The threat to the U.S. Navy from cyber intrusion has become a crisis. Hackers, particularly those from Russia and China, are not limiting themselves to attacks on computers and networks. Now they are engaged in a massive assault on the entire Navy enterprise, including ships, weapons systems, research and development establishments, the supply chain, and shore facilities. According to a recent report, the Navy and its private sector partners are inadequately prepared to deal with the growing threat. But the Navy is working to improve the security of its systems and networks. It is requiring industry to get secure. Critical to this effort will be the adoption of technologies and techniques that provide continual monitoring of all networks and devices and the prompt identification and isolation of non-compliant devices and software.
Evidence that a massive cyber campaign is being waged against the Navy, and every organization associated with it is mounting. The defense industrial base and associated supply chains are under constant assault. The hackers have two objectives: steal U.S. defense secrets and undermine confidence in the ability of the industrial base to function during a conflict. In 2018, Chinese government hackers successfully penetrated a major Navy contractor’s network, making off with more than 600 GB of sensitive and secret data, including information on a Navy program to develop a supersonic anti-ship missile. The Navy’s shore infrastructure is being subjected to repeated attacks. Hackers particularly go after the facility-related control systems that monitor and direct critical functions such as utilities, fire and safety, and security. It is worth noting that the Department of Defense has recognized the problem of control systems’ vulnerabilities and has a list of tested and approved control system products.
Even ships may be vulnerable to cyber intrusions. Several years ago, the Navy found major cyber vulnerabilities in the networks of the new Littoral Combat Ship. Cyber attacks may constitute a particularly serious problem for logistics vessels providing critical support for U.S. operations overseas. The Coast Guard has sent out two alerts this year alone reporting on hacking attacks on the navigation and networks of commercial vessels in international waters. This should not be surprising since the major systems on both commercial and military vessels are increasingly managed by automated control systems and sensors. The potential vulnerability of Navy vessels to cyber attack is likely to get worse as the service works to build a larger fleet, deploy unmanned vessels, implement distributed operations, and expand its networks.
In March 2019, the Navy published its Cybersecurity Readiness Review. The report declared that “competitors and potential adversaries have exploited DON information systems, penetrated its defenses, and stolen massive amounts of national security I.P." A primary focus on these hacking campaigns has been to penetrate the systems and networks on which the Department of Defense and the defense industrial base rely to design, build, mobilize, deploy, and sustain forces. Perhaps even more damaging has been the concerted effort by these enemies to target the U.S. economy and, in particular, the industrial base. Not only is the long-term health of the U.S. economy, on which a strong military relies, at risk, but so too is the military-technical superiority which provides the Navy with the basis for victory in conflict. The report warns that if the ongoing deluge of cyber assaults is not successfully countered, U.S. national security and the ability of the United States to prevail in a future great power confrontation will be at risk:
"If the current trend continues unimpeded, the U.S. will soon lose its status as the dominant global economic power. That loss of relative economic power foreshadows the Navy and Marine Corps becoming relegated to being a near-peer. As a near peer, every asymmetric advantage becomes magnified and more valuable in a future fight, and every advantage lost the more intolerable. Alarmingly, near peer status may have already been reached if one truly considers the disruptability of the critical enabling infrastructure necessary to mobilize the nation and actually get forces to and sustained in a true peer-on-peer fight.”
The Navy and Marine Corps both are working to correct deficiencies in their approach to cybersecurity. One innovative approach they are employing is the Continuous Hardening and Monitoring Program. The program uses a variety of techniques, including machine-assisted monitoring of networks, data analytics, and automation technologies to provide continuous vulnerability management assessments, validation of network nodes' compliance with information assurance accreditation standards, and confirmation that devices on the networks meet access and authorization standards.
The Navy/Marine Corps Next Generation Enterprise Network Re-compete (NGEN-R) contracts will also reduce the cyber vulnerabilities of current networks and devices. NGEN-R will improve cybersecurity by integrating legacy networks across both sea services, implementing enhanced protection measures, and more rapidly upgrading security technologies.
The Navy also is asking its industry partners to take cybersecurity more seriously. Last year, James Geurts, Assistant Secretary of the Navy for Research, Development & Acquisition, published a memorandum requiring contractors to implement enhanced cybersecurity standards for their networks, including better access controls and network monitoring.
The Navy and Marine Corps also have been at the forefront of the effort to implement Comply to Connect (C2C). C2C creates a highly automated platform that ensures compliance of the devices that are entering the network with security standards and access protocols. It does this through continuous monitoring, rapid interrogation and, if necessary, the isolation of non-compliant devices. C2C is very scalable, allowing it to respond to the anticipated growth in the size of Navy-Marine Corps networks and in the number of devices that will be found in weapons systems, platforms and digital control systems.
The Navy and Marine Corps are not alone in having their networks, platforms, supply chain, and facilities subjected to a near-continuous cyber bombardment. As demonstrated by the recent Cybersecurity Readiness Review, the Navy is willing to take an unflinching view of its vulnerabilities, poor practices and technological inadequacies. It is only possible to take the appropriate corrective actions once the problem has been correctly assessed. Now the Navy and Marine Corps—and the Department of Defense writ large—must implement the needed reforms and the necessary technologies to secure assets before they become news.
Dan Gouré, Ph.D., is a vice president at the public-policy research think tank Lexington Institute. Goure has a background in the public sector and U.S. federal government, most recently serving as a member of the 2001 Department of Defense Transition Team. You can follow him on Twitter at @dgoure and the Lexington Institute @LexNextDC. Read his full bio here.
This article first appeared at Real Clear Defense.