Everyone already knew that Navy cybersecurity had big problems. Last fall, a Wall Street Journal report on Navy cybersecurity revealed that Chinese nation-state hackers had successfully breached a number of third-party Navy contractors over an 18-month period, stealing highly classified information about advanced military technology currently under development, including “secret plans to build a supersonic anti-ship missile planned for use by American submarines.” The hackers had targeted the contractors, the WSJ reported, because they surmised these firms had less robust cybersecurity and would make easy targets.

Shortly after the WSJ published its report, an internal Navy cybersecurity audit was ordered, citing “several significant compromises of classified and sensitive information.” The resulting audit report, which was released last week and first reported on by the Wall Street Journal, portrays a military branch in complete cyber chaos, “in ways few appreciate, fewer understand, and even fewer know what to do about.”

Cybersecurity awareness severely lacking in the Navy

The scathing, 80-page report details many of the same organizational culture stumbling blocks and lack of awareness/education among personnel that stymie cybersecurity at private-sector firms, including:

* Navy cybersecurity is predominantly viewed as “an IT issue and is not integrated across all operations and activities of the organization.”
* Navy leadership “occasionally articulate[s] the importance of cybersecurity, but do[es] not fully understand how to convert their words into action.”
* The Navy’s workforce is “generally uneducated in cybersecurity, largely complacent, and fails to fully embrace ‘a risk to one is a risk to all.’”
* Navy internal bureaucracy is mired in the pre-digital era, is focused on pre-digital threats, and has been reluctant “to shift its focus from ship or platform centric, to information centric, in order to attend to the world of vulnerabilities presented by its adversaries’ capabilities growth and sophistication.”

Navy contractors “under cyber siege” from foreign nationals

The audit did not mince words regarding the significant ongoing threat to Navy cybersecurity posed by its own supply chain, including subcontractors who “are not US owned or domiciled” but who are necessary to the Navy supply chain because they are part of ”key industrial and utility commons ecosystems that are no longer centered or owned in the US, such as advanced composite materials or national telecommunications infrastructures.” These contractors, the audit states, are “under cyber siege” by foreign adversaries, particularly those in Russia and China, and have been for years.

Meanwhile, the Navy “did not anticipate this attack vector,” did not adequately warn its supply chain about possible cybersecurity threats, and has relied on an honor system where contractors self-report vulnerabilities and breaches. This system, the audit states, has “demonstrably failed” and left the Navy and the DoD with no grasp of the true scope of Navy supply chain breaches. Very few cyber incidents are reported, and of those that are, only a small number are “fully investigated.”

In a brief statement, Secretary of the Navy Richard Spencer pledged that “the Department of the Navy Secretariat along with the Chief of Naval Operations and the Commandant of the Marine Corps, will coordinate with the Department of Defense and Congress for the resources required to compete and win in the cyber domain.” The Navy also announced that it had ceased publicizing promotions of Navy captains and admirals last fall to prevent top brass from being targeted by hackers.

Author's Bio: 

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions.

He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.