LAS VEGAS — When Bailey Bickley, chief of Defense Industrial Base defense at the NSA Cybersecurity Collaboration Center, took the stage at Black Hat, she shared a photo that stood in stark contrast to the polished glass-and-steel image of a typical defense contractor: a small, cluttered office with taxidermy on the walls.
A bison head, a deer head and almost the entire front half of a water buffalo could be seen in the picture of the small office, which looked nothing like a sleek Washington Beltway defense firm. Below the water buffalo was a triple-monitor setup with filing cabinets, a copy machine, chairs and plenty of pictures and figurines mounted across the workspace. No other computers could be seen.
“This is a real picture of one such DIB company. We went to visit their headquarters,” said Bickley.
“And this company produces custom radio frequency solutions for DOD to use in very austere locations across the globe. And I don’t know about for all of you, but when I went here, it was a surprise to me,” she added.
The company, which remained unnamed, manufactures great products, said Bickley, though its IT environment isn’t what she had in mind for a defense contractor. Therein lies the problem: Most DIB providers — 80%, in fact — are small businesses like the rustic, trophy-adorned workspace in the photo, she said. And their small setups are part of a growing battlespace that needs to be shielded from foreign adversaries.
Defense firms are attractive targets for nation-state hackers because they often hold sensitive technical data, intellectual property or access credentials linked to U.S. military and intelligence systems. Even smaller contractors can serve as entry points into the broader defense ecosystem, making them a key focus for espionage campaigns.
A large-scale phishing campaign publicly revealed in late March, for instance, targeted defense, aerospace and IT companies that support Ukraine’s military, likely seeking to harvest credentials and sensitive intelligence about its war against Russia, Nextgov/FCW previously reported.
“The DIB is no longer a handful of traditional defense contractors, but it now includes a lot of companies from nascent and emerging industries,” Bickley said on stage. Those can include AI providers, transportation companies or even foreign-owned utilities.
No DIB company is too insignificant to be targeted by nation-state hackers, who often exploit unpatched vulnerabilities, she said, calling out major Chinese state-backed hacking groups like Volt Typhoon and Salt Typhoon, which have breached critical infrastructure across the U.S. and the world.
“When we engage with small companies, they often think that what they do is not important enough to be targeted. But when you have the significant resources like that to conduct mass scanning and mass exploitation, there is no company and no target too small,” she said.
The talk also highlighted an ongoing partnership between the NSA and Horizon3, a penetration testing provider. Through the NSA cyber center’s Continuous Autonomous Penetration Testing program, the two provided automated testing tools to some 200 DIB providers.
They found over 50,000 vulnerabilities, and more than 70% of those were mitigated soon after, Bickley said. In one case, a penetration test took just five minutes to reach an internal file-sharing system holding over 3 million sensitive documents on nuclear submarines and aircraft carriers.
“But again, I would ask you to put yourself in the shoes of this company,” Bickley said, calling back to the office with animals mounted on its walls. “They’re not thinking about two-year-old vulnerabilities. They’re thinking about building the best antenna for DOD that money can buy.”
“And that is the value that we can add, from a National Security Agency perspective, from industry’s perspective — when we are able to share insights on what we’re seeing in the threat environment and flag things for these companies so they can stay on top of it,” she said.