8-10 pages
TA1 – Importance of Cybersecurity in the Defense Sector
Robert Antis
Terry Martin Brown
John Francis Hung Scott
Candy Anna Sigel
Jacqueline Ann Snyder
CSEC 670 Cybersecurity Capstone
Table of Contents
1. Introduction 3
Purpose 3
2. How the Defense Sector benefits from Cyberspace 4
Benefits 4
3. Defense Sector Vulnerabilities Due to its Dependency on Cyberspace 4
Vulnerabilities 5
4. Societal Importance 6
5 Laws and Regulations 7
6. Regulatory Agencies 8
7. Effectiveness of Cybersecurity Policy 9
8. Effectiveness of Cybersecurity Technology 13
9. Summary and Conclusion 16
10. Reference 17
1. Introduction
There is an increasing need in today's security environment for organizations to place a greater emphasis on cybersecurity threats. Private companies must increase cybersecurity to protect company secrets that keep them competitive in their industry and prevent liability with their clients. Governments on the other hand need the emphasis on cybersecurity to protect national security.
The defense sector is in a unique position in that it combines the needs of both the private sector and government agencies. Like other private companies, defense contractors like Hytema must be able to prove to their clients that they can protect the information that they are entrusted with. Unlike with most private companies, a breach with a defense contractor can divulge the nation’s most valuable secrets.
On top of this defense contractors must be able to protect the information of one client from another. This can be made especially difficult when one client controls the internet infrastructure that some of their facilities use. An example of this would be Boeing and how they build aircraft for both the United States military and the Chinese government. This situation requires that Boeing place a special emphasis on making sure that they are able to protect their systems not only from traditional threats like hackers and insiders but also from the authorities.
Because of the potential damage to national security that a breach in the defense sector can cause it is much easier for the government to regulate it. For most of the private sector instead of being told how to secure their systems the government focuses on telling them how they will be liable. This enables companies of differing sizes and success to be flexible in determining how to implement their security arrangements. For the defense sector the government is much more rigorous in telling them exactly how it expects them to protect their systems.
Purpose
The purpose of this paper is to look at the how the defense sector is affected by cybersecurity. It will begin by describing the importance that the defense sector plays in our society. It will also analyze how it benefits by placing a strong emphasis on cybersecurity along with looking at the vulnerabilities it must contend with. The paper will then give summaries of the various laws regulations that affect the industry along with the agencies that oversee it. The second half of the paper will look at how the policies set by the government affect the defense sector followed by an examination of important technology.
2. How the Defense Sector benefits from Cyberspace
The private defense sector also known as the arms industry, and the Department of Defense (DoD) federal government are intrinsically connected; both in a historical aspect, as well as since the cyber age began (Baker, 2014). It is a global business that manufactures weapons and provides military technology and equipment. It consists of commercial industry involved in the research, development, production, and the service of military material, equipment, and facilities. Such equipment provided by defense contractors is land-based weapons, small arms, aerospace systems, and naval systems. Today this list also includes cyber space services and systems of both an offensive and defensive cyber nature.
Benefits
With the DoD relying heavily on cyberspace to defend national security, as well as to gather intelligence and day to day operations, it has given the defense sector yet another avenue within which they can provide the government specialty services, of which they are unable to provide themselves (Baker, 2014). Providing cyber services continues to be a growing market that nets billions for defense contract companies annually (Burger, 2014). For one company alone, Booz Allen Hamilton, the cyber security division has a single contract that pays $5.6 billion dollars, over 5-years on a cyber-intelligence analysis project to protect networks in the Pentagon’s Defense Intelligence Agency (Baker, 2014). Not only has the government continued to have an ever increasing need for cyber specialists, they also have been unsuccessful at hiring/training their civilian/military workers in the field to the extent of expertise which they need (Burger, 2014). This has turned out to be a huge benefit to the defense sector, who invests heavily in successful personnel training/hiring in the cyber technologies field. With more and more calls for cuts to defense budgets over the last 10 years, many defense contractors were in the danger zone for physical equipment and facilities until they were able to successfully launch a cyber-division to cater to the growing need of capable cyber experts to protect, and work with various governmental agencies within the cyber realm, offsetting the cuts in defense spending in the physical one (Burger, 2014).
3. Defense Sector Vulnerabilities Due to its Dependency on Cyberspace
Also due to the intrinsic relationship between defense contractors and the DoD, all of the vulnerabilities that the DOD suffers from, apply to the defense sector as well as all the day to day dependencies on cyberspace for data storage, data processing, and communications applies to the defense contractors (Baker, 2014). Since it is the defense contractor that actually creates much of the technology that becomes classified once given to the government, it is only logical that any and all information that hackers can obtain from a defense contractor directly, would be as valuable as if they had gotten it from the government itself. Therefore defense contractors are as much of a target for multiple cyber aggressors as the federal government is (Baker, 2014).
Vulnerabilities
Defense contractors are the initial developers of the government’s new technologies; this makes them a highly desired target of other country/state hackers (Baker, 2014). In addition, since many technologies are actually put into production through various cycles of development, the defense contractor not only has the governmental technologies at hand, but many times actual governmental classified data as well (Baker, 2014). Through these development cycles and set ups, the networks of the defense contractor are many times connected into the government networks itself, adding additional risk to both the federal and defense contractor networks, and sharing vulnerabilities existent on each network individually (Baker, 2014). Depending on the level at which the defense contractor network is connected to the governmental network, security controls may be more or less stringent, forcing the defense contractor to adjust based on the federal mandated security levels for that classification of network (Baker, 2014). Due to the dogmatic nature of federal agencies, and their architectures, often defense contractors are forced to use technology that is considered outdated, to provide cyber solutions to federal DoD issues; this in itself is a vulnerability that the defense sector faces (Burger, 2014).
The defense sector like the federal government is global, with sites and locations throughout the world, including very remote areas such as the middle of the desert (Burger, 2014). This introduces challenges, as well as additional vulnerabilities into this sectors cyber equation. With some sites reliant on satellite and wireless systems in order to remain connected, implementing security, especially in what is considered enemy territory can be extremely challenging and opens the defense contractor up to increased vulnerabilities (Burger, 2014).
The largest risk for defense contractors is the same as for the federal government, the insider threat. This includes the actual insider who is collecting information with malignant intent or personal gain, such as Edward Snowden who was a defense contractor; as well as the careless defense contract worker who posts too much information on social websites, or allows a foreigner to probe too deeply with questions about their work while they are on vacation (Radcliffe, 1998). The human aspect of cyber security is always the weakest link, and this is one of the bigger issues within the defense sector as it is within all sectors (McConnell, 2014). The defense sector is just as vulnerable to the intentional or unintentional disclosure of classified or confidential information as all other sectors are, perhaps even more so since it harbors not only classified governmental information, but also large databanks of personally identifiable information on numerous people of interest to various groups (Radcliffe, 1998).
The DoD employs 3.1 million employees between its military and its civilian forces, however the private defense sector employs another 3 million people through direct jobs, and indirect employment such as working in local businesses supported by a defense contractors location in town (Carr, 2011). As one of the largest employment sectors in the world let alone the country, the defense sector has much societal importance in today’s cyberspace arena (Carr, 2011).
4. Societal Importance
The defense sector plays an often overlooked part in the economic stability of society as a whole. As a major employer in the U.S., when spending in the defense sector is cut, societal unemployment rates rise (Clarke, 2010). Within the last 10 years the cyberspace divisions within the defense sector has allowed for the absorption of many who otherwise would remain unemployed; however, with the cyber arena becoming more and more specialized, that absorption rate is rapidly decreasing as very specific cyber skill sets are being hand-picked over simple IT adequate bodies to fill a seat (McConnell, 2014).
The defense sector is the primary contributor to the national defense of the country which is vital in maintaining societal stability and security. Over 80% of the cyber technology staff that works for the DoD are defense contractors (McConnell, 2014). It is the defense sector who provides the technological solutions to many of the biggest security issues facing our government agencies today, and allows for some sense of security to be felt by the general populace (Clarke, 2010).
5. Laws and Regulations
As stated earlier laws and regulations require a much narrower focus for the defense sector than other sectors. The secrets that these companies maintain affect the security of the entire country and can get people killed if mishandled. The following list comprises the primary laws and regulations that these companies must follow.
Code of Business Ethics and Conduct
A written Code of Business Ethics and Conduct is required of companies conducting business with the Ministry of Defense. The code of ethics should prohibit the employees from accepting gifts of monetary value, cash, or services. It should also prohibit the usage of duties in order to gain preferential treatment.
Conflict of Interest
The Department of Defense requires contractor companies to report any personnel conflict of interest violations to the relevant contracting officer as soon as they are identified. This is done so as to avoid compromising the contractor’s activities.
Global Trade Compliance
The International Traffic in Arms Regulation (ITAR) requires companies to comply with local laws, meet trade security measures, and be conversant with complicated tariffs so that they can conduct business internationally. Procedures to screen potential conflicts should be set up on a task-by-task basis or on an annual basis.
Cybersecurity Regulations
The Defense Federal Acquisition Regulations System requires the implementation of adequate security measures that would protect technical information residing on or transiting through their information systems. Checking for vulnerabilities and employing measures that would prevent cyber security attacks are recommended.
Environment
Environmental Protection Agency (EPA) states that companies should employ all necessary measures to reduce or eliminate air, water, or chemical pollution. In the production of their products, security and defense companies should employ measures that encourage environmental conservation and easier recycling of their products.
Workers Compensation
The company should offer at least the federal minimum wage to employees for all hours worked and an additional overtime pay for extra hours worked as outlined in the National Labor Relations Board. Benefits such as life assurance, educational assistance, and a medical cover are offered to all employees. The employees should also benefit from sick leaves and holidays.
Consumer Rights
The Consumer Product Safety Commission requires that customers be offered accurate information concerning a company’s products. All measures should be put in place to protect the public from risks or injuries associated with the usage of the company’s products.
Employee Rights
The National Labor Relations Board requires interviews, short listings, and employment processes be done in a fair manner. Minority groups such as the disabled should not be discriminated against and should be offered equal chances to apply for employment positions. This is in accordance with the Equal Employment Opportunity Commission. Companies should not discriminate against sex, age, color, religion, race, disability status, or genetic information..
Fair Trade Practices
The Federal Trade Commission prohibits unfair acts and practices such as pricing and deceptive advertisements. The company is therefore required to engage in activities that are not considered as being unfair to both the consumer and other competing companies.
6. Regulatory Agencies
In order to ensure that the previous laws and regulations are followed there must be government agencies to oversee the defense sector. These agencies do more than just oversee the industry. They also work alongside companies to ensure that the rules are effective and share information. The following is a list of the agencies that the defense sector routinely deals with to maintain their cybersecurity.
Occupational Safety and Health Administration (OSHA)
It was created in 1970 by congress to ensure safe working conditions for both men and women through introducing guidelines and standards that would promote health and safety of workers.
Environmental Protection Agency (EPA)
It was created in 1970 and conducts environmental assessments, research, and education with regards to the environment. It provides compliance assistance to business sectors to prevent pollution and conserve the environment.
Federal Trade Commission
It was created in 1914 to prevent unfair competitive methods. It has three goals: The protection of the consumer from deception and unfair business practices, maintenance of healthy competition and prevention of anti-competitive business practices, and to enhance public understanding of informed choice.
Consumer Product Safety Commission
This agency protects the public from injury or death associated with consumption or usage of a company’s products. The risks may be in form of fire, electrical, mechanical, or chemical hazards.
Equal Employment Opportunity Commission
The agency is responsible for enforcing laws that ensure employees are not discriminated against due to race, sex, religion, color, age, disability, or genetic information.
National Labor Relations Board
It was created in 1935 and its mission is the protection of employees and employers rights and to oversee management practices of the private sector.
7. Effectiveness of Cybersecurity Policy
Because of the nature of their work, companies in the defense industry are constantly being targeted by malicious actors seeking to steal information. Those who attempt to infiltrate defense industry companies range from civilian to criminal hackers, insider threats, and state-funded actors, all with varying motivations to carry out the attack. Unfortunately, many attempts have ended with infiltrations that lead to millions of dollars in damage, stolen intellectual property, and questions about the integrity of the organization. In order to deal with the constant threats, good and effective cybersecurity policies need to be put in place.
Overall, cybersecurity policies within the defense industry have some uniformity across the board. As defense contractor organizations, their cybersecurity policies are shaped by the laws and regulations that Department of Defense (DoD) agencies follow. In order to be qualified for a defense contract, a company must follow the rules within Defense Acquisition Guidebook (DAG), which also cover information assurance (IA) requirements. DoD Instruction 8500.2 and DoD Directive 8500.01E, and others are the main documents that establishes IA policy within DoD agencies, and are important for defense acquisitions (DAG, 2012). While defense contractors work within the terms of a contract, the companies must follow the same policies the DoD agency does for government information systems (IS). Organizations are required to perform analysis, vulnerability & risk assessment, and countermeasures on the systems in accordance with the Statement of Work in the contract (DAG, 2012). This also applies to any supply chains and implementation of software on DoD systems from procurement to retirement of systems. In all of this, the companies do not control the guidelines and rules that are given in any one contract; the program manager (PM) does and seeks for compliance accordingly.
In addition, organizations that have servers within their enclaves that have DoD-related data must maintain the servers using the same regulations and policies as the agency does. This means that they can be subject to laws such as FISMA, Glass-Stegall Act, the Privacy Act, Economic Espionage Act, and many others that may apply. These systems must also meet the requirements under DoDD 8500.01E and DoDI 8500.2 as well. While being used under contract, the organization must have policies in place to secure, manage, and decommission them once the contract expires. In fact, since October 2013, the Pentagon has implemented new standards for defense contractors to tighten their cybersecurity policies related to critical technical data (Alexander, 2013). This ups the ante for companies to stay compliant with DoD policies and standards.
Since the defense sector does not operate in a monopoly or oligarchy, competition is quite healthy between organizations, each with their own policies that they control. That shows diversity in their operation, as one company’s corporate cybersecurity policies will be somewhat different, and more effective, from the others. Because of this, defense sector companies incorporate policies related to defense-in-depth, security clearance, and BCP that are at least on-par with DoD agencies.
Within defense-in-depth, there needs to be effective authentication, access controls, and need-to-know policies. Authentication matters greatly because it is supposed to provide assurance that individuals who access systems are the right ones, which includes non-repudiation. A policy that has in place at least two-factor authentication that have a combination of a tangible component, something the user knows, and some biometric data from the user. The organizations in the defense sector all have such a policy in place that involve elements like smart cards, proximity tokens, fingerprint or retinal scanning, PINs, or username/password. Access control policies work to ensure that employees will have access to systems that they need based on clear criteria. Given the nature of their work, a need-to-know is needed before anyone can access any systems, and having the ability to withdraw access quickly is essential. On this, the sector has good policies on this element, but some may vary on how quickly they terminate employee access under specific circumstances. This in itself is dangerous as it can allow estranged employees who are dismissed, or who will be, the necessary access to sabotage the organization. Therefore, there needs to be a policy to pull access as soon as possible to protect the organization and DoD agencies they were working with.
Tailoring to the policies of defense-in-depth is the implementation of the technology to make it happen. Companies like Northrop Grumman, Lockheed Martin, and Boeing produce their own cybersecurity products that they’ve developed for sale, but may use themselves. Surely, they may use other software and systems to secure their networks and data, but implementation may vary. The effectiveness of technology in cybersecurity will be covered in the next section.
One of the most important elements of cybersecurity policy in the defense sector includes having elements that cover security clearance. People with security clearance are of high importance to these organizations because it means they have been vetted as trustworthy to delve into classified government projects. An organization that has many employees with at least a secret security clearance has a slightly better chance in getting contracts for DoD projects. However, these individuals can also pose a significant risk if not watched and evaluated regularly. Having a security clearance also makes people targets for foreign national spies, terrorist groups, criminal syndicates, rival companies, and potential independent insider threats. There have been stories over the past few decades where some individuals have used their security clearance to take classified data for many reasons. From industrial espionage to releasing classified documents in protest to government policy, the incidents have been reported through the years. That is why, like the DoD does with soldiers and civilian workers, defense sector companies need policies in place that tie this clearance to employment. The reasoning is that behaviors that can cause someone to lose their security clearance (illicit activities, questionable foreign relationships, financial inconsistencies, etc.) can spell trouble for the organization too. Companies oftentimes have policies that do this, which either reassign employees from classified projects or even lead to the termination of employment.
Making sure that companies in the sector can continue their business in case of unforeseen events, business continuity planning (BCP) is a must. It is significant because those in the defense sector will need to be available at any time on outstanding, active contract for support. Also, any company in this sector cannot afford to have extended down time hindering business operations. Most companies in the defense sector are international companies, so they have several kinds of BCPs on file for numerous scenarios to cover their actions in an emergency worldwide. Smaller companies will have BCPs based on scenarios based within their particular region of the country. Companies will have alternative locations to continue operations, communication systems to contact employees and partners, and have access to all the data they need within these BCPs. Keeping these plans up to date is a must, so in addition to the policies that go into creating and executing them, there should be set policies in place to review, test, analyze, and revise every BCP at least yearly.
The defense sector not only shapes cybersecurity policy for itself, but also helps shape policy with educational and cross-sector partners, and the federal government. For example, Lockheed Martin created the NexGen Cyber Innovation and Technology Center (2014) to spur cyber research, for “customer and partner collaboration and innovation.” Boeing also created the Cyber Engagement Center (2014), which serves a similar purpose to Lockheed Martin’s NexGen center. Northrop Grumman established the Northrop Grumman Cybersecurity Research Consortium (2012) in 2009 to enhance their capabilities in the field with research partners at universities. These companies, including others like Raytheon and SAIC, also donate money to universities that have cybersecurity programs and give scholarships to students in related technology fields. They also contribute knowledge to NIST, DHS, and work with Congress, the DoD, and other agencies to contribute to the shaping of state and national cybersecurity policy. Actions like these help improve the country’s cybersecurity posture, as well as help continuously improve their own.
8. Effectiveness of Cybersecurity Technology
The previous section discussed the importance and effectiveness of well-defined cybersecurity policies within the defense sector. Equally as important to cybersecurity is the technological side. As cyberattacks become more sophisticated and automated, cyber defenses must also adapt to meet new types of attack vectors. However the sheer volumes of attacks make it nearly impossible to adequately defend without the assistance of automated tools. Continuous and automated performance monitoring is an example of an evolving technological area as more organizations within the defense sector are procuring security intelligent tools that provide real-time status of their cybersecurity. Another example is automated identification and analysis of users on the network. Organizations within the defense sector know that a trusted insider threat is as dangerous, if not more, than an external one. Thus organizations are investing heavily in technology that can improve the identification and authorization of user access via automated tools for base-lining and tracking user attributes and network activity. Lastly, breaches in the defense sector have been damaging that the General Services Administration (GSA) mandated all contractors and subcontractors that provide IT services to the federal government must submit a cybersecurity plan that at least adheres to government regulations and standards (Peterson, 2013).
Cybersecurity and its issues are complicated and technology is not a silver bullet. This may seem like a strange notion to some people. After all, cyberspace was created out of technological advances. Why can’t technology also be the savior? The short answer is organizations have to traverse and manage multiple factors within their business ecosystem. Technology and policies are just two factors that impact cybersecurity. While outside the scope of this paper, there are also geo-political, regulatory, legal, social-cultural, economic, and even environmental factors that all put different types of pressures on an organization. Those examples are just some of the external pressures.
Internally, organizations have to deal with cybersecurity gaps in awareness, technology, implementation, risk assessments and leadership. It’s important to keep this in mind while reading this section. In other words, it’s possible to have effective technological solutions, but they won’t help if they aren’t properly implemented or adopted without the other internal factors firing on all cylinders. Likewise, the best organizational cybersecurity policies won’t matter if an organization does not invest in technology. This concept highlights the challenge of measuring just one piece of the puzzle without taking a holistic look at all the factors. In other words, it’s difficult to ascertain the effectiveness of technology alone and be able to make determination if a breakdown is a technological failure. It could be and also failures in other areas.
It’s also well known that organizations don’t readily make breaches public fear that they will lose customers. The actual breach of the data is likely worse than what is collected. As a result, this is the second challenge to measuring technological effectiveness within the defense sector. Unfortunately the solution is to make a best guess. Any other answer that claims to accurately portraying technological effectiveness is likely not looking at all the pieces.
I’ll start with what is known. It’s known that the defense sector is under constant attack from all types of cyber criminals. Their goal may be revenge for policies against the hacker community, stealing sensitive documents, or stealing technological secrets. Regardless, the number of successful breaches made public suggests that there are serious gaps in cybersecurity despite government mandates and technological solutions:
Perhaps the most famous defense contractor breach was the RSA SecurID system compromise allowed hackers to gain access to a number of defense contractors such as Lockheed Martin, Northrop Grumman and L-3 Communications (n. a., 2011). The depth of the damage from the compromise is not clearly known however it is assumed that a large amount of sensitive data across the sector was exposed. This was a clear case of the damage that can occur then the technology that is supposed to protect you is compromised.
The RSA incident isn’t isolated. The list below illustrates other major breaches in the defense sector:
· Northrop Grumman systems were breached between 2012 and 2013. Identification data such as names, blood types, SSNs, and other government issued identification was stolen (Greenberg, 2013).
· In 2011 an executive at Vanguard Defense Industries, Richard Garcia, was hacked. 1 GB of data was stolen in the form of schematics, plans, and counter-terrorism documents classified at the sensitive and For Official Use Only level (Kirk, 2011).
· Throughout 2007 all the way until 2013, research data on secret satellite drones and software used by Special Forces was stolen from QinetiQ (Peterson, 2013).
· Terabytes of technical secrets were stolen from the Pentagon’s $300 Billion F-35 Joint Fighter project going as far back as 2007 (Gorman, 2009). Cybercriminals exploited network vulnerabilities at several defense contractors working on the project. Lockheed Martin was the lead contractor and Northrop Grumman and BAE systems also have major contributions to the project.
· The hacker group Anonymous breached defense contractor ManTech and allegedly stole 8 GB worth of sensitive documents in 2011 (Messmer, 2011).
· Bit9, a company that provides software and network security services to the federal government was breached and one of their private digital certificates were stolen and used to sign and distribute malicious software (Krebs, 2012)
Given that the above list is only the recent major breaches that have been made public, it’s fair to say that breaches within the defense sector are rampant. Defense technology secrets will always be a target that will make defense contractors and federal defense agencies high value targets for cybercriminals.
While technology may have been effective in stopping countless attacks, just one breach can expose a wealth of information. This is main justification to say that technology has not been effective in stopping cyberattacks in the defense sector. Granted, while cybersecurity technological tools have stopped and discouraged many attackers, one cannot defend that technology has been effective overall. From another perspective, Lockheed Martin was mentioned several times in the above list. They are the largest defense contractor in the world and they have been breached on numerous occasions. It’s likely that Lockheed Martin has some of the best technological cybersecurity tools in the private sector given that they are a billion dollar company. It says a lot when it’s possible to breach Lockheed Martin.
What is even more demoralizing is even when technology is effective it’s possible that there is a weakness in another area that makes it possible to go around a technological defense. Cybersecurity is no different than other defense concepts when it is said that a defense is only as strong as the weakest link. Again, this is why technology is equally as important as the policies and regulations discussed in the previous section are. Strength in those two components of cybersecurity won’t guarantee 100% security however it will make attacks more challenging to be successful.
9. Summary and Conclusion
As this paper has demonstrated the defense sector faces unique challenges to cybersecurity. The importance of defense companies is two-fold; economic and national security. Like many private companies the success of defense companies will help the nation’s economy, while a breach could harm it. But at a much more important level these companies can carry the security of the nation on their shoulders.
By taking a much more active role in defining the security requirements of the defense sector the government is better able to prevent damage to national security. The government uses the state law, regulations, and policies to work alongside the defense companies to ensure that their systems are not breached and if they are the damage in minimized.
Reference
Alexander, D. (2013, November 19). Pentagon tightens cybersecurity rules for defense contractors. Retrieved March 11, 2014, from http://www.reuters.com/article/2013/11/19/us-usa-defense-cyber-idUSBRE9AI17O20131119
Baker, General. DAA of U.S. Central Command (2014, January 28). Interview by C Sigel [Personal Interview]. Cyber Security: The direction of the Department of Defense.
Boeing: Cyber Engagement Center. (2012). Retrieved March 10, 2014, from http://www.boeing.com/boeing/defense-space/cyber_solutions/cec/index.page
Bureau of Consumer Protection. (n.d.). Federal Trade Commission. Retrieved March 13, 2014, from http://www.ftc.gov/about-ftc/bureaus-offices/bureau-consumer-protection
Burger, Colonel. Departmental Head of U.S. Central Command J6 (IS and IA) division. (2014, January 28). Interview by C Sigel [Personal Interview]. U.S. Central Command: Development of the Joint Cyber Command.
Carr, J. (2011). Inside cyber warfare: Mapping the cyber underworld. Sabastopol: OReilly.
Clarke, R.A. (2010). Cyber war: the next threat to national security and what to do about it. New York, NY: Ecco.
Defense Acquisition University (2013). Defense Acquisitions Guidebook. Retrieved on March 10, 2014 from https://acc.dau.mil/docs/dag_pdf/dag_complete.pdf
Dodd-Frank Wall Street Reform 325 in the last year. (n.d.). Federal Register. Retrieved March 13, 2014, from https://www.federalregister.gov/defense-federal-acquisition-regulation- HYPERLINK "https://www.federalregister.gov/defense-federal-acquisition-regulation-supplement-dfars-" supplement-dfars-
"Federal Trade Commission | Protecting America's Consumers." Federal Trade Commission | Protecting America's Consumers. N.p., n.d. Web. 10 Mar. 2014. Retrieved from http://www.ftc.gov/
Greenberg, A., (2013). U.S. defense contractor sustains data breach. www.scmagazine.com. Retrieved from http://www.scmagazine.com/us-defense-contractor-sustains-data-breach/article/307498/
Gorman, S., (2009). Computer spies breach fighter-jet project. The Wall Street Journal online. Retrieved from http://online.wsj.com/news/articles/SB124027491029837401
International Traffic In Arms Regulations. (n.d.). - PART 121-THE UNITED STATES MUNITIONS LIST. Retrieved March 13, 2014, from http://www.fas.org/spp/starwars/offdocs/itar/p121.htm
Kirk, J., (2011). Can it really work? Anonymous breaches another us defense contractor. www.computerworld.com. Retrieved from http://www.computerworld.com/s/article/9219319/Anonymous_breaches_another_US_defense_contractor
Krebs, B., (2012). Bit9 breach began in July 2012. Krebsonsecurity.com. Retrieved from http://krebsonsecurity.com/tag/bit9-breach/
McConnell, M. Booz Allen Hamilton: Director of Cyber Initiatives (2014, February 12). Interview by C Sigel [Personal Interview]. The issues with cyber security in the federal landscape.
Messmer, E., (2011). Anonymous claims to have breached mantech international’s network. www.networkworld.com Retrieved from http://www.networkworld.com/news/2011/072911-anonymous-mantech.html
n.a., (2011). Northrop Grumman, l-3 communications hit in cyber-attack via rsa securid tokens. Channel Insider. Retrieved from Business Source Complete Database.
NexGen Cyber Innovation & Technology Center · Lockheed Martin. (2014). Retrieved March 12, 2014, from http://www.lockheedmartin.com/us/isgs/nexgen.html
"NLRB.gov." National Labor Relations Act. N.p., n.d. Web. Retrieved on 9 Mar. 2014 from http://www.nlrb.gov/resources/national-labor-relations-act
Northrop Grumman (2012). Northrop Grumman Cybersecurity Research Consortium. Retrieved March 10, 2014 from http://www.northropgrumman.com/Capabilities/Cybersecurity/Documents/Literature/NGCRC_datasht.pdf
"Occupational Safety and Health Administration - Home." Occupational Safety and Health Administration - Home. N.p., n.d. Web. 11 Mar. 2014. Retrieved from https://www.osha.gov/
"Overview." About the EEOC:. N.p., n.d. Web. 11 Mar. 2014. Retrieved from http://www.eeoc.gov/eeoc/
Peterson, A., (2013). The U.S. outsources cybersecurity & defense to contractors that keep getting hacked. www.thinkprogress.org. Retrieved from http://thinkprogress.org/security/2013/05/03/1958871/contractors-outsource- HYPERLINK "http://thinkprogress.org/security/2013/05/03/1958871/contractors-outsource-cybersecurity-" cybersecurity-hacked/#
Radcliff, D. (1998). The danger within. Computers & Applied Sciences Complete, 20(16), Retrieved from http://proquest.umi.com/pqdweb?did=2259614071&Fmt=3&VInst=PROD&VType=PQD& RQT=309&Vname=PQD&
"Regulations, Laws & Standards." U.S. Consumer Product Safety Commission. N.p., (n.d.). Web. Retrieved on 12 Mar. 2014 from http://www.cpsc.gov/en/Regulations-Laws--Standards/.
"US Environmental Protection Agency." EPA. Environmental Protection Agency, (n.d.). Web. Retrieved on 9 Mar. 2014 from http://www.epa.gov/.
1