L3Harris announced recently that they are acquiring Viasat’s Link 16 business for $1.96 billion. This announcement, coming on the heels of the recent Viasat hack in Ukraine, gave me an excuse to dig deeper into the role that Cybersecurity plays in the Mergers and Acquisitions (M&A) process.
Historically, the M&A process has focused on legal and financial due diligence, ensuring that the product that was being acquired was not in breach of any laws and that the financial information provide was accurate. These days however, it is becoming increasingly common to also perform Cyber due diligence in order to assess the current state of a products cyber security posture.
There are multiple elements that can complicate assessing the current state of a products cyber posture. The following is a high level introduction to some of the main concerns a security researcher might have when completing a security assessment.
Incomplete Information
Lack of cyber security artifacts such as logs, documentation, and evidence of past intrusions can make it difficult to properly assess the security posture of a product. Investigators may have to work with incomplete information when making their assessment which can lead to incorrect assumptions. This is particularly important to emphasize when you know that a system has been attacked in the past, as the attackers may have left backdoors in the system that you are now acquiring.
Accountability
There is often a lack of accountability during the transition period. It can be difficult to ascertain who is responsible for the security of each part of the product, especially in organizations as big as Viasat. Likely, multiple teams have contributed in various ways to a products security and the responsibility handoff during the transition just muddies the water further. This add an additional level of challenge to the security researchers task while also adding a substantial delay to the assessment.
Historical Information
Investigators will complete tech assessments and penetration tests of the product, but that will only assess the current state of the system. Investigators typically lack knowledge of the historical state of the system where any intrusions likely occurred. This can allow past vulnerabilities to slip through unnoticed and unpatched by the acquiring organization.
Integration
There is added risk to both companies during the integration process. Adversaries who are aware of the transition can take advantage of the possible open networks and integration activities to establish a foothold in the system. There is also an immediate increase in complexity of the product if it is integrated into a new system which will be difficult to properly lock down initially.
Human Element
The Human element of a transition also increases the risk of cyber security incidents. The confusion of the integration process opens up the very real possibility of phishing attempts on both involved companies. There is also an increase in insider threat behavior as the company being acquired may be laying off employees as a result of the M&A. These disgruntled employees are much easier for adversaries to manipulate.
What does this mean for L3Harris
Given Viasat’s recent high profile hack, L3Harris should double down on their Cybersecurity due diligence during this M&A process with a particular focus on the historic state of the system in order to flush out any potential footholds that the previous threat actors may have left behind. Depending on the quality of the logging and documentation that is provided, this task may be quite challenging. As L3Harris intends to continue to use this new product in Government related assets, this task is particularly important to get right.
Original article: https://spacenews.com/viasat-sells-tactical-data-communications-business-to-l3harris-for-1-96-billion/