
How the Defense Industrial Complex Can Improve Cyber Security Preparedness

The Defense Industrial Complex is one of the largest networks of businesses and organizations all focused on improving and elevating the United States’ defense capabilities and systems. Currently, over 220,000 companies of all sizes work in connection with the Department of Defense (DoD) and the various branches of the Armed Forces providing equipment, resources, and services, many of them focused on information technology solutions.

While the Pentagon and the military branches constantly monitor for physical threats to the country, cybersecurity is rapidly growing in importance. With the recent pandemic and the very public SolarWinds breach, the White House requested over $10.4 billion for DoD cyberspace activities in its fiscal year 2022 budget, a sizable increase over previous budgets.

The increasing threat is very real. In February 2022, the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) jointly disclosed that Russian state-sponsored cyber actors had been targeting U.S. cleared defense contractors (CDCs) from at least January 2020 through February 2022. In some of these cases, the actors maintained access to CDC networks and their sensitive data for up to six months.

In late 2021, a report revealed that up to 20% of the United States’ top defense contractors were “highly susceptible” to a ransomware attack, with 42% having experienced a data breach in 2020 alone.

Yet the reality is that the Defense Industrial Complex, both on the government side and in the private sector, still faces many challenges when it comes to monitoring and preparing for potential cyber attacks that could disrupt their daily operations and potentially the country as well.

With that in mind, we will explore the challenges and opportunities defense cybersecurity currently faces and what improvements can be made for all involved.  

Cyber Security Issues and Challenges Within the Department of Defense and Armed Forces

While cybersecurity is a top priority for the U.S. military, how the various branches actually oversee and execute cyber vigilance remains a source of internal debate, as several top military officials have recently pointed out. The Navy’s Chief Information Officer said that he felt the Navy’s cybersecurity approach was too focused on compliance and not on readiness.

A compliance-only approach, which amounts to adopting a standard control set and response plan and never deviating from it, exposes any organization to delayed response, inadequate protection, and wasted or underutilized resources. Controls that satisfy an assessor are not the same as controls that stop an adversary. A readiness model, applied holistically, allows the organization to react quickly and adapt to ever-evolving threats, both internal and external.

Many other former DoD officials who worked in cybersecurity have also cited the need to move away from a focus on compliance toward one of speed and readiness. While such a transition might cause some early mistakes during implementation and execution, learning from those missteps would eventually lead to more robust security, although it remains to be seen whether the often risk-averse military will be willing to make such changes soon.

Cyber Security Protocols for Outside Partners Working with the Military

Intelligence sharing is key for successful cybersecurity. The sooner the larger collective knows about an impending threat, the quicker and the better response. That’s especially important for outside vendors and companies that work with the military, especially when it comes to protecting sensitive information.

For any new or current companies that wish to work with the defense industry, several protocols and requirements are already in place to ensure compliance and to protect both sides from potential threats.

Companies that handle Controlled Unclassified Information (CUI) are already required, under DFARS clause 252.204-7012, to implement the controls in the National Institute of Standards and Technology (NIST) Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” On top of that, the DoD is phasing in the Cybersecurity Maturity Model Certification (CMMC), which sets the minimum cybersecurity requirements companies must be able to demonstrate to win contracts.

In addition, if a cyber incident does occur, outside companies must report it to the DoD Cyber Crime Center (DC3) through the DIBNet portal; DFARS 252.204-7012 requires that report within 72 hours of discovery. The same portal is also the gateway for a defense contractor to join the voluntary DoD Defense Industrial Base Cybersecurity (DIB CS) program, and a starting point for those that have questions or need additional information.

While every company will likely have its own internal cybersecurity protocols, they should also adhere to the DoD’s cybersecurity recommendations.

  • Maintain current architecture diagrams with hardware and software inventories to ensure quick threat response.  
  • Configure security settings on all devices and software.  
  • Employ active defenses for known threat agents and stay informed of the latest intelligence and response actions.  
  • Monitor device and network activity logs and look for suspicious behaviors.  
  • Activate multi-factor authentication on all devices.  
  • Ensure email and browser security is up-to-date.  
  • Install malware protection on all networks.  
  • Encrypt all data both at rest and in transit.  
  • Train staff to respond as needed to suspicious events.  
  • Have contingency plans in place and ensure that emergency response/notification can respond to a cyber event.  
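The log-monitoring item in the list above is the one most often left abstract. The following is an added example, not code from the original post or from J5 Consulting: a small detector that runs over constructed SSH authentication log lines (the log format, host name, user names and TEST-NET addresses are all made up for illustration) and raises an alert when one source exceeds a failure threshold inside a sliding window, and a second, higher-severity alert when a login from that same source later succeeds, which is the trace a brute-force or password-spray intrusion leaves behind. It assumes the log is already in time order, as a syslog stream would be.

```python
"""Added example (not from the original post): flag brute-force login bursts
and a later successful login from the same source in auth log lines.
The log format, host name, user names and TEST-NET IP addresses are
constructed for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 fails five times within a minute and then
# succeeds; 198.51.100.22 is a user who mistyped a password once.
SAMPLE_LOG = """\
2022-03-01T07:30:00Z bastion sshd: Failed password for admin from 203.0.113.7
2022-03-01T07:58:10Z bastion sshd: Failed password for jsmith from 198.51.100.22
2022-03-01T07:58:20Z bastion sshd: Accepted password for jsmith from 198.51.100.22
2022-03-01T08:00:01Z bastion sshd: Failed password for admin from 203.0.113.7
2022-03-01T08:00:05Z bastion sshd: Failed password for admin from 203.0.113.7
2022-03-01T08:00:09Z bastion sshd: Failed password for root from 203.0.113.7
2022-03-01T08:00:14Z bastion sshd: Failed password for root from 203.0.113.7
2022-03-01T08:00:20Z bastion sshd: Failed password for oracle from 203.0.113.7
2022-03-01T08:01:05Z bastion sshd: Accepted password for oracle from 203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_line(line):
    """Return a dict for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Return a list of (alert_type, source_ip, user, timestamp) in log order.

    brute_force:         `threshold` or more failures from one source inside
                         `window`; raised once per source.
    success_after_burst: a successful login from a source that already
                         triggered brute_force; this one needs immediate
                         triage, not a ticket.
    Lines are assumed to be in chronological order.
    """
    recent_failures = defaultdict(deque)  # ip -> failure timestamps in window
    bursting = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]
        if rec["result"] == "Failed":
            q = recent_failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures older than window
                q.popleft()
            if len(q) >= threshold and ip not in bursting:
                bursting.add(ip)
                alerts.append(("brute_force", ip, rec["user"], ts))
        elif ip in bursting:
            alerts.append(("success_after_burst", ip, rec["user"], ts))
    return alerts


if __name__ == "__main__":
    for kind, ip, user, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts:%Y-%m-%dT%H:%M:%SZ} {kind:<20} src={ip} user={user}")
```

The first failure from 203.0.113.7 at 07:30 falls outside the 60-second window and is discarded, so the alert fires on the fifth failure inside the window (08:00:20), not on the fifth failure overall; the later successful login from that source is what should page someone.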

Recommendations on Improving Defense Cyber Security Preparedness

As both the DoD and outside organizations work together to ensure cybersecurity preparedness, here are some recommendations that both sides can implement for greater protection.

Make information sharing mandatory rather than voluntary: Currently, the process for DoD partners and companies to share information on recent or potential cyber threats is strictly voluntary. While this is a good start, the problem with any kind of voluntary reporting is that relevant tips or insights will either never be shared, perhaps because an outside company fears that doing so could jeopardize its business relationship with the DoD, or will be shared late because the company gets busy with other things or takes too long to formalize how it wants to share the information.

Mandatory reporting is the answer. However, that will require formal policies and legislation that both the public and private sectors can agree on. While there will likely be some on both sides that will challenge the need for a formal policy, increased and timely information sharing is the first step in staying ahead of potential adversaries.

Cutting costs and streamlining protocols: As the DoD increases its partnerships with new and small businesses, making it easier for them to stay compliant and not letting costs be a deterrent is a priority. In November 2021, the DoD announced plans to replace the original program with CMMC 2.0. The updates are scheduled to include a streamlined model aligned with the widely accepted NIST standards (SP 800-171 and 800-172), reduced assessment costs, and waivers of some CMMC requirements under limited circumstances.

The new CMMC 2.0 program, which is still undergoing rulemaking and public comment, is scheduled to be fully implemented in 2023. Some uncertainty remains over whether small companies, especially those that do not handle sensitive data, will still need a third-party assessment of their security rather than a self-assessment before being considered fully DoD compliant once CMMC 2.0 is launched. But any final version that makes it easier and less expensive for companies to become compliant will be a big improvement.

Put the greater defense first over individual interests: While the DoD can at times seem very bureaucratic, and its efforts to streamline and improve security practices slow, many in the DoD are aware that more needs to be done to prevent the next big cyber attack. Companies that currently work with, or want to work with, the military should not wait for the DoD or other agencies to tell them to do the due diligence and upgrades their own cyber security protocols need.

Be proactive. That includes keeping up to date with the latest cybersecurity news and best practices. Ensure that all employees and management are trained on how to spot and prevent a potential breach, even if they don’t work in IT or in a technical capacity. As the saying goes, “A chain is only as strong as its weakest link.”

Any company that seeks to work within the Defense Industrial Complex must make cyber security a top priority. Doing so will support the organization’s success and help ensure that our nation’s defense remains strong and secure for everyone.

Does your agency or organization need guidance or additional support to fully implement zero trust compliance? Reach out to J5 Consulting and connect with our team of IT experts.

Improving Diversity in the Tech World Through Education and Advancement

While many career opportunities exist in the information technology (IT) and tech fields, it’s no secret that diversity remains a challenge. While progress has been made by women and people of color in not only building careers, but also becoming leaders in the industry, more work needs to be done. That includes schools providing more access to computer science education for students living in underserved communities.

As an estimated 200,000 tech jobs will be created each year to keep up with demand, training, finding, and retaining talent is a key priority. With that in mind, we will explore some of the current challenges impacting diversity in the field and provide some next-step solutions for organizations.

Improving Computer Science Education Opportunities for All Students

Before someone starts an IT career, they were probably exposed to tech as a child. Today’s kids are surrounded by technology every day, so it’s no surprise that many of them would be interested in working in the field. The issue is that gaining the necessary core skills can still be a challenge, especially for students from underserved communities. Computer Science (CS) programs have expanded across the country in recent years. Yet many students lack access to these courses or are not encouraged to participate in them.

A recent report, “The State of Tech Diversity” from the Kapor Center, revealed many of the current inequities for CS classes in K-12 schools.  

  • Currently, Black students represent 6% of students in advanced Computer Science (CS) courses despite being 15% of the overall student population.  
  • Students who participate in Advanced Placement (AP) Computer Science courses are 3-4 times more likely to major in Computer Science in college, but Black students only make up 3.5% of participants in those courses. 
  • In 2020, just 2,246 Black students took an AP CS course, and just 715 were Black girls.

The issues continue in higher education and even non-traditional “boot camp” or tech apprenticeship programs.  

  • Just 8% of CS Bachelor’s degrees were conferred to Black students. 
  • Only 6% of coding “boot campers” are Black talent, partly due to high tuition rates for these non-traditional programs and a lack of scholarships.
  • Tech apprenticeships, which blend paid classroom and job-based learning, have a participation rate of just 17% of Black talent.

Many girls and young women excel in STEM (science, technology, engineering, and math) early on in school. But often they do not finish or pursue a tech education after graduating from high school. A recent study found that women make up only 21% of engineering majors and only 19% of computer science majors in college.

STEM fields still are inaccurately viewed as a “male” profession. Too often young women, while still in elementary or middle school, are discouraged from pursuing tech careers and instead are pushed into more “traditional” careers such as education or healthcare.

Addressing Inequality in Hiring and Retaining Diverse Tech Talent

The tech industry still faces the issue of being primarily filled with white men. Recent statistics from the U.S. Equal Employment Opportunity Commission support this fact, despite recent efforts by many tech firms to improve the issue.

Compared to private industry overall, the high-tech sector employs a larger share of Whites (68.5% versus 63.5%), Asian Americans (14% versus 5.8%) and men (64% versus 52%), and a smaller share of Blacks (7.4% versus 14.4%), Latinos (8% versus 13.9%) and women (36% versus 48%).

Latino representation in the tech workforce has barely improved, despite overall increasing participation in the total U.S. workforce. Among top-grossing companies like Google, Apple, and Meta all headquartered in Silicon Valley, CA where Latinos make up 26% of the local population, there has been basically zero growth in the Latino tech workforce there. Over the last four years, the Latino tech workforce has only marginally grown by one percent within the 30 largest tech companies.

Retention of Black tech talent is also an issue. Black men represent only 7.4% of the tech talent pool, and Black women just 3%. Black tech professionals are more likely to leave their current role for a position at a new company to achieve career progression. On average, Black tech workers move between companies every 3.5 years, compared to every 5.1 years for their non-Black peers. Many Black tech professionals, even with long, successful careers, still feel that opportunities to lead major companies or initiatives are limited.

Women in tech also continue to face an uphill battle. According to a new McKinsey & Company report entitled “Women in the Workplace 2021”, only 52 women in technical roles were promoted to manager for every 100 men.

The biggest contributing factor is that entry-level women in tech are often passed over for promotions or new roles. This is often due to a lack of access to new skills and a lack of internal support and structure to ensure advancement. Companies that fail to encourage and support their female talent also miss out on financial growth: the same research found that the most gender-diverse companies are 48% more likely to outperform the least gender-diverse companies.

How to Improve Education and Career Opportunities for Diverse Talent

While tech and IT companies may not be able to address all the issues listed above, there are certainly things they can do within their own organizations and the communities they serve to help expand opportunities for more diversity within the industry.

Improve Education Opportunities: One way to get the next generation of tech talent interested in the industry is to give them more opportunities for training and hands-on experience. Companies can reach out to their local high schools, universities, community colleges, and non-profit organizations to find out what computer science or other tech courses they currently offer. Based on the opportunities offered, companies can get involved by either providing needed resources, including computer equipment, scheduling a company representative to speak to a class about IT careers, or potentially teach a class as a guest speaker or lecturer on an important tech topic.

Also, tech firms can find out whether current or even prospective students would be interested in internship or mentorship opportunities with someone in the company. Many established tech professionals cite having a mentor early in their careers as the main reason they pursued the opportunities they did.

Improve Hiring and Retention Process for Talent: Even when professionals gain the necessary tech credentials, training, or a degree, they can still face barriers when seeking employment, particularly during the initial application process, when human resource software or hiring programs scan résumés for potential employees. Organizations must consistently review their hiring algorithms and processes to ensure that bias and potentially discriminatory language or criteria are removed, so that all candidates get an equal hiring opportunity.

Once a candidate is hired, ensure that the company’s onboarding and employee growth plan offers a clear pathway to advancement. That includes professional development, mentorship, sponsors, and clear job goals and benchmarks.

Work with Leadership: Often, every level of an organization can benefit from an outside perspective, especially when it comes to creating positive outcomes in professional development, staff retention, and management communications. When providing leadership training, a consultant should address current hiring practices and how leadership can drive change in seeking more diverse talent, whether for full-time positions or on a temporary or contract basis. By making this a priority, leadership will ensure that the organization is competitive and thriving in the long term.

Today’s tech industry needs more talent than ever before. Yet all IT companies must find ways to improve pathways for diverse students and professionals to give them the skills and confidence they need to create successful careers. More diversity, more voices, and more perspectives will ultimately lead to new technology breakthroughs that will advance society.


Data and Technology Security Must Be a Top Priority for the Healthcare Industry

Healthcare technology is more critical than ever. The current pandemic has caused many healthcare providers, organizations, and consumers to rely on health tech, particularly virtual and digital tools that diagnose and treat. A significant issue impacting healthcare today is securing sensitive and valuable personal medical information. Data security is paramount with more people accessing this information from home computers and even their cell phones, especially with hospitals and other healthcare facilities increasingly becoming the targets of cyber and ransomware attacks.

The threat is real and growing. According to the federal government, in 2021, over 40 million individual health records were compromised. With this in mind, we’ll explore some of the challenges facing healthcare organizations regarding technology security and offer recommendations specific to this industry.

Healthcare Data Is More Accessible to Consumers and Hackers

In 2016, the federal government passed the 21st Century Cures Act. The law helped accelerate medical product development and innovations for patients and consumers. On April 5, 2021, the 21st Century Cures Act Final Rule went into effect. This provision in the law mandates that consumers have the right to timely access of their electronic health information and can download that information free of charge. It also required health systems and providers to provide the information through various technologies, including online patient portals and mobile phone apps. Ultimately, this shifts more control to the consumer.

While this is good for consumers, it also raises the likelihood that data could be compromised. Poor cybersecurity judgment and practices by a patient using their cell phone, or even an unintended action by a healthcare facility staff member while logging into an office computer, could open the door to a security breach.

Access to health information helps consumers make better health decisions. It also potentially makes it easier for attackers to steal that information. While many organizations are compliant with the Health Insurance Portability and Accountability Act (HIPAA), which was created to protect sensitive patient data from being disclosed without a patient’s consent or knowledge, HIPAA compliance alone is not enough to prevent a cyberattack.

Massive Healthcare Data Breaches Will Happen Again

Medical records are valuable commodities and hackers know this. They also know that healthcare offices, hospitals, and other organizations are particularly vulnerable, mainly due to outdated security systems, lack of cybersecurity action plans, and lack of funding to improve their systems.

Recent statistics bear this out.  

  • Hospitals account for 30% of all large data breaches. 
  • Since 2009, more than 2,100 healthcare data breaches have been reported in the U.S. 
  • 18% of teaching hospitals have experienced a data breach. 
  • 6% of pediatric hospitals have reported data breaches. 
  • There is an estimated 75.6% chance that a breach of at least five million records will occur in the coming year. 
  • 34% of healthcare data breaches involve unauthorized access or disclosure. 

Though large cyberattacks, like the recent SolarWinds incident, prompted various calls and initiatives to improve cyber security across all industries, much of the healthcare industry has been slow to respond. That’s despite recent large cyberattacks here in the U.S. and in other countries.

In 2015, Anthem Health reported that hackers had broken into its systems and stolen almost 80 million personally identifiable records of current and former policyholders. Anthem was not required by law to encrypt its data at the time. Though Anthem admitted no wrongdoing, the company paid out over $115 million to settle class action lawsuits.

In 2017, the WannaCry ransomware attack severely disrupted the United Kingdom’s National Health Service (NHS). The attack, attributed by the U.S. and U.K. governments to North Korea, hit NHS hospitals and offices running Windows systems that had not yet received the security patch (MS17-010) Microsoft had released two months earlier for the SMBv1 vulnerability the worm exploited. Affected trusts had to cancel surgeries and divert ambulances to hospitals that were not hit. The attack ultimately cost the NHS an estimated £92 million in lost services and IT recovery.

As the pandemic stretched hospital capacity here in the U.S., ransomware attacks increased in 2020. That prompted the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of Health and Human Services to issue a joint advisory in October 2020 warning of an imminent cybercrime threat to U.S. health organizations. While a single massive attack did not happen as feared, the danger is still there.

Recommendations and Solutions for Improving Healthcare Cybersecurity

Between a growing number of vulnerable devices and networks, a very clear financial incentive for attackers, and ineffective or outdated cybersecurity practices, the current data security diagnosis within the healthcare system is not good.

Cybersecurity is unfortunately still a lower priority for many healthcare organizations, mainly due to a lack of resources and funding. A 2020 survey found that the average healthcare organization spends about 6% of its IT budget on cybersecurity while spending more on new technologies. While new technologies can be beneficial for patient care, the reality is that every added medical device, from computers and monitors to diagnostic machines, enlarges the attack surface.

Increasing funding in healthcare security is undoubtedly a long-term goal to improve things, but that will take time. Especially as various healthcare systems of all sizes will have to rely on public and private partnerships, government support, and possibly raising prices on goods and services to consumers to cover some of the costs.

Updating Legacy Systems and Vintage Software: Too many healthcare systems still rely on legacy computer systems and infrastructure. These older systems, running outdated software, are more vulnerable to attackers. Updating to newer systems will help, but it often requires a financial investment that some organizations cannot fund. One step toward deciding whether legacy systems need to be replaced is to conduct a thorough end-to-end security assessment, identify the risks, and make decisions based on that assessment. These assessments, done regularly, are important in their own right, and the HIPAA Security Rule requires a periodic risk analysis.

Practice Digital Hygiene: Just as doctors recommend washing one’s hands to prevent the spread of germs, all staff at any healthcare facility should practice good digital hygiene habits, whether at home or in the office. That includes using long, unique passwords for computer and email accounts (ideally from a password manager) and changing them whenever there is a sign of compromise, rather than on a fixed schedule, which current NIST guidance (SP 800-63B) no longer recommends; not clicking on suspicious links in email messages; and keeping disk encryption and anti-malware software active on work computers and laptops. Organizations should also implement multi-factor authentication, apply software updates promptly, and test devices for potential vulnerabilities.

Increased Communications: Healthcare organizations should actively collaborate with federal and state government agencies to stay up-to-date on potential threats, especially those that could impact multiple cities, districts, or states. At the same time, these same organizations should advocate with their policymakers to help solidify and streamline the regulations that oversee cybersecurity for their industry. Doing so will help create an industry standard for healthcare cybersecurity that all organizations can easily understand and manage.

Healthcare impacts everyone and the industry must remain proactive in working to promote and update cybersecurity standards and secure the technology it works with every day. By making cybersecurity a top priority, all consumers will feel more at ease that their medical data is safe and secure.


Trusting in Change: How Federal Agencies Can Achieve Zero Trust Compliance

On January 26, 2022, the White House introduced a new cybersecurity directive to reduce cyberattacks against federal agencies and their digital infrastructure. With the 2020 SolarWinds compromise still fresh in the minds of many in the IT world and the December 2021 Log4j (Log4Shell) vulnerability even more recent, it should come as no surprise that the government is now looking to secure and strengthen its internal workings more than ever.

The memorandum (OMB M-22-09), issued by the Office of Management and Budget (OMB) to all federal agencies, mandates adoption of a zero trust architecture. Agencies were given 30 days from its release to designate a zero trust strategy implementation lead, and 60 days to submit an implementation plan for fiscal years 2022 through 2024 together with a budget estimate for fiscal year 2024. The ultimate goal is that by the end of fiscal year 2024, federal agencies meet specific zero trust goals across five pillars: identity, devices, networks, applications and workloads, and data.

While many applaud the new initiative, a recent survey found concerns within some federal agencies that the timelines are too aggressive and that their staff are not ready to make all the necessary changes. With the clock ticking, we will explore how those tasked with this responsibility can best prepare for zero trust compliance.

Changing Culture: Overcoming Staff Distrust of New Protocols

Federal agencies can sometimes be set in their ways and take a very long time to respond or change how they tackle big projects. When it comes to executing zero trust security, it simply comes down to ensuring that every user and device connected to an agency’s network is verified and that users only have as much access as they need, nothing more or less. That includes internal staff and executives who may feel they should have more access or broader privileges because they work in an elevated role at the agency.

The reality is that threats can come from both the outside and the inside of an organization. No device or user is trusted by default simply because of where it sits on the network; trust is established for each request, based on who is asking, from what device, and for what. That’s why the security model is called zero trust. Adopting a least-privilege model is the smart way to go. Depending on an agency’s specific systems, privileges can be assigned to individual users based on business unit, role, seniority, and other factors. 

The least-privilege model can be a hard pill to swallow for some who have worked at an agency for a long time. They may suddenly feel that they are not trusted despite years of service, and recent hires or those unfamiliar with zero trust may need time to get used to the concept. Before any changes are implemented, it’s a good idea to fully brief staff and key users on zero trust principles. This is especially necessary to get staff buy-in on the protocol changes, so that they feel like a vital part of the solution rather than a potential source of trouble.

Utilizing Existing Technology in the Marketplace 

When it comes to reaching the OMB’s accelerated timeline for zero trust, some federal agencies may feel that they have to commission the development of brand new technology. The risk is that in their rush to meet the specific deadlines, they may overlook existing resources that can help speed up the process and ensure a successful transition.

For example, the OMB zero trust mandate asks each agency to prioritize resources for adopting and using cloud technology. That includes utilizing services such as Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). In addition, agencies will need to centralize and streamline access to data to inform analytics, improve their use of analytics to identify and manage potential risks, and invest in both technology and personnel to meet the government’s modernization goals.   

Fortunately, many existing cloud-based technology solutions already exist that can be integrated to fit an agency’s specific needs. This can save time and money in development, deployment, and implementation since the individual vendor has already done most of the build-up work. Also, hiring an IT consultant that understands both the technology and how it can work best specifically for government use can certainly expedite the process.

Today’s Hybrid World and the Impact on Implementation 

The most pressing factor federal agencies will need to consider when meeting the new mandates is today’s new hybrid workforce world. Since the pandemic, many federal workers are either 100 percent teleworking or employed in a hybrid schedule. In 2020, 45% of all agency employees teleworked that year, according to the Office of Personnel Management (OPM). Of everyone eligible to telework, 90% did just that in 2020 compared to 56% in 2019.

With the federal government continuing to encourage telework, the mandate to implement zero trust compliance is even more critical. With so many employees either working from home, in an office, or anywhere with a Wi-Fi connection, the opportunities for a cyber attack rise exponentially. Because of that, the old ways of “perimeter defense” or creating a security plan based on everyone working in the same office no longer works today. 

To implement zero trust compliance, agencies must ensure that all technology used by their employees, from computers to cell phones, is managed and secured. In addition, agencies must require multi-factor authentication for access to networks and applications; the memorandum specifically calls for phishing-resistant methods such as PIV smart cards or FIDO2/WebAuthn for agency staff and contractors, rather than SMS or voice one-time codes. Endpoint detection and response (EDR) tooling is needed to confirm that devices are not compromised. Finally, continuous monitoring of, and response to, potential threats is crucial to preventing a possible attack.
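The three controls in the paragraph above (verified identity with strong MFA, device posture, and a decision made per request) and the least-privilege role assignment described earlier in this piece combine into a single access decision. As an added example, not code from the original post or from J5 Consulting, here is a deny-by-default policy check in Python that makes that decision. The role names, resource paths, device attributes and the set of MFA methods treated as phishing-resistant are all assumptions for illustration; a real deployment would take them from the agency’s identity provider, device management and EDR platform, and policy engine.

```python
"""Added example (not from the original post or J5 Consulting): a deny-by-
default zero trust access decision. Each request is judged on its own merits:
the strength of the user's authentication, the posture of the device, and
whether one of the user's roles explicitly grants the action on the resource.
Role names, resource paths and device attributes are constructed for
illustration."""
from dataclasses import dataclass

# Assumption for the example: only these MFA methods count as phishing-
# resistant, matching OMB M-22-09's call for PIV or FIDO2/WebAuthn. SMS and
# app-generated one-time codes can be relayed by a phishing site.
PHISHING_RESISTANT_MFA = frozenset({"piv", "fido2"})


@dataclass(frozen=True)
class Principal:
    user: str
    roles: frozenset
    mfa_method: str      # "piv", "fido2", "totp", "sms" or "none"


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool        # enrolled in agency device management
    patched: bool        # inside the patch SLA
    edr_healthy: bool    # endpoint agent present and reporting


@dataclass(frozen=True)
class Request:
    principal: Principal
    device: Device
    action: str          # "read" or "write"
    resource: str        # e.g. "hr/payroll"


# Least privilege: role -> {resource prefix: allowed actions}. Constructed for
# the example. There is deliberately no "executive" role: seniority on its own
# grants nothing.
POLICY = {
    "hr-analyst": {"hr/": frozenset({"read"})},
    "hr-admin":   {"hr/": frozenset({"read", "write"})},
    "it-ops":     {"infra/": frozenset({"read", "write"})},
}


def evaluate(req: Request):
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    p, d = req.principal, req.device
    if p.mfa_method not in PHISHING_RESISTANT_MFA:
        return False, f"MFA method {p.mfa_method!r} is not phishing-resistant"
    if not (d.managed and d.patched and d.edr_healthy):
        return False, f"device {d.device_id} fails posture check"
    for role in sorted(p.roles):
        for prefix, actions in POLICY.get(role, {}).items():
            if req.resource.startswith(prefix) and req.action in actions:
                return True, f"role {role!r} permits {req.action} on {prefix}*"
    return False, "no assigned role grants this action on this resource"


if __name__ == "__main__":
    laptop = Device("LT-0001", managed=True, patched=True, edr_healthy=True)
    analyst = Principal("alice", frozenset({"hr-analyst"}), "piv")
    director = Principal("dana", frozenset({"executive"}), "fido2")
    for req in (
        Request(analyst, laptop, "read", "hr/payroll"),
        Request(analyst, laptop, "write", "hr/payroll"),
        Request(director, laptop, "read", "hr/payroll"),
    ):
        print(req.principal.user, req.action, req.resource, evaluate(req))
```

The order of the checks matters: authentication strength and device posture are evaluated before any role is consulted, so a user with the right role but an unpatched laptop, or one who signed in with an SMS code, is refused before the policy table is even read. The director in the sample is denied not because of anything about her but because no role assigned to her grants access to payroll data, which is the point the staff briefing has to land.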

To meet the OMB’s cybersecurity goals, every federal agency will need to develop a plan and budget that meets their organizational needs and keeps their staff satisfied, especially in our new hybrid workforce reality. A “one size fits all” plan will not work. That’s why agencies should seek resources and experienced consultants familiar with the government world and current technology to help make implementing zero trust a successful reality.
