Informing your prime contractor about a cybersecurity incident is like a visit to the doctor’s office: Even if you feel embarrassed by the symptoms, there’s no reason to hide the problem.
Manufacturing firms that are suppliers to prime contractors have an obligation to be upfront about cyber attacks for contractual as well as operational and financial reasons: A single breach anywhere in the supply chain can affect other companies, including the prime contractor.
This means keeping quiet is not an option.
“Whenever you’re caught short, the natural instinct is to try and hide what happened and deal with it in a manner that precludes discovery,” said Michael Tanji, director of cybersecurity for MxD, the National Center for Cybersecurity in Manufacturing as designated by the U.S. Department of Defense. “Not only is that an old-fashioned attitude that no security person takes seriously, but a review of your contract probably indicates that you don’t have a choice.”
Tanji said that for government work in particular, most prime contractors have a “flow down” obligation. In other words, whatever federal rules the prime must follow also apply to members of its supply chain. “If you lose data that belongs to the prime, you are legally and contractually required to tell them,” he said.
In this interview, Tanji offers cybersecurity guidance to suppliers on managing prime contractor relationships. It has been edited for space.
Beyond legal requirements, why is it important to notify the prime contractor about an incident?
Michael Tanji: No one likes to be named and shamed. Twenty years ago, getting hacked was something that inevitably led to people blaming the victim. But those days are long gone. Unless it is a clear-cut case of negligence on the part of the victim, no serious person thinks that way anymore.
There is a difference between being discreet and covering up an incident. We can all agree that the less negative publicity you suffer, the better. But hiding what happened prevents partners, suppliers, and others from knowing if they’ve been compromised, which allows malicious activity to spread farther than it otherwise would.
Reporting provides data and context that can be analyzed and reported on so that others can avoid falling victim as well. The more people know, the more attention they can pay to their defenses, and the better chance we have of stopping malicious activity.
What’s the likelihood a supplier will experience an incident?
M.T.: The common refrain you hear is “not if, but when,” and that’s true, even if it sounds overly broad. Manufacturing is the most-targeted industry for cyberattacks worldwide. Statistics from last year show that nearly 30% of companies reported an increase in attacks on their supply chains.
It may seem counterintuitive, but smaller suppliers are actually better targets from an attacker’s perspective. They’re the least protected but have trust relationships that go up the supply chain; these can be exploited to gain access to more sensitive (and valuable) data.
In short: The attacks are coming. The only thing you have control over is how severe the impact will be.
Please define ‘cybersecurity incident.’ What magnitude should it be before it’s reported to the prime?
M.T.: People will talk about being attacked “millions of times a day.” Technically speaking, if you go out into the sunshine you’re being irradiated, but it’s not the same as juggling the fuel rods in a nuclear power plant.
Your network might get scanned multiple times a day, but a scan isn’t an attack. It might be a precursor to one, but until you see such action, it’s noise. What you want to look for is an actual compromise of policy (privilege escalation), a defensive mechanism (such as antivirus) being bypassed, or an action by your staff based on a falsehood (business email compromise).
The other success factor to consider beyond the technical is whether the incident is “material,” or how much financial or operational damage is involved. If you lose a lot of money as a result of malicious activity, that’s material. If you have to shut down for some period of time and that affects revenue, that’s material. Material events, especially if you’re publicly traded, must be reported.
What information does the prime need first?
M.T.: If your contract with a prime doesn’t spell out exactly what to provide in case of an incident, that’s OK. Generally speaking, you should cover the “who, what, when, where, and how.” For example:
- Discovery Date: When did you first notice something was wrong?
- Impact: Is your production down? Was any of the prime’s data stolen?
- Containment: Have you stopped the bleeding? (for example, “We disconnected the infected system.”)
- Perpetrator: If it is a malware infection, which one? If it is a ransomware attack, which one? If it is some other type of attack, are there any clues that speak to who is behind it, what language they use, or some other identifying characteristic?
- Point of Contact: Who is the one person the prime should call for updates?
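As an added example (not from MxD or the interview), the following script applies the triage rule above, where a scan is noise but privilege escalation, a bypassed defensive control, or business email compromise is a compromise, to a few constructed events, and then assembles the initial notification fields just listed and flags any that were left blank. The event category names and sample hosts are assumptions, not a real telemetry format.

```python
"""Triage constructed events (scan = noise; privilege escalation, control
bypass, BEC = incident) and build the initial notification for the prime.
Added example; not code from MxD or the interview."""
from dataclasses import dataclass, field, asdict

# Categories the interview describes as an actual compromise, not noise.
INCIDENT_CATEGORIES = {"privilege_escalation", "control_bypass", "bec"}

# Constructed sample telemetry; the 'category' field is an assumed normalisation.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T02:14:00Z", "category": "port_scan",
     "host": "fw-edge", "detail": "2,300 SYN probes from one source"},
    {"ts": "2024-03-01T09:41:00Z", "category": "control_bypass",
     "host": "cnc-ws07", "detail": "endpoint AV service stopped by unsigned binary"},
    {"ts": "2024-03-01T09:47:00Z", "category": "privilege_escalation",
     "host": "cnc-ws07", "detail": "local user added to Administrators"},
]


def reportable(events):
    """Keep only events that are compromises; scans are discarded as noise."""
    return [e for e in events if e["category"] in INCIDENT_CATEGORIES]


@dataclass
class InitialNotification:
    """The 'who, what, when, where, how' fields the prime needs first."""
    discovery_date: str        # earliest reportable event seen
    impact: str                # production down? prime's data stolen?
    containment: str           # what was done to stop the bleeding
    perpetrator: str           # malware/ransomware family or other clues
    point_of_contact: str      # single person the prime should call
    affected_hosts: list = field(default_factory=list)

    def missing_fields(self):
        """Names of fields still blank, to fill before sending."""
        return [k for k, v in asdict(self).items() if v in ("", None, [])]


def build_notification(events, impact, containment, perpetrator, poc):
    """Return the notification, or None when nothing rises above noise."""
    inc = reportable(events)
    if not inc:
        return None
    return InitialNotification(
        discovery_date=min(e["ts"] for e in inc),
        impact=impact, containment=containment,
        perpetrator=perpetrator, point_of_contact=poc,
        affected_hosts=sorted({e["host"] for e in inc}),
    )
```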
What comes afterward?
M.T.: Follow-on questions will come. It’s best to either have these discussions telephonically, or via a secure messaging tool such as Signal that is separate from an infected or potentially infected system. A sufficiently skilled attacker will gain access to and monitor email conversations.
Incident response takes time, so make sure everyone involved understands the timelines and levels of detail that are required. Victims have enough going on minute by minute; they don’t need to be micro-managed, regardless of the contractual relationship that might be in place.