The news that Japan's top defense contractor and weapons maker, Mitsubishi Heavy Industries, fell victim to cyber attacks in August is likely to increase the pressure to improve information system security from Tokyo to the Pentagon and every government contractor, outside vendor, and supplier in between. As pointed out in the Reuters report, the Japanese contractor–commonly referred to as Mitsubishi Heavy or MHI–builds a lot of stuff for the U.S. military, including F-15 fighter jets and Patriot missiles. The company is also involved in the development of a ship-launched surface-to-air missile for the U.S. ballistic missile shield.
To me this is a good example of apparently separate trends colliding, for example "globalization meets targeted malware." Mitsubishi Heavy has admitted that more than 80 of its servers and computers were found to be infected with viruses (see BBC New video and BBC News report). For a company working on such sensitive projects, that is an alarming number. Clearly, the outsourcing of product development and manufacturing in defense and other industries has increased the number of potential entry points for malware. In keeping with defense industry tradition, this vector of attack against a country's military secrets deserves an acronym. I'm thinking COVS for Contractor, Outside Vendor or Supplier. That would be pronounced "coves" (rhymes with treasure troves).
A further trend collision I see in the news out of MHI is "cybersecurity meets human nature." One of the attack vectors in this case appears to be spear phishing, the use of malicious email targeted at specific individuals or organizations in order to trick them into revealing passwords or visiting infectious websites (see SC Magazine).
This particular type of attack is very difficult to prevent using technology alone. Most of us have been tempted to click on a link in email without verifying if the link is legitimate. That is why user education and ongoing awareness training are needed to prevent people falling for phishing attacks (a fact that ESET has addressed by adding a training component to the latest versions of its security products).
The next trend collision I see in the Mitsubishi Heavy story is "security policy meets outsourcing." The economic benefits and efficiencies of outsourcing can be considerable, but no organization can ensure the secrecy of its sensitive data if it shares that data with contractors who are not equipped to secure it. In this context "equipped" means adequate information protection policies are in place, and are enforced, and are supported by appropriate employee training. Of course, those policies include the imposition of similar standards on the contractor's sub-contractors, and so on, all the way down any lines of communication which, if compromised, could provide access to the good stuff, the data that is confidential and needs to stay that way.
One more collision of trends occurs to me in this case: incident response versus human nature. For whatever reason, Mitsubishi Heavy did not inform its customer, the Japanese ministry of defense, about the breach before said customer saw it reported in the news. Obviously this is not the best way to respond to a serious security incident, but it is not hard to imagine events unfolding in this manner. In a crisis of this kind we are all buffeted by factors like ego, fear, and pride. Reluctance to acknowledge our mistakes, and fear of the consequences of having made them, are natural human reactions. It takes discipline, backed by a plan, to overcome these obstacles to doing the right thing.
Sadly, I fear there are too many COVS serving the defense industry who have failed to think through what they should do when they find malicious programs on their servers trying to "phone home" the secrets they have found.
Author Stephen Cobb, We Live Security