Earlier this week, The Washington Post reported that US Customs and Border Protection (CBP) suffered a data breach involving hackers gaining access to photos of people’s faces and license plates at a border entry port. The attackers targeted a third-party subcontractor, which had been storing the sensitive files over its own network. The subcontractor’s network was subsequently compromised by a malicious cyber-attack.
I was not surprised to read this, as all government agencies are at high risk of data breach through their third-party contractors, writes Jake Olcott, VP Government Affairs at BitSight.
Government agencies have been spending so much time focused on protecting their own networks that they’ve virtually ignored the evolving threat landscape. But understanding and managing cyber risk to the federal government contractor base has never been more critical.
The federal government relies on tens of thousands of contractors and subcontractors who provide critical services, hold or maintain sensitive data, deliver technology, and perform key functions. But these organisations are increasingly under cyber-attack. In fact, a growing list of contractors and subcontractors have disclosed that they have been victims of data breaches resulting in the compromise of sensitive government information. In response, US federal agencies have expanded or are considering expanding cybersecurity requirements for their contractor base and adopting best practices for evaluating and monitoring those entities.
The first step in this process is to gain visibility into the security posture of critical third-party contractors, but at the moment this isn’t happening. I say this because last year, BitSight published a report highlighting a significant discrepancy between the cybersecurity performance of federal agencies and their contractors.
To undertake the study, BitSight researchers took a random sample of over 1,200 US federal government contractors across various industries: Aerospace/Defence, Business Services, Healthcare/Wellness, Engineering, Technology, and Manufacturing. The cybersecurity performance of these contractors was compared with the performance of over 120 US federal agencies.
What we found was that a security performance gap exists between the US federal government and its contractor base. For example, the mean BitSight Security Rating for federal agencies was at least 15 points higher than the mean of any contractor sector. What we also discovered through the survey was that:
- Over 8% of Healthcare/Wellness contractors have disclosed a data breach since January 2016; Aerospace/Defence firms had the next highest breach disclosure rate at 5.6%.
- While the federal government has made a concerted effort to fight botnets in recent months, botnet infections are prevalent amongst the government contractor base, particularly for Healthcare/Wellness and Manufacturing contractors.
- Many contractors are not following best practices for network encryption and email security: nearly 50% of contractors have a BitSight grade below C for the Protective Technology subcategory of the NIST Cybersecurity Framework.
- Nearly one in five users at Technology and Aerospace/Defence contractors have an outdated internet browser, making these organisations highly susceptible to new variants of malware.
Clearly, federal agencies, US government contractors and subcontractors need to make third-party cyber risk management a key priority, otherwise they could be the cause of significant government data losses. Federal agencies must ensure that their contractors are protecting the sensitive government data with which they have been entrusted. Political, technology, and civil service leaders within an agency must all be involved in addressing this risk.
I would also encourage federal agencies to adopt robust commercial practices for third-party risk management, including cyber diligence and continuous monitoring. To do this, agencies should consider methods that have gained widespread adoption in the commercial sector, including performing cybersecurity diligence on contractors and subcontractors prior to entering into a business relationship and continuously monitoring the security posture of these organisations during the lifetime of the relationship.
These methods should include collecting quantitative, objective performance measurements rather than relying exclusively on tick-box questionnaires. Adopting these methods will enable the US government to close the cybersecurity performance gap with its contractors and reduce the likelihood and severity of data breaches, outages, or other cyber events involving third parties. And finally, they shouldn’t neglect the risk posed by technology service and cloud providers: a severe disruption affecting technology service providers could have a widespread impact on government contractors and subcontractors.