The Department of the Navy this week released a scathing assessment of the service’s approach to cybersecurity, lamenting that hackers have been relatively unimpeded in their years-long plundering of data from the department and its contractors.
“Competitors and potential adversaries have exploited DON [Department of Navy] information systems, penetrated its defenses, and stolen massive amounts of national security” intellectual property, says the “cybersecurity readiness review” released by Richard Spencer, the secretary of the Navy.
The Navy failed to account for the fact that defense companies it contracts with would be aggressively targeted by foreign hackers for their valuable data, according to the audit.
“Despite our adversaries’ clear statements of intent, the DON did not anticipate this attack vector,” the report says. The reactive system of self-reporting of breaches and supplier vulnerabilities has “demonstrably failed,” concludes the study, which was released after The Wall Street Journal reported on it this week.
‘Not a new concept’
To longtime observers of the Navy’s cybersecurity practices, this week’s review will feel like déjà-vu.
A 2013 breach by suspected Iranian hackers of the unclassified portion of the Navy Marine Corps Intranet triggered a major overhaul of the Navy’s cybersecurity posture. The breach required a multi-month effort to evict the hackers from the Navy’s internal computer network.
In March 2015, Vice Adm. Jan. Tighe, then the commander of the Navy’s U.S. Fleet Cyber Command, indicated that the operation would be a catalyst for changing how the Navy approaches cybersecurity. The experience, Tighe told Congress, “served as a learning opportunity that has both matured the way we operate and defend our networks and simultaneously highlighted gaps both in [our] cybersecurity posture and in our defensive operational capabilities.”
The apparent lack of meaningful progress in the years since was not lost on the authors of the newly published Navy report.
“Recognizing the need to institute a cybersecurity culture within the DON is not a new concept, however the ‘getting it done’ has been the problem,” they wrote.
Tony Cole, a cybersecurity executive who has advised defense contractors, said that the Navy, like every large enterprise, needs to learn from past successful cyberattacks.
“Endpoint numbers continue to grow at a blistering pace and future sailors and soldiers will be armed with numerous IP addressable wearables,” Cole, CTO of cybersecurity company Attivo Networks, told CyberScoop. “The key to winning this game is detection in conjunction with preventative measures when adversaries attempt to steal, destroy, or modify the data. Doing the same thing over and over won’t win the game.”
The report makes a lengthy set of recommendations, including ones focusing on changing the cybersecurity culture at the service so that leaders drive a sense of accountability in the domain down to their subordinates.
Sen. Mike Rounds, a South Dakota Republican who chairs the Armed Services subcommittee on cybersecurity, said he found the Navy report “refreshing” in its candor about the cybersecurity challenges facing the service. Other military branches should follow suit with that type of rigorous self-assessment, he added.
“From the report that the Navy put out, I think you could have replaced the Department of the Navy and put in any one of the other branches and you would have similar types of challenges,” Rounds told CyberScoop.
Rounds said he met with Spencer this week and that the Navy secretary assured him the service was working to lock down its networks from hackers and implement cultural and organizational changes to improve network security.
“I commend the secretary of the Navy for actually commissioning this independent report and in being forthright with it,” Rounds said. “This is the type of thing that in our country we can do to make things better. We’re not hiding it, we’re recognizing our limitations, we’re talking about how to fix it.”
The secretary of the Navy commissioned the review in October, asking a team of defense industry executives and Navy officials to leave no stone unturned in their search for vulnerabilities in how the Navy approaches cybersecurity. The steering group consulted a range of officials across the federal government and at big corporations like Microsoft and Goldman Sachs.
The report singles out China and Russia as rival powers that have been strategic in achieving their national goals “while the U.S. remains relatively flat-footed, and is too often incapable of defending itself [in cyberspace].”
China has pursued a strategy of stealing data from American companies on a massive scale in the service of Chinese economic development, the report charges, echoing long-running accusations of U.S. officials. Beijing has denied doing so.
Navy leaders are well aware that their personnel are potential targets for cyber-espionage from other nation-states. The chief of naval operations told reporters this week that the Navy had stopped announcing flag officer assignments out of concern those senior officials would be targeted by hackers.
At the same time, however, Navy and Pentagon officials only have a “limited understanding” of the total data lost from network breaches or other incidents, according to the Navy assessment.
“Only a very small subset of incidents are “known” and of those known, an even a smaller set are fully investigated,” the report says.