
Communications of the ACM

ACM News

Raising the Ramparts


Facing the same threats that government agencies do, companies need military-grade cybersecurity.

Credit: careersinthemilitary.com

The global military cybersecurity market will grow from US$25,692.4 million in 2021 to US$43,675.2 million by 2031, says Visiongain Research, Inc., a U.K. market intelligence firm.

That growth is no surprise, with commonplace nation-state attacks on critical infrastructure and government data assets. The U.S. federal government and its agencies, with the aid of the Cybersecurity & Infrastructure Security Agency (CISA), are ramping up cyber defenses to combat disabling ransomware and complex attacks. They are using approved security products that the government and the military vet specifically for these purposes.

However, government organizations are not the only ones in jeopardy.

Nation-states target private enterprises, too, with support from their military and insidious Advanced Persistent Threat (APT) groups. Facing the same threats that government agencies do, companies need military-grade cybersecurity.

Military-grade cybersecurity proceeds from a Military Specification (MIL-SPEC) purchasing process, with rigorous testing to ensure cybersecurity components are the most secure, resilient products the military can get, says Peter Hay, Lead for Instruction at SimSpace Corporation, a military-grade cybersecurity risk management platform. The military uses extensive mission-based training to ensure its human cybersecurity talent adheres to MIL-SPEC security requirements, too.

MIL-SPEC cybersecurity products are a necessity, as high-profile cases of military-level attacks demonstrate. The Indian APT group ModifiedElephant stealthily attacked dissidents for 10 years without detection. The group used military-grade remote access trojans (RATs), keyloggers, and other attack tools, according to SC Media, a publication of the CyberRisk Alliance, an organization that, according to its Website, was "formed to help cybersecurity professionals face the challenges and obstacles that threaten the success and prosperity of their organizations."

The APT group Shadow Brokers stole the EternalBlue military-grade exploit from the U.S. National Security Agency (NSA) in 2017. It released the exploit to criminal hackers globally via subscription-based access to data dumps, according to The New York Times. Cybercriminals have since used EternalBlue successfully in many attacks.

According to Tom Van de Wiele, a principal of WithSecure, an endpoint detection and response company in Finland, the 2010 Stuxnet attack was the most profound military-level cyberattack on record. Stuxnet used intelligence gathering, local spies bridging air-gapped networks using USB thumb drives, and zero-day exploits to gain access and persist long enough to disrupt Iranian uranium enrichment infrastructure, he says.

With an increase in nation-state data breaches, cybersecurity vendors serving the military are offering comparable products and services to the private sector to maintain the balance of power against nation-state attacks.

For example, CrowdStrike provides its cloud-based endpoint and identity product Falcon to the U.S. Government with FedRAMP authorization, according to a CrowdStrike media release. Falcon also is available to private enterprises.

According to Hillary Benson, director of product management for GitLab Inc., GitLab is part of the U.S. Air Force Platform One program for development, security, and operations (DevSecOps). GitLab provides its military DevSecOps solution to enterprises to deliver secure software to the private sector.

Cyber threat defense firm Mandiant is another military-grade cybersecurity company. In March, Google announced plans to acquire Mandiant to instill military-grade cybersecurity protection in the Google Cloud, according to an article in investment research publication SeekingAlpha. In another example, SimSpace, a contractor in the U.S. Army's Persistent Cyber Training Environment (PCTE), provides cyber ranges (interactive simulations of an organization's network and systems connected to a simulated Internet environment) to the Army and private companies, along with relevant instruction.

Organizations from various industry verticals increasingly are using military-grade cybersecurity to safeguard their data against nation-state attacks. In particular, "Banks, healthcare companies, and large cloud platforms use military-grade cybersecurity," says Benson.

Some enterprises choose to implement military-grade cybersecurity after a significant breach. In 2013, a third-party attack breached a large retail chain right before Christmas. Afterward, the big box chain turned to military-grade cybersecurity, hiring Mandiant to investigate the attack.

With all the evidence supporting the use of military-grade cybersecurity with its high standards, organizations might assume that its existence is widely accepted. However, one expert says there is no such thing as "military-grade cybersecurity." Says John E. Young, a cybersecurity expert emeritus of IBM's Cloud division, "Given the breaches at the VA (the U.S. Department of Veterans Affairs: over 25 million people affected), the National Archives (more than 70 million people affected), and the voter database (close to 200 million records leaked), wouldn't our own government have implemented military-grade cybersecurity if they possessed such a thing?"

The effectiveness of military-grade security depends on how agencies and organizations utilize it. According to Benson, while the best security products are available to the government and private industry, security breaches happen in both sectors. The efficacy of these tools is less about their sophistication and more about how well an organization can execute on information the tool provides, she says.

Looking Ahead

Federal leadership has stressed the urgency of accelerating improvements in government cybersecurity. "The Executive Order on Improving the Nation's Cybersecurity continues to significantly influence the roadmaps of private sector security vendor products," says Benson. Private enterprises continue to leverage cyber products that receive MIL-SPEC status.

 

Still, no cybersecurity is a cure-all for breaches. "I don't care what level of security a company says they have; somewhere, an employee is hiding an exposure under the rug. Military-grade cybersecurity sounds great, but to me, it's the corporate equivalent of whistling past the graveyard," says Young. 

 

David Geer is a journalist who focuses on issues related to cybersecurity. He writes from Cleveland, OH, USA.


 
