PENTAGON: The Navy doesn’t have a good handle on how it is spending money to protect its networks against cyber attacks, a top leader says. In the wake of a stinging self-assessment of own cyber vulnerabilities released this spring, they’re rushing ahead to bring in a new management team to spearhead change.
“No one at a senior level of this department was responsible for this portfolio,” Navy undersecretary Thomas Modly told reporters here last week. “It was very distributed, so we found we were investing in things without any level of coordination…we’re spending a lot of money in this area right now, but we don’t understand where we’re spending it.”
Navy officials are banking on a soon-to-be-named cyber advisor to Navy Secretary Richard Spencer — who will bring aboard a staff empowered to make change — to be the catalyst to begin tackling these issues as the Pentagon struggles to keep foreign adversaries out of its networks, and those of US defense contractors.
China, Iran and Russia are “relentlessly hacking into our systems,” Modly said, “they’re trying to come at us in every possible way that they can.” Last year, reports emerged of Chinese hackers punching their way into the networks of US defense contractors, and making away with classified data on new weapons systems like a supersonic anti-ship missile and other sensitive plans for submarines.
More recently, the Navy’s Cyber Readiness Review released in March offered a scathing critique, calling weak spots and persistent holes in the system an “existential threat” to the existence of Navy and Marine Corps. The unsparing 80-page assessment concluded the Navy is under “cyber siege” and has so far failed to secure its IT systems.
Pentagon officials have often said the weakest link in the chain are sub-tier suppliers working on weapons systems who don’t have the money or expertise to fully secure their own systems, providing adversaries with an open back door into more sensitive networks.
“To the extent that they come into the places that it’s easiest for them to come in, they are able to go to lower level suppliers,” Modly said, where the hacker can pull information that might not in itself be classified but when pieced together with other information, “then all of a sudden they’re getting bigger and more clear picture of our competitive advantages in certain areas of technology.”
Since many of those smaller suppliers have neither the money or expertise to build and maintain their own firewalls, Modly suggested the possibility of a Navy cloud where the service could help them manage their data. It’s unclear how receptive companies would be to placing their proprietary information into a system potentially accessible by potential competitors.
But that’s all in the future. At the moment, the soon-to-be-named Navy special assistant to the secretary for information management will manage four new subordinate directorates, all which will likely be no larger than 15 to 20 people (as the plan stands now.) “We are not adding a huge staff,” Modly said. “We won’t do that, but we are moving pieces around on the chess board.”
Those directorates include a chief technology officer tasked with leading acquisitions of technical infrastructure, a chief digital officer, a chief data officer, and a chief information security officer. Navy leadership is still working on what authorities those leaders will have to push change inside often entrenched bureaucracies likely to bristle at having a new layer of management telling them how to run their shops.
The first thing out of the gate will be pushing “stronger policies to deal with our industrial base to ensure that as they look at second- and third-tier suppliers that they’re enforcing stricter cybersecurity standards,” Modly said. Specifically, supply and logistics are “our biggest weakness with respect to auditibility and data clarity, and that’s because no one owns it.”
Overall, Modly stressed that this isn’t just some old ideas wrapped up in a new package. March’s cyber report really lit a fire under Navy leadership, and considering that incoming CNO, Adm. Mike Gilday, is the former 10th Fleet commander, which is the Navy’s cyber arm, it’s an effort that will likely get more attention at the top. “I hope that no one thinks this is a rehash of things we’ve done before,” Modly said, “because it’s not.”