Small Defense Industrial Base Firms Pose Tempting Targets for Nation-State Hackers, NSA Official Says
At the annual Black Hat conference in Las Vegas, Bailey Bickley, chief of Defense Industrial Base defense at the NSA Cybersecurity Collaboration Center, took to the stage to share a shocking revelation about the nation's defense industrial base. According to Bickley, over 80% of DIB providers are small businesses, often with limited IT resources and a lack of cybersecurity expertise.
Bickley shared a photo that starkly contrasted the polished image of a typical defense contractor with the reality of a small, cluttered office. The picture showed a bison head, a deer head, and almost the entire front-half of a water buffalo mounted on the walls, alongside a triple monitor setup with filing cabinets, a copy machine, chairs, and plenty of pictures and figurines. No other computers could be seen.
"This is a real picture of one such DIB company," Bickley said, "and this company produces custom radio frequency solutions for DOD to use in very austere locations across the globe." Despite the company's impressive products, its IT environment was far from what Bickley had expected. Therein lies the problem: small businesses like this one are attractive targets for nation-state hackers because they hold sensitive technical data, intellectual property, or access credentials linked to U.S. military and intelligence systems.
The defense sector is a growing battlespace that must be shielded from foreign adversaries. Nation-state hackers exploit unpatched vulnerabilities to gain a foothold in the broader defense ecosystem, which makes even the smallest contractors a key focus of espionage campaigns. A recent large-scale phishing campaign, revealed in late March, targeted defense, aerospace, and IT companies that support Ukraine's military, likely seeking to harvest credentials and sensitive intelligence about its war with Russia.
"The DIB is no longer a handful of traditional defense contractors, but it now includes a lot of companies from nascent and emerging industries," Bickley said. Those can include AI providers, transportation companies, or even foreign-owned utilities. No DIB company is too insignificant to be targeted by nation-state hackers, who often exploit unpatched vulnerabilities, she said, calling out major Chinese hacking collectives such as Volt Typhoon and Salt Typhoon that have breached large swaths of core infrastructure in the U.S. and around the world.
"When we engage with small companies, they often think that what they do is not important enough to be targeted," Bickley said. "But when you have the significant resources like that to conduct mass scanning and mass exploitation, there is no company and no target too small." Through an ongoing partnership between the NSA and Horizon3, a penetration testing vendor, automated testing tools were made available to more than 200 DIB companies, revealing over 50,000 vulnerabilities. More than 70% of those vulnerabilities were mitigated soon after.
In one case, a penetration test unearthed an internal file sharing system with over 3 million sensitive documents on nuclear submarines and aircraft carriers in just five minutes. "But again, I would ask you to put yourself in the shoes of this company," Bickley said, calling back to the office with animals mounted on its walls. "They're not thinking about two-year-old vulnerabilities. They're thinking about building the best antenna for DOD that money can buy."
"And that is the value that we can add, from a National Security Agency perspective, from industry's perspective — when we are able to share insights on what we're seeing in the threat environment and flag things for these companies so they can stay on top of it," Bickley said. By sharing knowledge and best practices, the NSA aims to help small DIB providers strengthen their cybersecurity and protect against nation-state threats.