Beginning in the next few months, sailors throughout the Navy’s fleet can expect to see new and more consistent consequences when they violate the service’s cybersecurity policies — whether intentionally or not.
The service is in the process of building new “templates” that will instruct its commanders on the range of accountability measures they should impose on service members who run afoul of well-publicized regulations designed to protect Navy networks. The move was born out of service leaders’ realization that while some sailors were punished for violations such as plugging a USB drive into a government computer, those decisions were dependent almost entirely on whether or not a particular local commander put a premium on cybersecurity and treated violations seriously.
The wide variability in punishment in response to cyber violations is unlike most other approaches to good order and discipline within the Navy, said Troy Johnson, the director of the Navy’s newly-established cybersecurity division.
“If a person reports for work late three times in two weeks or shows up at a club that the base commander has declared off-limits, Navy leaders know what to do about that. People know what the range of consequences is for that kind of behavior,” Johnson said in an interview for an upcoming edition of Federal News Radio’s On DoD. “But if someone plugs their personal phone into one of our computers to charge it and puts some malware on our system, how bad is that? What should we do? So we’re in the process of designing template accountability guides to make sure commanders treat this as a big deal, but in a proportional manner that makes sense. Right now, it’s highly-dependent on the personality of the commander.”
Johnson said the specific recommended penalties for cyber violations are still being developed, but said they would be preceded by a widespread information campaign driving at the notion that all the Navy’s IT systems should be thought of as a weapons platform and that making them more vulnerable to an adversary is serious business.
The year-long communications campaign, initiated two weeks ago, will involve a barrage of social media, video messages, blog posts, printed material and other media telling sailors that government IT systems must be treated differently than their home computers.
“And the cyber threat reaches beyond traditional IT networks to systems that affect nearly every aspect of the Navy’s mission,” Vice Adm. Ted Branch, the Navy’s deputy chief of naval operations for information dominance, wrote in a message announcing the information campaign. “Machinery control, weapons and navigation systems may be vulnerable, as well as the systems and networks supporting human resources, financial management, and logistics business processes. A successful cyber intrusion anywhere in the Navy increases the risk that adversaries can move to other targets. … Every time you connect to or operate a Navy network or system, you are in the cyber battlespace.”
The Navy is speaking from experience: the new cybersecurity organization that’s now drawing up the new accountability measures was created partially in response to a 2013 intrusion that compromised significant portions of the Navy-Marine Corps Intranet; the foreign government behind the attack is believed to have made its way in via a known and neglected vulnerability on one of the Navy’s public websites.
Navy Cybersecurity, the permanent office the service created two months ago to continue the work of its year-long Task Force Cyber Awakening, has focused so far on ensuring the service’s IT systems and military hardware were as free from cybersecurity holes as possible, but intends to widen its aperture to include more of the human factors that make the Navy vulnerable to cyberattack.
That also happens to be a preoccupation of the Office of the Secretary of Defense, which launched a DoD-wide Cybersecurity Culture and Compliance Initiative (DC3I) in October, including the promise of more unannounced cybersecurity inspections and several upcoming deadlines for senior leaders to meet in order to change the department’s cybersecurity “culture.”
In announcing the DC3I, DoD cited industry estimates that suggest as much as 80 percent of successful intrusions are the result of poor cybersecurity hygiene, including inadvertent lapses by everyday users and a failure to apply software patches that would plug known security holes.
Johnson said that roughly comports with the conclusions the Navy reached about the causes of its vulnerabilities during Task Force Cyber Awakening, but the evidence about how many of the Navy’s problems were directly attributable to bad user behavior is mostly anecdotal.
“Right now, I don’t think we have good enough, systematic statistics on the level of accountability across the whole Navy when it comes to cybersecurity, like we do for almost everything else,” he said. “But I will say that for every person we find who’s doing something they shouldn’t be doing — and usually that’s not because of malice — we also find people who are doing stuff that goes above and beyond what they’re being asked to do and that makes things better. So we’re also trying to encourage more of that.”