AMERICAN SECURITY AND THE CYBERSECURITY MATURITY MODEL CERTIFICATION
A Look at 2020 and Why CMMC is a necessity for National Defense
By Ken Michael
With the world focused on the global COVID-19 pandemic in 2020 and so many people turning to remote work, cybersecurity became more imperative than ever before. Even with the increased awareness regarding cybersecurity in 2020, there were still a multitude of attacks against businesses and governments around the world that left many reeling. There is hope though of thwarting future attacks with the implementation of the new Cybersecurity Maturity Model Certification (CMMC).
U.S. & Worldwide Cyber Attacks
Cyberattacks around the world continued to climb in 2020 despite the global pandemic that kept so many people isolated at home. According to the Center for Strategic and International Studies (CSIS), Chinese hackers launched a broad-ranging cyber espionage campaign targeting more than 75 organizations globally in industries from media and healthcare to manufacturing and nonprofits starting in March 2020.
Just a month later in April 2020, as the World Health Organization (WHO) was focused on battling COVID-19, government-backed Iranian hackers attempted to break into the accounts of WHO staff. Also in April 2020, Chinese hackers one again launched attacks against healthcare providers including the U.S. Department of Health and Human Services as the pandemic continued.
By May, Japan’s auto manufacturer, Mitsubishi Electric, along with operations at an Iranian port, had been attacked. Science and technology ministries, government-owned companies, and foreign affairs ministries across Australia, Indonesia, and Vietnam, and several other nations have been targeted by a suspected Palestinian Liberation Army (PLA) hacking group.
The United Kingdom’s airline group EasyJet saw the travel records of nine million customers accessed by Chinese hackers. In the same month, cyber criminals stole $10 million from Norway’s state investment fund and German officials found a Russian hacking group associated with the FSB had compromised network of energy, water and power companies. In May 2020, hackers linked to the Chinese government were accused of trying to steal American Coronavirus research by U.S. Officials.
In July, President Donald Trump confirmed that he directly authorized a 2019 operation by U.S. Cyber Command to take the Russian Internet Research Agency offline. The media also reported that in 2018, the president had authorized the Central Intelligence Agency (CIA) to conduct cyber operations against Russia, China, North Korea, and Iran which include the leaking of information to the public. The U.K. also announced Russia has attempted to interfere with its 2019 general election by stealing and leaking documents associated with the U.K.-U.S. Free Trade Agreement.
September started with Georgian officials announcing one of its biomedical research facilities was targeted by cyberespionage for its COVID-19 research. Also in September, the Cybersecurity & Infrastructure Security Agency (CISA) and U.S. Federal Bureau of Investigation (FBI) announced Iranian hackers had been exploiting publicly known vulnerabilities to target the government sector and industries including healthcare, finance, IT, and even the media.
The U.S. Department of Justice also indicted five Chinese hackers with ties to Chinese intelligence service for attacks against more than 100 organizations in America. Sadly, a patient seeking treatment at a German hospital was redirected to a more distant hospital for treatment due to a ransomware attack. That patient later died and the attack could have contributed to the death.
A Cyberattack Winter
By October 2020, U.S. government officials had revealed suspected Chinese hackers were behind a series of attacks on entities in Russia, India, Ukraine, and several others. The U.S. Department of Homeland Security revealed hackers had targeted the U.S. Census Bureau in attempt to collect data, compromise the census infrastructure, and conduct denial-of-service (DoS) attacks. Both Microsoft and U.S. Cyber Command took measures to stop a Russian botnet prior to the U.S. election.
The FBI and CISA announced a Russian hacking group breached U.S. state and local government networks from which data was stolen. That attack also included aviation networks. The FBI, CISA, and U.S. Cyber Command jointly announced a hacking group based in North Korea had conducted a cyber espionage campaign against government think tanks and other government agencies within the U.S. and other nations to collect intelligence regarding national security issues, sanctions, and nuclear policies related to the Korean peninsula.
December spelled disaster for U.S. companies and government agencies. Just as the good news that vaccines were being injected into the arms of Americans, the U.S. was hit hard by a suspected Russian cyberattack that included several U.S. entities such as:
The U.S. Treasury
The U.S. National Telecommunications and Information Administration
The National Institutes of Health
The Cybersecurity and Infrastructure Agency
The Department of Homeland Security
The U.S. Department of State
The National Nuclear Security Administration
The U.S. Department of Energy
Several State and City Governments
Microsoft and Other Private Companies
Canada, Mexico, and Other Nations
The attack was so heinous, it has taken ongoing investigation and response that is ongoing to date according to The Lane Report.
Even billionaire businessman Warren Buffet addressed the issue of cybersecurity in 2017 as a larger threat to humanity than nuclear weapons during Berkshire Hathaway’s annual shareholder’s meeting that year.
“I’m very pessimistic on weapons of mass destruction generally although I don’t think that nuclear probably is quite as likely as either… biological and maybe cyber,” Buffet said during the 2017 shareholder’s meeting, according to Business Insider. “I don’t know that much about cyber, but I do think that’s the number one problem with mankind.”
Where CMMC Comes In
With the escalating proliferation of attacks against businesses and government agencies around the world, the U.S. government is working to ensure our nation’s security with the implementation of CMMC. This newer federal cybersecurity regulation requires U.S. military contractors and subcontractors to employ minimum digital and physical security measures. The CMMC requirements also extend to contractors and subcontractors working with the National Aeronautics and Space Administration (NASA) as well.
The CMMC requires transparency by vendors and manufacturers working with the U.S. government regarding their cyber risks and measures taken to prevent breaches. The CMMC requires higher security measures at each of the five levels of the CMMC model starting with the minimum measures at Level 1. While the cost to implement CMMC does lie with contractors and subcontractors, government representatives have said the cost of CMMC can be included in contract proposals.
According to the aforementioned piece by The Lane Report, President Joe Biden has proposed $10 billion in government funding to improve cybersecurity within U.S. government agencies. That funding would be earmarked for upgrading the federal IT infrastructure and security as well as address the recent breaches to government networks.
All of this work to research, develop, and implement the CMMC at the highest levels of the defense industrial base (DIB) through government contracts is meant to secure America’s physical and digital well-being. With the rollout of the CMMC, there is hope that the U.S. is moving toward a more secure future.
To learn more about the CMMC and its implications for manufacturing businesses and DoD contractors, contact Dox Electronics at (585) 473-7766.