acquisition of the stealth fighter. This profile building allowed for the stealing of technology through many attack vectors on the cyber and operator fronts. There are acquisition and programmatic activities that should be implemented to reduce the ability of a malicious actor to build a targeting profile on the organization and its trusted insiders.

Train your employees on the Insider Threat with a downloadable presentation

Did you know that we can personalize NISPOM and ITAR for your employees? Just order your copy from Red Bike Publishing and email a dedication page. A perfect gift to keep your cleared employees informed.
