
Nation-state Cyber Attackers aiming at the US Defense Industrial Base

Pres. Biden calls for strengthening cyber defenses with Zero Trust architecture

President Biden’s recent statement on our nation’s cybersecurity highlighted intelligence indicating that “the Russian Government is exploring options for potential cyberattacks” on US targets. While this most recent threat is seen as potential retaliation for the economic sanctions the United States and its allies have imposed on Russia for its invasion of Ukraine, the threat of Russian-backed cyberattacks is nothing new. Indeed, as Biden’s statement put it, cyberattacks are “part of Russia’s playbook.”
 
In early 2020, for example, hackers connected to the Russian foreign intelligence service, the SVR, were identified as perpetrators of the massive SolarWinds cyberattack. The Russians were able to penetrate several US federal agencies, including the Treasury, Justice and Energy departments, the Pentagon, and even the Cybersecurity and Infrastructure Security Agency (CISA). Experts estimated that the hackers had been roaming undetected in these networks—as well as those of several large private US companies—for at least nine months. The SVR was gathering intelligence or laying the groundwork for future attacks, or both.
 

 
We know that Russia’s ability to disrupt US networks and steal sensitive data is only getting more powerful. If your organization does work for the Department of Defense (DoD), there’s no question that the Controlled Unclassified Information (CUI) you’re responsible for is a target too. That’s as true for prime contractors as it is for smaller suppliers far down the supply chain. In fact, DoD officials have noted that supply chain vulnerabilities are most prevalent six or seven levels down from prime contractors. Simply put, cybercriminals know that prime defense contractors are well protected, and save themselves time and effort by going after their subcontractors.
 
Moreover, Russia isn’t the only state actor conducting sophisticated cyberattacks against US targets. China, Iran, North Korea and others are in the arena too.

Defending with Zero Trust architecture

It comes as no surprise that the Biden administration is focused on strengthening US cyber defenses. In a May 2021 Executive Order, Improving our Nation’s Cybersecurity, President Biden called for the Federal Government to implement security best practices and to quickly lay out specific plans toward adopting Zero Trust architecture.
 
The National Security Agency (NSA) describes Zero Trust as a security model that “eliminates trust in any one element, node, or service” and “assumes that a breach is inevitable or likely has already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity.”
 
 
This is in contrast to, as the NSA explains: “Traditional perimeter-based network defenses with multiple layers of disjointed security technologies [that] have proven themselves to be unable to meet the cybersecurity needs due to the current threat environment.”
 
Zero Trust’s greatest advantage lies in its integrated, system-wide, security-first approach. When securing your organization’s data is paramount, compliance with federal regulations designed to protect CUI—including DFARS, NIST and CMMC—is less complex and far more readily achievable.

Implementing Zero Trust through Compliance: The US State Department’s ITAR model

The DoD is intent on upgrading cybersecurity throughout the DIB via key regulatory frameworks that your organization needs to abide by. These include NIST SP 800-171, developed by the National Institute of Standards and Technology (NIST) specifically to protect CUI, and the Cybersecurity Maturity Model Certification (CMMC) framework, among others.
 
While neither NIST nor CMMC mandates a Zero Trust security model, the good news is that properly designed Zero Trust systems meet DoD mandates for securing CUI exceptionally well.
 
In fact, the State Department has led the way in incorporating Zero Trust principles into compliance frameworks. Its 2020 revisions to the International Traffic in Arms Regulations (ITAR) allow contractors to simplify their ITAR compliance by taking advantage of technological advances that implement Zero Trust and enable the secure exchange of defense-related technical data in the cloud. Specifically:

  • The technical data must be end-to-end encrypted using FIPS 140-2 validated encryption methods, and
  • No cloud services provider (CSP) may be trusted with access to keys, network access codes, or passwords that enable decryption.

The elegance of the new ITAR regulation lies in the fact that defense contractors have a simple and clear two-point compliance mandate to follow, and the mandate’s Zero Trust principles deliver some of the highest levels of data security possible. Furthermore, modern cloud-based Zero Trust systems are often simpler and less expensive for companies to adopt, so the ITAR regulation accomplishes the key objectives of both security and rapid adoption particularly well.
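The two ITAR points above (end-to-end encryption, and a provider that never holds keys, access codes or passwords) can be shown concretely. The following Go program is an added example written for this page; it is not PreVeil's code and not part of the regulation. It assumes a hypothetical in-memory `CloudStore` standing in for the CSP and a hypothetical `Client` on the contractor side that generates an AES-256-GCM key and never hands it out. Go's standard-library AES-GCM is used for illustration only; it is not itself a FIPS 140-2 validated module, which the regulation requires in production. The document id is bound as associated data so that a blob moved under another id, a modified blob, or a different client's key all fail to decrypt.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// CloudStore stands in for the cloud services provider (CSP): it only ever
// receives opaque blobs and is never given a key, so it cannot decrypt them.
// (Hypothetical type for this example.)
type CloudStore struct{ blobs map[string][]byte }

func NewCloudStore() *CloudStore { return &CloudStore{blobs: map[string][]byte{}} }

// Put stores a copy of blob under id; Get returns a copy, or false if absent.
func (s *CloudStore) Put(id string, blob []byte) { s.blobs[id] = append([]byte(nil), blob...) }

func (s *CloudStore) Get(id string) ([]byte, bool) {
	b, ok := s.blobs[id]
	return append([]byte(nil), b...), ok
}

// Client is the contractor's side. The AES-256-GCM key is generated here
// and never leaves the process; the CSP only sees what Seal produces.
type Client struct{ aead cipher.AEAD }

func NewClient() (*Client, error) {
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Client{aead: g}, nil
}

// Seal encrypts plaintext with AES-GCM. The document id is bound as
// associated data, so a blob moved under another id fails to open.
// Output layout: nonce || ciphertext+tag.
func (c *Client) Seal(docID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, c.aead.Seal(nil, nonce, plaintext, []byte(docID))...), nil
}

// Open reverses Seal; any change to the blob, a wrong key or a mismatched
// docID makes the GCM tag check fail and returns an error.
func (c *Client) Open(docID string, blob []byte) ([]byte, error) {
	n := c.aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	return c.aead.Open(nil, blob[:n], blob[n:], []byte(docID))
}

// Upload encrypts on the client and hands only ciphertext to the CSP.
func Upload(c *Client, s *CloudStore, docID string, plaintext []byte) error {
	blob, err := c.Seal(docID, plaintext)
	if err != nil {
		return err
	}
	s.Put(docID, blob)
	return nil
}

// Download fetches the blob from the CSP and decrypts it on the client.
func Download(c *Client, s *CloudStore, docID string) ([]byte, error) {
	blob, ok := s.Get(docID)
	if !ok {
		return nil, fmt.Errorf("no such document: %s", docID)
	}
	return c.Open(docID, blob)
}

// CSPCanReadPlaintext reports whether the stored blob exposes the plaintext
// byte-for-byte; with end-to-end encryption in place this is always false.
func CSPCanReadPlaintext(s *CloudStore, docID string, plaintext []byte) bool {
	blob, ok := s.Get(docID)
	return ok && bytes.Contains(blob, plaintext)
}

func main() {
	client, err := NewClient()
	if err != nil {
		panic(err)
	}
	store := NewCloudStore()
	// Constructed sample standing in for an export-controlled technical data file.
	data := []byte("constructed sample: drawing rev C, export-controlled")
	if err := Upload(client, store, "doc-001", data); err != nil {
		panic(err)
	}
	fmt.Println("CSP can read plaintext:", CSPCanReadPlaintext(store, "doc-001", data))
	got, err := Download(client, store, "doc-001")
	fmt.Printf("client recovered %q (err=%v)\n", got, err)
}
```

The design point is that `CloudStore` has no method that could ever return plaintext: decryption exists only on `Client`, which is the property the second ITAR bullet describes. Binding the document id as associated data is an extra check the regulation does not require, but it means a provider-side mix-up of stored objects is detected by the contractor rather than silently decrypted.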

Extending the Zero Trust model to supporting NIST and CMMC compliance

The ITAR regulation offers a compelling model for significantly greater adoption of Zero Trust. Nearly 80,000 defense contractors that handle CUI vital to national security are currently embarking on significant security upgrades to comply with the DoD’s CMMC 2.0 and NIST SP 800-171 requirements. CMMC 2.0 and NIST SP 800-171 are closely aligned—both require contractors to meet the same 110 security controls specified in NIST SP 800-171.
 
Contractors that handle CUI have been required to comply with NIST SP 800-171 as part of their DFARS contract obligations since 2017, and to report their NIST SP 800-171 assessment scores to the DoD’s Supplier Performance Risk System (SPRS) since 2020. Under CMMC 2.0, they will have to demonstrate compliance via third-party audits. As with ITAR, the NIST SP 800-171 and CMMC requirements can be particularly well addressed by Zero Trust systems based on end-to-end encryption. That means we have a timely opportunity now to significantly expand adoption of Zero Trust security.
 
PreVeil is an example of a communications platform grounded in Zero Trust architecture. Its end-to-end encryption is FIPS 140-2 validated. And it meets all applicable standards for cloud systems used to handle ITAR or CUI: PreVeil is FedRAMP Baseline Moderate Equivalent, and stores all ITAR and CUI encrypted data on Amazon Web Services (AWS) GovCloud, which is assessed at FedRAMP High. Neither PreVeil nor Amazon has access to keys, network access codes, or passwords to decrypt your data, ever.
 
PreVeil’s Zero Trust platform supports 84 of NIST SP 800-171’s 110 security controls. It’s easily deployed as an overlay to environments such as Microsoft O365 Commercial Email and OneDrive or Google Workspace. That’s done without business disruption or the need to rip and replace existing servers, which makes it affordable. A defense contractor using PreVeil to protect CUI recently achieved a 110/110 NIST SP 800-171 score in a rigorous DoD audit, convincingly demonstrating that Zero Trust security leads directly to achieving compliance. And that, in turn, will help your organization meet Pres. Biden’s call to action to defend our nation’s CUI against the very real threats of nation-state backed cyberattacks.

 