A recent breach affecting over 225,000 UK military personnel has shed light on the security risks associated with external contractors working with defense entities worldwide. The breach, which came to light just this week, exposed sensitive data such as names, bank account details, and other information of current, former, and reserve members of the British Army, Naval Service, and Royal Air Force. This incident highlights the critical need for robust cybersecurity measures in the defense sector, especially when outsourcing certain services to external parties.
The external contractor responsible for this breach has been identified as Shared Services Connected Ltd, a company handling payroll services for the UK Ministry of Defence (MoD). According to reports by the BBC and other UK media outlets, the breached payroll system contained information on military personnel dating back several years. The UK’s Secretary of State for Defence, Grant Shapps, described the attack as the work of a “malign actor” with potential nation-state backing. While speculation has pointed to China as a likely suspect, Shapps refrained from attributing the attack to any specific entity, instead emphasizing the need for the third-party contractor to enhance its security measures.
This incident is not the first time an external contractor has been responsible for exposing sensitive data related to the UK military. In August last year, the LockBit ransomware gang managed to steal data from Zaun, a company providing mesh-fencing services for UK military facilities. While the company claimed that no classified information or military secrets were compromised, the incident underscored the vulnerabilities associated with outsourcing critical services to external parties.
The risks posed by external contractors in the defense sector extend beyond the UK, with similar incidents reported in the US as well. In one instance, a threat actor deployed a novel backdoor named PowerDrop on systems belonging to a US defense contractor, highlighting the global nature of these security challenges. Eric Noonan, CEO of CyberSheath, emphasized the attractiveness of third-party contractors as targets for cyberattacks due to lapses in implementing essential security measures. According to research conducted by CyberSheath, a high percentage of defense contractors lack basic cybersecurity controls, putting the entire supply chain at risk.
The need for mandatory minimum cybersecurity standards in industries like defense has become increasingly apparent. Noonan insists that regulation is necessary to ensure that private companies operating in critical sectors make the required investments in cybersecurity. Stephen Gates, principal security SME at Horizon3.ai, echoes this sentiment, emphasizing the importance of continuous cyber risk assessments of third-party suppliers to limit the risk those suppliers transfer to the organizations they serve.
Initiatives such as the US Navy’s realistic cyber assessments and the Cyber Operational Readiness Assessment (CORA) program from the US DoD are aimed at enhancing cybersecurity measures and ensuring the resilience of critical infrastructure sectors against cyber threats. As organizations grapple with the evolving cyber risk landscape, the implementation of stringent cybersecurity standards for external contractors is imperative to safeguard sensitive data and protect national security interests.
