A recent ransomware attack against a Canadian construction company is raising questions about the level of cyber security controls required, or apparent lack thereof, for industry to win federal contracts.
While it doesn't appear that any secure government files were compromised in the hack, the Bird case raises concerns about how secure government contracts are as the number of ransomware incidents multiplies.
Between 2006 and 2015, Bird scored 48 contracts with the Department of National Defence totalling more than $406 million. Bird also helped build the RCMP's Surrey detachment headquarters and has done work for Public Services and Procurement Canada.
Christyn Cianfarani, president of the Canadian Association of Defence and Security Industries, said Canada could learn from the United States and Britain, countries that have taken steps to ensure the security systems of all government contractors are locked down — even those not dealing with classified information.
Luckily, no sensitive files were compromised in the attack. However, one has to wonder how a government contractor allowed this to occur. Are there no minimum security requirements for Canadian government contractors? Or is the bar set so low that a simple ransomware attack can still succeed?
While no company can be 100% sure it is safe from attack, there is no reason why a standard ransomware attack should be successful. There are a myriad of endpoint security controls, from next-generation antivirus to endpoint detection & response, capable of either preventing attacks like ransomware or providing visibility into them.
Buried within the article is this note:
"When we look at the major hacks that have occurred, especially on the defence side, where you know fighter aircraft information was stolen — it wasn't stolen from the prime contractor, it was stolen in a tiny, tiny shop supplying widgets," she said, citing the 2017 theft of sensitive information about Australia's defence programs through a government contractor.
"Whether they're done by nation states or by criminal organizations or by rogue actors, it's a characteristic of these kinds of attacks to get to governments using businesses as the point of entry, especially ... small businesses that tend to be the most vulnerable."
Threat adversaries are not stupid; they do the reconnaissance required to find vulnerable targets. Those tiny shops supplying widgets are, more often than not, the weakest links in the supply chain.