Vulnerabilities and Social Engineering in Acquisition Scenarios

Abstract

As our adversaries look to weaken the United States, a constant barrage of social engineering attacks are hitting both the Defense Industrial Base and the Government at record numbers. Constantly, our adversaries are looking for weaknesses within our acquisition system to collect information, conduct fraud, or steal U.S. Government funded intellectual property. The report entitled “Vulnerabilities and Social Engineering in Acquisition Scenarios” is a follow-up effort to the paper presented by MITRE at the NPS Acquisition Research Symposium in May 2023, “Social Engineering Impacts on Government Acquisition.” We have developed hypothetical scenarios based on open-source reporting where our government acquisition community is uniquely vulnerable and susceptible to attacks. Each scenario aligns to a different part of the acquisition lifecycle and addresses various social engineering attack and compromise types. These scenarios highlight different government agencies and various acquisition positions (e.g., contracting officer, program staff, technical members of source selection panels, contracting specialists, etc.) to demonstrate how different mission sets and roles can all be affected by acquisition exploitation. We discuss the impact of each vulnerability attack, whether that be economic espionage or exposure of CUI. Finally, each scenario includes recommendations that can be used to help mitigate the risk, decrease the attack surface, or repel a future attack.