In Germany (as well as Austria), there is a type of company referred to as the “Mittelstand”. Generally speaking, these are small- to medium-sized companies, non-public and typically family-owned, providing technical expertise (if not excellence) in a specific niche, usually manufacturing or engineering oriented. Although small, such organizations have outsized influence on much larger organizations by providing critical technical capability in very specific areas such as tool and die work, specialty manufacturing, machine tool production, and related areas. While the word originates in the German world, the concept extends to other regions, such as the cluster of small suppliers and engineering firms in Southeast Michigan supporting major auto manufacturers or the specialty machine shops and fabricators near Wichita, Kansas or Seattle providing vital inputs to the aerospace industry. Essentially, while we focus on global, “word-beating” firms such as Ford, Boeing, Siemens, BMW, etc. as pinnacles of manufacturing, their operations are only possible through the support of relatively small, specialist suppliers in the global Mittelstand.
Based on this relationship, with Mittelstand companies providing vital services and capabilities to far larger organizations, there is also a significant transfer of intellectual property and expertise to these smaller entities. Specifications critical to the production of automotive parts, jet engines, precision manufacturing, or other fields may reside in the networks of their ultimate consumer (the large manufacturer), but also increasingly exist in the CNC machines, additive manufacturing equipment, and CAD/CAM systems within the Mittelstand. As a result, the attack surface for the ultimate recipient of the finished, integrated product extends to the vendors and suppliers that produce components fed into the process.
Pivoting in focus, intellectual property theft – especially within “strategic” industries such as aerospace, automotive, or specialist manufacturing – remains a serious and persistent problem globally. Especially in circumstances where there are developing or otherwise lagging entities in terms of commercial technologies which nonetheless possess the capabilities (and lack of scruples) to steal from more advanced countries or companies, such activity is to be expected and difficult to deter. Yet at least when discussing large, multinational entities, they are at least expected (if only out of own self-interest) to possess and resource cybersecurity teams capable of defending their networks and detecting malicious activity. They might not always be successful, but the capability exists and such entities can “foot the bill” to ensure it remains over time.
Yet in the modern environment with its extended supply chain, covering not just other major firms but the various entities of the Mittelstand, intellectual property theft itself also expands in scope. While breaking into and stealing information of interest from the networks of major multinational corporations may no longer be as easy as it was 10 years ago, gathering up information on the inputs to that company’s final product from small businesses with few (if any) dedicated security resources is rather trivial. Furthermore, while obtaining such information from workstations may be relatively easy due to lack of defense and monitoring, gathering such data from production equipment (those same CNC and CAD/CAM machines) represents an even harder-to-detect concern. While stealing the complete plans for a new aircraft engine or automotive transmission may be increasingly difficult, capturing the prerequisites or design work leading to the final assembly and production of such equipment may be surprisingly (and alarmingly) easy.
In this model of production and design, organizations have correctly taken advantage of diverse supply chains and centers of expertise to add increasing efficiencies and cost-savings to product development and manufacturing. Yet in doing so, large organizations – which may at this stage represent glorified integration firms of disparate intellectual property – outsource their risk to entities that are ill-suited to respond to the potential threats facing stores of strategically-important knowledge. In the course of outsourcing expertise and capability, larger entities have also outsourced risk to vital centers of value to the organization while doing little (if anything) to secure them.
Although for a different purpose, adversaries have already caught on to contractor dependencies as a method of simplifying or increasing the effectiveness of operations. One need only look to the recent pattern of US electric utility intrusions, facilitated through vendor and contractor breaches, to see the benefits from an adversary’s perspective. Essentially, these smaller organizations – which nonetheless remain critically embedded in strategically-significant operations – become the initial footholds for follow-on intrusions into far larger targets. Yet in the case of intellectual property theft, such small organizations within the Mittelstand move from being mere means to an end (compromise of a larger organization) to ends in themselves (sources of valuable information that otherwise feeds into larger entities). In this aspect, adversary targeting and operations shift in that the Mittelstand targets become final objectives in intrusions. Worrisome in this instance is that small manufacturing, engineering, design, and testing organizations simply lack the scale to even run dedicated IT departments in many instances, let alone robust security teams – thus facilitating attacker actions as they hunt in a uniquely permissive but also valuable environment.
As a result of the above, we face a conundrum: focal points of value reside in organizations that, organically, are incapable of creating a robust defensive posture to protect such value. The cost of this disconnect, while reflecting on the victims in the Mittelstand, is ultimately (if indirectly) shouldered by the larger organizations these companies support and the societies they exist in, as trade secrets and industrial know-how are transferred to lower-cost competitors. In many respects, we are witnessing a classic market failure due to the division of labor, effort, and ownership at play: large organizations contract out work to economize on cost and take advantage of expertise, but in doing so they fail to incorporate the risk created in such outsourcing that the smaller entities will be unable to protect valuable information either developed or transferred as part of such a relationship. The result might be much hand-wringing and frustration, but such reactions do little to actually resolve the problem.
The issue at play can be distilled to the following: small businesses perform strategically vital work (whether from a national or business perspective), yet lack the organic resources to adequately secure this work from those who would happily steal the fruits of such labor. Although this view is currently not considered by many organizations residing in the Mittelstand, presumably larger companies are paying attention – and at some level, decision-makers would like to see this disconnect resolved.
Thus, a potential exists to wring competitive and comparative advantage from the situation. In even thinking about the concept of a Mittelstand, various factors enabling its existence come into focus: availability of robust, quality technical education; a flexible and available labor force; and a robust market for intermediate players to supply know-how to larger organizations. Hence such clusters of activity in centers of higher-end manufacturing in Germany, the United States, and elsewhere for such entities. But what if we were to add a new, modern factor to those ingredients favoring the growth and flourishing of the Mittelstand: support and assistance to ensure network and information security. The idea may seem radical on its face, yet considering that networked operations and communications are a basic fundamental of modern operations and business, I would argue this perspective is actually rather anodyne.
Essentially, many a development-oriented and business-friendly planner would view good schools and infrastructure as necessary inputs to a successful environment for Mittelstand companies. In adopting this view while adjusting for the requirements and necessities of modern business, adding in secure information technology environments would seem a fairly obvious addition – yet these organizations by virtue of size and revenue are unable to take actions such as hiring a dedicated security staff, purchasing the latest security products, or subscribing to the most relevant threat intelligence feeds. So from the perspective of trying to grow and nurture such environments, just as governments or larger organizations would fund technical education or pay for transportation infrastructure, why not extend this model to include subsidized or collective cyber defense?
Basically what I suggest here is a herd immunity approach in the face of persistent, dedicated efforts to breach and plunder the Mittelstand. Where such organizations cannot achieve reasonable security independently and organically, other entities (specifically those benefiting from their work) should step in to either subsidize or build out such capabilities if only out of enlightened self-interest. Essentially – larger (and more financially-secure) entities provide security assistance or guarantees to contracted entities to secure the intellectual property and other items associated with these critical Mittelstand entities. In this fashion, vital information and processes are better secured to the benefit of the Mittelstand but also the far larger entities benefitting from their efforts. More to the point, the extended attack surface of larger organizations and their hosting societies will shift from an unprotected, largely unmonitored space in which adversaries have a free hand, to a collectively defended arena that recognizes the risk to multiple entities such breaches enable.
On a broader level, such support can shift from merely natural self-preservation to developing a competitive advantage vis a vis other entities. For example, if Bavaria, Michigan, or Siemens were to build out a program providing cyber security assistance to critical vendors and suppliers, these entities will carve out a benefit to such firms that is self-reinforcing and mutually-beneficial: in exchange for greater cooperation and subsidized (or shared) security operations, smaller entities will be better able to protect themselves against persistent threats while larger organizations can rest easier that relevant intellectual property is secured. Essentially, a grand bargain can be reached – either geographically or through business-specific links – where mutual assistance and support enables smaller entities to more effectively operate and compete within advanced industrial sectors. From a competitive standpoint, organizations or regions not offering such support will be left behind as firms desiring to protect both vital information and their own competitive advantage migrate or favor those areas helping to secure such items.
Thus, in an environment that features industrial incentives like tax abatements and zoning laxity, we can add a new (and in my opinion, more significant) benefit to attract and retain organizations to an area or an organization: mutual cyber defense cooperation to secure vital information and other items of value. In this sense, rather than dumping millions of dollars/euros/pounds in landscaping or tax credits, municipalities (or larger organizations) can instead offer the possibility of federated, subsidized cyber defense as an incentive for organizations to locate themselves and do business within a certain area. Through this collective effort, a currently unmitigated externality of extended supply chains is at least partially resolved, and overall defense and preservation of strategically-significant information, technology, and industrial know-how achieved.