Cyber Security Priorities
in Defense Industrial Base Companies

This bar plot shows the spending in each year in this hypersonic missile development contract. The color indicates the different project title in this contract.

Over 500 million dollars were spent in the first year of this contract, which consumed most obligated amount in this program. And in the following years, the expenses are drastically decrease to around 50 million dollars. The declination is exponential. Most of the expenditure was under the AMS: ADV PROGRAMSand HYPERSONIC AIR BREAT.

To put it short, in 2016, most of the spending was assigned under the AMS: ADV PROGRAMS and HYPERSONIC AIR BREAT. Subcontractors in these years or under these 2 projects are more prone to get cyber attack.

Figure 1. Subcontracts amount by projects in each year
(You can filter by pressing the legend labels)

This scatter plot provides many information for us. Each bubble indicates a subcontractor with the bubble size showing the number of contracts. The color classifies the projects. The y-axis is the number of different kinds of service or products provided from the subcontractor and the x-axis is the average amount per contract(logarithm).

Most of the bubbles stick close to the bottom, which means most of the contracts only provide one product/service(Many of them are Cost plus fixed fee). Interestingly, in HYPERSONIC AIR BREAT project, many subcontractors were assigned to provide several kinds of products or services(like fuselage, molded rubber, O Ring...). The bubble size is also larger than others, meaning the number of the contracts are larger.

Based on the contracts descriptions and our findings from the scatter plot, we can infer that project HYPERSONIC AIR BREAT may involve components manufacturing while most of the research works were done in the project AMS: ADV PROGRAMS.

Figure 2. Companies' products/services in different projects
(You can filter by pressing the legend labels)

The first pie chart shows the importance of subcontractors in this missile development program based solely on the spending. The most important subcontractor is Alliant Techsystems Operations LLC. It took up 85.1% of the total obligated amount in this program. The second is the Orbital Sciences who took up around 2.61% of the total obligated amount. Basically, we can infer that Alliant Techsystems Operations LLC was responsible for the research and the technical part since it was assigned most of the spending.

Thus Alliant Techsystems Operations LLC is obviously an critical target for cyber attack and we should pay more attention on this company.

Figure 3. Subaward amount ratio by companies

The second pie chart displays the importance of subcontracts type based on the ratio of amount. From the chart, it is easy to find that the most money-consuming contract is the Cost Plus Fixed Fee. This a very general description since we don't know what exactly the company provided from this description.

That may be due to the confidentiality but still I believe when a subcontractor is assigned to provide products or services under Cost Plus Fixed Fee, we should consider it as a target of cyber attacks, at least in this case.

Figure 4. Subaward amount ratio by contract descriptions

An advanced weapon usually needs countless components to make up. Solely based on the contract amount is not enough to identify cyber security priorities and we need to know the service and products they provided.

In this network, a red dot represents a product/service and a blue dot represents a subcontractor. The size of the dot indicates the amount in this program. The connection means that company is assigned to provide or manufacture. All these rules constitute this network.

Some of the products/service are only provided by one subcontractor(e.g. only Bae Systems Information and Electronic Systems Integration provides GPS Receivers, only Diversified Technical Systems provides AC-DC Adapter, Microprocessors, Backshells...).

These companies can be seen as critical in cyber security since once they are under attack, the products/services they provide will be affected a lot to the whole process and supply chain.

Figure 5. Network of the products/service and companies
(This network is interactive.)