As national critical infrastructure and private industry alike have increasingly been targeted by hackers in recent years, it has become clear that nothing is safe from savvy and motivated threat actors. As a result, the U.S. Department of Defense (DoD) has begun rolling out the Cybersecurity Maturity Model Certification (CMMC) to help standardize cybersecurity processes for defense contractors and other vendors working with the DoD. Why is this process necessary? Look no further than the 2007 theft of sensitive technical documents related to the development of the F-35 Lightning II strike fighter jet by the Chinese.
In early 2015, German publication Der Spiegel published a tranche of documents provided to them by former National Security Agency (NSA) contractor Edward Snowden. Snowden was a computer intelligence consultant who leaked extremely sensitive and highly classified information about the NSA to various publications like The Washington Post and the Guardian. These documents confirmed something that was long suspected — that the similarities between China’s advanced J-31 stealth fighter and the U.S.’s F-35 were more than coincidental.
Experts in the aviation field had long argued that the J-31 was heavily influenced by the F-35. Snowden’s documents were the first confirmation that this was the result of a data breach of a Lockheed Martin subcontractor that allowed the Chinese access to top secret data on the F-35. According to The Diplomat, China’s espionage efforts, part on a long-running campaign, were focused on acquiring the radar design (the number and types of modules) and detailed engine schematics (methods for cooling gases, leading and trailing edge treatments and aft deck heating contour maps), among other things.
These sorts of attacks on supply chains, where criminal actors infiltrate a vendor to gain access to its affiliated companies, are becoming more and more common and can be extremely damaging. The SolarWinds attack that impacted government agencies and private industry was a high-profile supply chain attack, and the recent hit on software provider Kaseya, possibly the largest ransomware attack in history, used similar principles.
“The CMMC is necessary because the United States and the U.S. industry are really losing intellectual property to adversaries and competitors at an insane rate,” said Ryan Heidorn, co-founder and managing partner at Steel Root, a national leader in helping U.S. government and defense contractors meet cybersecurity and compliance requirements. “From the Department of Defense’s perspective, our adversaries — Russia, China, etc. — are literally walking out the door with billions of dollars of in intellectual property (IP) and sensitive info. These hackers, if you will, for lack of a better term, they’ve been able to go after these easy targets in the supply chain. So they’re not necessarily just going after large primes like Raytheon and Lockheed; they’re going after small machine shops and part suppliers. These are companies that, generally speaking, probably don’t have a really sophisticated cybersecurity practice. And yet if you’re doing work on a DoD contract, you could be handling really sensitive drawings or contract info or other sensitive info that maybe isn’t classified, but the government still needs to protect it.
“That’s why if you look at things like China’s J-31 stealth fighter, it looks an awful lot like our F-35. And that’s because they literally stole the designs. We have way too many examples of this, even public examples.”
Lockheed Martin’s F-35 is one of the most advanced (and expensive, at a development cost of around $400 billion) aircrafts ever produced, so the theft of its specs and technical details was especially galling. The F-35 has been called a “flying computer” for its advanced, long-range sensors that can detect and target enemy aircraft before it’s even seen or detected. A since-declassified 2014 U.S.-China Economic and Security Review Commission Congressional report cites a Defense Science Board finding that Chinese cyberattacks resulted in the theft of a range of U.S. weapons systems — including the F-35.
“When I talk on the subject, one of my favorite quotes comes from Ron Ross at NIST (National Institute of Standards and Technology),” Heidorn said. “He puts it really bluntly. He says, ‘We’re literally hemorrhaging critical information.’ CMMC is necessary because it’s aimed at stopping that that bleeding, so to speak.”
The Chinese and other adversaries have a long history of attempting to steal weapons and aviation technology. As recently as 2017, Chinese hackers breached Australian F-35 defense contractors to get more information on the advanced fighter jet. While it’s impossible to know whether the CMMC could have prevented these types of thefts, it does mandate a series of cybersecurity best practices to restrict the flow of classified information and to ensure that DoD contractors can keep it secure. Still, much of what’s in the CMMC is nothing new.
“Pretty much any company out there that’s on a DoD supply chain, in some way or fashion probably, has language in their contracts today that’s requiring them to implement these security requirements,” Heidorn said. “There are a lot of these requirements out there. They’ve existed for a number of years. What’s a game-changer and why contractors need to pay attention is that essentially CMMC is a kind of enforcement mechanism. Whereas in the past, you may have had these requirements and had a way to say, ‘Yeah, yeah, yeah, we’re compliant because we understand the requirements are there, and we’ve got a plan to do something about them.’ That worked in the past, but the problem was that people kept kicking the can down the road indefinitely and operating business as usual. CMMC is basically saying, ‘Nope, you need to implement all of these requirements, you’re going to get assessed and certified, and you’re going to have to be certified before you can be awarded a contract if you’re doing business with the DOD.”
As cyberattacks continue to escalate and become more damaging, it’s essential that both government agencies and private industry take the details of cybersecurity seriously to close the gaps and decrease threat, especially when working on sensitive, DoD-related projects like the F-35.