Lockheed Martin: defence industry suppliers' security flaws exposed our systems to cyber attack

Out-Law News | 14 Nov 2012 | 3:41 pm | 2 min. read

A major supplier of security systems and technology within the defence industry in the UK and US has said that it has been subjected to increasingly frequent and sophisticated cyber attacks in recent years.

Lockheed Martin's chief information security officer, Chandra McMahon, said that about a fifth of the threats the company faces constitute "advanced persistent threats" where attackers are seeking to steal information or harm its operations, according to a report by Reuters news agency.

"The number of campaigns has increased dramatically over the last several years," McMahon said, according to the report. "The pace has picked up".

McMahon said that the company had fallen victim to a cyber attack in 2011 because of security flaws in the computer systems of two of its suppliers, including RSA. However, she said that Lockheed Martin had been tracking the "adversary" for years prior to the attack and had been able to prevent the unidentified hacker from obtaining any data from its systems.

"The adversary was able to get information from RSA and then they were also able to steal information from another supplier of ours, and they were able to put those two pieces of information together and launch an attack on us," McMahon said.

She added that the company had learned to share information with other stakeholders in the defence industry in order to prevent similar attacks from occurring, according to the Reuters report.

The European Commission recently said that it intends to "present a comprehensive strategy on cyber security" before the end of the year. The proposals will contain draft legislation with the aim of improving "network and information security across the EU" and will "provide for a cooperation mechanism amongst the Member States and introduce security requirements for the private sector".

In July the Commission launched a consultation on the issue, seeking the views of governments, businesses and others in a bid to help it form its legislative plans. At the time it said that businesses could be required to report when their "essential" systems have been disrupted due to "cyber incidents". The Commission said its aim was to "enhance preparedness, strengthen the resilience of critical infrastructure as well as to foster a cyber-security culture in the EU." The consultation closed on 15 October.

The Commission is seeking to expand the existing security breach notification regime that operates in the telecoms sector.

Currently telecoms operators and internet service providers are required, under the EU's Privacy and Electronic Communications Directive, to "take appropriate technical and organisational measures to appropriately manage the risks posed to security of networks and services" and take measures to "prevent and minimise the impact of security incidents on users and interconnected networks." The Directive requires that the network or service providers notify national regulators of any "breach of security or loss of integrity that has had a significant impact on the operation of networks or service".

Regulators can share details of the incidents with regulators in other EU member states and can require that the public is also notified of breaches if it is in the public interest for the notification to be made, under the terms of the Directive.

However, last month EU privacy watchdog the European Data Protection Supervisor called on the Commission to more clearly define what cyber security incidents and threats organisations should have to guard against under proposed new laws.

US companies were also recently advised to stop using telecoms equipment made by two leading Chinese firms, Huawei and ZTE, after the use of technology made by the companies was deemed a national security risk. Both firms deny the claims.

The recommendation was made by a committee in the US Congress following an 11-month investigation into concerns that links between Chinese companies and the Chinese Government provide China with "greater opportunities for foreign and economic espionage".