US defence industries are facing relentless, sophisticated foreign attacks on their computer networks, a threat company leaders say poses a risk of significant damage and may require the government to take greater protective action.
Top US defence contractors speaking at the Reuters Aerospace and Defense Summit said many of the attacks appeared to be state-sponsored and came from multiple countries, but they declined to point a finger at any particular government.
“Every defence company is constantly under attack. If anybody tells you they’re not, it just means they don’t know,” said Northrop Grumman (NOC.N) Chief Executive Wes Bush. “It is a threat that is broad-based. It’s not just from one source … and it’s just unceasing.”
David Hess, the president of engine maker Pratt & Whitney, a unit of United Technologies Corp (UTX.N), said he suspected the attacks against his firm’s network were coming from “foreign countries” but “none that I’d like to mention.”
“I can say the attacks are sophisticated,” he added. “It’s not the result of some guy with sneakers in his cubicle hacking away at a computer screen.”
Linda Hudson, president of BAE Systems Inc, said attacks were “a very real daily threat to what we do and something we spend a lot of our own money on.”
The US government has become increasingly concerned about security in cyberspace. Deputy Defense Secretary William Lynn said in July that a foreign intelligence service stole 24,000 files from a US defence contractor earlier this year.
He revealed the theft as he unveiled a new Pentagon cybersecurity strategy that calls for cyberspace to be treated as an “operational domain” like air, land or sea where US forces will practice and prepare to defend against attack.
Lynn said a recent estimate pegged economic losses from the theft of intellectual property and information from government and commercial computers at more than US$1 trillion.
Lockheed Martin Corp Chief Executive Robert Stevens, whose company thwarted a serious cyberattack in late May, said incursions faced by defense industries are “very persistent.”
“They’re very frequent and they have varying levels of sophistication, but the sophistication seems to be getting greater,” he said. “The agility seems to be getting more adaptable, and the challenges are genuinely growing.”
To explore ways to cope with the problem, the Pentagon and Department of Homeland Security launched the Defense Industrial Base Cyber Pilot, a program for sharing classified and sensitive data about cyberattacks.
Lynn said in August the program, which initially involved about 20 volunteer companies, had already stopped hundreds of attempted intrusions and would be expanded in the coming months to the rest of the defense industrial base, as well as to companies involved in critical infrastructure.
Northrop’s Bush, whose company is one of several defense contractors involved in cybersecurity as a business, said he thought the Defense Department had been “very aggressively” addressing the issue of network security, making “a lot of good progress.”
“But on a broader national level, I think where we’re eventually going to need to end up, and this is something you often don’t hear from industry, but I think we probably need a little bit more of a regulatory perspective brought to this,” he said.
Bush said critical infrastructure industries, such as energy, are not set up like defense companies to deal with the threat of cyberattacks. And they are waiting on the sidelines, knowing they need to take action but not wanting to invest in security several times before getting the right solution, he said.
“How does the federal government help those, particularly the critical infrastructure industries, know that they’re doing the right things,” he questioned.
“No single company can solve this problem by themselves. So it’s a case, a natural opportunity, for the federal government to have a role in creating policies and approaches to help secure the cyber domain that we all depend on,” Bush said.
BAE Systems’ Hudson, whose company also offers cybersecurity services, said she didn’t see the need for regulation of top-tier defense contractors, which are already deeply involved in protecting their networks.
For small contractors or critical infrastructure, she said, “there’s been a lot of talk about requiring a certain level of support and security protection that in fact would generate a market for some of us who have those capabilities.”