Under Cyberthreat: Defense Contractors

Northrop Grumman's info security chief addresses the "well-resourced, highly sophisticated" attacks against makers of high-tech weaponry

Tim McKnight is well acquainted with threats to cybersecurity. A former special agent with the FBI, he specialized in corporate espionage and foreign counterintelligence. He's also handled information security for Cisco Systems (CSCO) and BAE Systems and has participated in a group called the Transglobal Secure Collaboration Program, whose mission is protecting intellectual property in the aerospace industry.

Those security chops are tested daily in McKnight's role as chief information security officer at Northrop Grumman (NOC). The defense industry faces "a near-existential threat from state-sponsored foreign intelligence services" that target sensitive IP, according to a report by the Internet Security Alliance, a nonprofit organization on whose board McKnight sits.

Northrop Grumman experienced the implications of that threat firsthand recently. According to a Frontline investigation that aired June 23, reporters were able to purchase an unencrypted hard drive of a Northrop Grumman employee in Ghana for $40. The drive reportedly contained hundreds of documents about government contracts.

"Detailed Asset-Disposal Procedure"

McKnight recently spoke with BusinessWeek.com writer Rachael King. A Northrup Grumman PR representative wouldn't let McKnight address the issues raised by Frontline, instead issuing a statement that said: "We believe this hard drive may have been stolen after one of our asset-disposal vendors took possession of the unit. …We have a detailed asset-disposal procedure in place. Despite sophisticated safeguards, no company can inoculate itself completely against crime. The fact that this information is outside our control is disconcerting." But McKnight was able to discuss other threats facing his industry. Edited excerpts follow.

Are defense contractors being singled out in highly targeted attacks?It's gotten to a point where it has a name for itself: the APT or "advanced persistent threat," meaning that they are well resourced, highly sophisticated, clearly targeting companies or information, and they're not giving up in that mission.

Where is this coming from? Is it state-sponsored or organized crime?Attribution is probably one of the biggest problems for our nation, both from a defensive and an offensive posture as a country. Obviously we know that the likes of China and Russia have the greatest capabilities, like the U.S., from an espionage perspective. But we are starting to see quite a capability in the organized crime, criminal aspect. Clearly you're seeing this with a lot of the credit-card or financially motivated crimes that are occurring.

I've heard that phishing attacks against executives are getting more sophisticated. Do you see evidence of that?The [phishing e-mails] look more and more authentic in the last couple years. There's definitely targeting of either executives in corporations or in government or specific roles in organizations. We see targeting of our contracts people because they have a lot of knowledge of the marketplace, what's out there, what are our big opportunities and what we're going after, whether that's from a competitive intelligence perspective or a nation-state perspective. We have a special training program just for our executives and their admins.

We had recently done a test within our organization where we did a spear phishing on our management to ascertain how knowledgeable they are. It was pretty common that 65% to 70% didn't click it, reported it, deleted it, handled it in the appropriate way. But we still had that good 30% that clicked on the link and went to the bad Web page where we said, "This was a test and unfortunately you failed." …Social engineering and the use of e-mail will continue to be a systemic problem for all network defenders and security folk going forward.

What kind of tools do you use to keep your network secure?We've focused a lot on…capabilities where you're capturing all traffic, not just bits and pieces of it. With the sheer number of viruses and malcode that's out there, most antivirus [software] is probably only hitting about 60% of what's out there at this point. We're moving toward more behavioral-based technology, based on what's the normal behavior of the system. Does it normally run its CPU at 80% on a Sunday evening at 11:55 p.m.? Does it usually have traffic going outbound with large data sets beyond the normal Web traffic?

Most of the attacks in about the last three to four years have [involved] legitimate credentials. The analogy would be that they had a set of keys to your home and they know the codes to your alarm system at home so they can enter and leave as they please, without leaving a track unless you're looking for things like entering during an abnormal hour of the day when you're at work. Obviously, Northrop is a world-class operation when it comes to both offensive attack and exploitation of networks and defense, which is my area of expertise.

What other trends are you seeing now?As companies and governments have begun to do a better job of the health care of the security of their networks, the sophistication has gone up. So, the attacks are more "stealthy," more sophisticated. They really become a needle in the haystack as you're trying to find them in a large network.

Before it's here, it's on the Bloomberg Terminal.