You may have seen: China’s been hacking Navy contractors for 18 months, new report reveals, which among other things says:
…
“It’s extremely hard for the Defense Department to secure its own systems,” Bossert said. “It’s a matter of trust and hope to secure the systems of their contractors and subcontractors.” Subcontractors of all branches are frequently attacked by hackers due to inadequate cybersecurity measures. Officials say subcontractors are not being held accountable for those inadequacies.
…
Sadly, that article and the WSJ report it summarizes, Chinese Hackers Breach U.S. Navy Contractors, fail to provide any actionable details, like which Navy subcontractors?
If you knew which subcontractors, you could target advertising of your services to strengthen their defenses or not be outdone by alleged Chinese hackers. I say “alleged Chinese hackers” because attribution of hacking seems to follow a “villain of the week” pattern. Last year it was super-human North Koreans, or was that the year before? Then it has been the Russians and Chinese off and on. Now it’s the Chinese again.
To correct the lack of actionable data in those reports, I have a somewhat dated (2014) RAND report, Findings from Existing Data on the Department of Defense Industrial Base by Nancy Young Moore, Clifford A. Grammich, Judith D. Mele, that gives you several starting places for finding government subcontractors.
I need to extract the specific resources they list and update/supplement them with others, but for weekend reading you could do far worse.
Think of this as one example of weaponizing public data. There are others. If gathered in book form, would you be interested?