A Look at 2020 and Why CMMC Is a Necessity for National Defense

By Ken Michael

With the world focused on the global COVID-19 pandemic in 2020 and so many people turning to remote work, cybersecurity became more imperative than ever before. Even with the increased awareness regarding cybersecurity in 2020, there were still a multitude of attacks against businesses and governments around the world that left many reeling. There is hope, though, of thwarting future attacks with the implementation of the new Cybersecurity Maturity Model Certification (CMMC).

U.S. & Worldwide Cyber Attacks

Cyberattacks around the world continued to climb in 2020 despite the global pandemic that kept so many people isolated at home. According to the Center for Strategic and International Studies (CSIS), Chinese hackers launched a broad-ranging cyber espionage campaign targeting more than 75 organizations globally in industries from media and healthcare to manufacturing and nonprofits starting in March 2020.

Just a month later in April 2020, as the World Health Organization (WHO) was focused on battling COVID-19, government-backed Iranian hackers attempted to break into the accounts of WHO staff. Also in April 2020, Chinese hackers once again launched attacks against healthcare providers, including the U.S. Department of Health and Human Services, as the pandemic continued.

By May, Japan’s auto manufacturer, Mitsubishi Electric, along with operations at an Iranian port, had been attacked. Science and technology ministries, government-owned companies, and foreign affairs ministries across Australia, Indonesia, Vietnam, and several other nations had been targeted by a suspected Palestinian Liberation Army (PLA) hacking group.

The United Kingdom’s airline group EasyJet saw the travel records of nine million customers accessed by Chinese hackers. In the same month, cyber criminals stole $10 million from Norway’s state investment fund, and German officials found that a Russian hacking group associated with the FSB had compromised the networks of energy, water and power companies. In May 2020, U.S. officials accused hackers linked to the Chinese government of trying to steal American coronavirus research.

Summer 2020 Hacks and Attacks

At least two defense firms in Central Europe were compromised in June 2020 by suspected North Korean hackers posing as representatives from U.S. defense contractors. North Korean state hackers also sent COVID-19-themed phishing emails to more than five million businesses around the world, including in the United States.

In July, President Donald Trump confirmed that he directly authorized a 2019 operation by U.S. Cyber Command to take the Russian Internet Research Agency offline. The media also reported that in 2018, the president had authorized the Central Intelligence Agency (CIA) to conduct cyber operations against Russia, China, North Korea, and Iran, including the leaking of information to the public. The U.K. also announced that Russia had attempted to interfere with its 2019 general election by stealing and leaking documents associated with the U.K.-U.S. Free Trade Agreement.

By late summer, seven semiconductor vendors in Taiwan found they had been targeted by Chinese state hackers as part of a two-year espionage campaign. In August 2020, an Iranian hacking group was found creating back doors to access major U.S. companies and government agencies by exploiting vulnerabilities in network equipment. Officials in the U.S. also announced North Korean government hackers were operating a campaign to steal money from ATMs around the globe.

More Trouble in the Fall

September started with Georgian officials announcing that one of the country’s biomedical research facilities was targeted by cyberespionage for its COVID-19 research. Also in September, the Cybersecurity & Infrastructure Security Agency (CISA) and U.S. Federal Bureau of Investigation (FBI) announced Iranian hackers had been exploiting publicly known vulnerabilities to target the government sector and industries including healthcare, finance, IT, and even the media.

The U.S. Department of Justice also indicted five Chinese hackers with ties to a Chinese intelligence service for attacks against more than 100 organizations in America. Sadly, a patient seeking treatment at a German hospital was redirected to a more distant hospital for treatment due to a ransomware attack. That patient later died, and the attack could have contributed to the death.

A Cyberattack Winter

By October 2020, U.S. government officials had revealed suspected Chinese hackers were behind a series of attacks on entities in Russia, India, Ukraine, and several other countries. The U.S. Department of Homeland Security revealed hackers had targeted the U.S. Census Bureau in an attempt to collect data, compromise the census infrastructure, and conduct denial-of-service (DoS) attacks. Both Microsoft and U.S. Cyber Command took measures to stop a Russian botnet prior to the U.S. election.

The FBI and CISA announced a Russian hacking group breached U.S. state and local government networks from which data was stolen. That attack also included aviation networks. The FBI, CISA, and U.S. Cyber Command jointly announced a hacking group based in North Korea had conducted a cyber espionage campaign against government think tanks and other government agencies within the U.S. and other nations to collect intelligence regarding national security issues, sanctions, and nuclear policies related to the Korean peninsula.

In November, one Russian and two North Korean hacking groups launched attacks against several companies conducting COVID-19 research for vaccines. A North Korean hacking group also engaged in software supply chain attacks against South Korean companies.

Attacks on the U.S. Government

December spelled disaster for U.S. companies and government agencies. Just as the good news arrived that vaccines were being injected into the arms of Americans, the U.S. was hit hard by a suspected Russian cyberattack that affected several entities, such as:
  • The U.S. Treasury
  • The U.S. National Telecommunications and Information Administration
  • The National Institutes of Health
  • The Cybersecurity and Infrastructure Agency
  • The Department of Homeland Security
  • The U.S. Department of State
  • The National Nuclear Security Administration
  • The U.S. Department of Energy
  • Several State and City Governments
  • Microsoft and Other Private Companies
  • Canada, Mexico, and Other Nations
The attack was so heinous that investigation and response are ongoing to date, according to The Lane Report.

Even billionaire businessman Warren Buffett described cybersecurity as a larger threat to humanity than nuclear weapons during Berkshire Hathaway’s annual shareholders’ meeting in 2017.
“I’m very pessimistic on weapons of mass destruction generally although I don’t think that nuclear probably is quite as likely as either… biological and maybe cyber,” Buffett said during the 2017 shareholders’ meeting, according to Business Insider. “I don’t know that much about cyber, but I do think that’s the number one problem with mankind.”

Where CMMC Comes In

With the escalating proliferation of attacks against businesses and government agencies around the world, the U.S. government is working to ensure our nation’s security with the implementation of CMMC. This newer federal cybersecurity regulation requires U.S. military contractors and subcontractors to employ minimum digital and physical security measures. The CMMC requirements also extend to contractors and subcontractors working with the National Aeronautics and Space Administration (NASA).

The ultimate goal is to keep U.S. military data, products, and weaponry away from the prying eyes of cybercriminals and state actors. With such information, enemies of the U.S. could create havoc, from shutting down our energy grid to using our own weaponry against us. The CMMC requirements weave together a number of previous security requirements from the National Institute of Standards and Technology Special Publication (NIST SP) 800-171, the Defense Federal Acquisition Regulation Supplement (DFARS), the International Traffic in Arms Regulations (ITAR), the Federal Acquisition Regulation (FAR), and others in order to achieve the best cybersecurity results for securing U.S. data, secrets, and products.

The CMMC requires transparency by vendors and manufacturers working with the U.S. government regarding their cyber risks and measures taken to prevent breaches. The CMMC requires higher security measures at each of the five levels of the CMMC model starting with the minimum measures at Level 1. While the cost to implement CMMC does lie with contractors and subcontractors, government representatives have said the cost of CMMC can be included in contract proposals.

According to the aforementioned piece by The Lane Report, President Joe Biden has proposed $10 billion in government funding to improve cybersecurity within U.S. government agencies. That funding would be earmarked for upgrading the federal IT infrastructure and security as well as addressing the recent breaches of government networks.

The CMMC framework is now being rolled out in a pilot program through contracts with the U.S. Department of Defense (DoD). The Pentagon is also conducting an internal review of the CMMC program to ensure it’s up to par for ensuring national security. The CMMC Accreditation Body (CMMC-AB) has also just named its first CEO, who took the helm as of April 1.

All of this work to research, develop, and implement the CMMC at the highest levels of the defense industrial base (DIB) through government contracts is meant to secure America’s physical and digital well-being. With the rollout of the CMMC, there is hope that the U.S. is moving toward a more secure future.

To learn more about the CMMC and its implications for manufacturing businesses and DoD contractors, contact Dox Electronics at (585) 473-7766.