Nearly 40 defense companies were impacted in SolarWinds breach
Thirty-seven defense industrial base companies were hit by the sweeping SolarWinds supply chain hack attributed to the Russian government.
The companies reported their impacts to the Department of Defense, which said it was not breached itself in the hack.
The announcement came in congressional testimony Tuesday as DOD is trying to secure its supply chain from hackers. Previously, suspected Chinese hackers were able to gather reams of data on sensitive defense programs by attacking the networks of contractors and subcontractors that handle sensitive information, which has proven to be the weakest point in the DOD’s supply chain.
“I believe we had 37 companies that reported [specifically] 44 different reports,” Rear Adm. William Chase, the deputy principal cyber advisor for the DOD, told the Senate Armed Services Cybersecurity Subcommittee. The hearing focused on DOD’s defense industrial base policy.
Under the Cybersecurity Maturity Model Certification (CMMC) program, the DOD is working to shift its contracting cybersecurity requirements from simple self-attestation to having third-party assessors inspect contractor networks to ensure they are complying with requirements. The program has five levels of cyber maturity, with level one only requiring simple security measures and level five involving advanced and more-expensive cybersecurity operations to ensure networks can withstand persistent attacks.
Chase said there is a chance a CMMC level five could have stopped the SolarWinds hack had they been in place, but the program is still in its infant stages.
“Neither the department nor the defense industrial base may never be able to completely secure industry’s networks and controlled information, but our goal must be to complicate and frustrate adversary planning and operations such that they cannot conduct them with impunity or at scale,” Chase added.