Lessons from the defense industry: advice from General Dynamics.
General Dynamics executive Thomas Kirchmaier offered a defense industry perspective on lessons automobile manufacturers might apply in their own sector. He began with an overview of General Dynamics' businesses. Cybersecurity is fundamental, he said, to their enterprise and their products, and has been for some time.
Offering some historical perspective, Kirchmaier noted that information security—infosec—was the precursor to cybersecurity. "It largely worked, until everything got connected." Yet, he argued, fundamental infosec principles remain applicable. He's seen two shifts in his own industry that affect the way those principles are applied: digitization and increasingly networked systems. This transformation has made weapons more precise, and thus both more lethal and more discriminating.
The automotive industry has seen similar shifts. But there are differences. The modern defense industry was born in the Cold War, and security consciousness "is in its DNA." "We must defend our business and our intellectual property," Kirchmaier said. Even unclassified enterprise systems contain valuable information that attackers pursue aggressively. General Dynamics, he said, faces more than two billion targeted attacks annually. The company has more than ninety-five thousand endpoints and four hundred ten network sites worldwide. "We haven't built a monolithic, centralized cybersecurity system." Instead, they've opted for a foundation of principles and standards, "hand-in-hand with strong, uncompromising executive responsibility for security in the business units."
Finally, there's a strong culture of intelligence and information sharing. He took two General Dynamics products—the Littoral Combat Ship and the M1A2 main battle tank—as examples. The common protection principles involve secure platform architecture. The M1 is air-gapped, with a human-in-the-loop at crucial points—including all of those involving weapons delivery. The Littoral Combat Ship achieves this secure platform architecture by using enclaves.
General Dynamics is fully committed to information sharing within the Defense Industrial Base, and that sharing among competitors, Kirchmaier thought, provides a useful example for the automotive industry.
He concluded by observing that, to a business, cyber risk is an existential risk. Security should be aligned not only with enterprise goals, but with products.