Five years after the Navy established a task force to “awaken” itself to the dangers cyber attacks pose to its systems and operations, it remains dangerously unprepared to counter those threats, according to the results of a comprehensive review the secretary of the Navy commissioned last October.
The stinging, 80 page assessment concluded the Department of the Navy’s failure to properly secure its IT systems represents an “existential threat” to the survival of the Navy and Marine Corps, and that few of its leaders understand the magnitude of the challenge.
“A real appreciation of the cyber threat continues to be absent from the fabric of DON culture. Senior leaders occasionally articulate the importance of cybersecurity, but do not fully understand how to convert their words into action, and to making it real,” the authors wrote in the document, titled the Secretary of the Navy Cybersecurity Readiness Review. “The workforce is generally uneducated in cybersecurity, largely complacent, and fails to fully embrace ‘a risk to one is a risk to all.’ As a result, cybersecurity is undervalued, and often used as a bill-payer within programs of record.”
The review team was led by Michael Bayer, a former chairman of the Defense Business Board. Its members and staff interviewed more than 80 current and former Navy officials, business leaders, and cybersecurity experts.
It concluded the department should take immediate steps to address the cultural shortcomings, including by making cybersecurity competency a selection factor in picking its key leaders, overhauling Navy education at all levels to incorporate cybersecurity, and develop an internal communications plan to drive home that the Navy is moving to an “information-centric” business model.
It also pointed to what the authors said were fundamental weaknesses in the Navy’s IT leadership structure. The authors said the best practices they identified across the large private sector organizations they studied included having a CIO and CISO with strong governance authorities, and that those officials did not run the same networks they were charged with overseeing.
By contrast, the study found, the Department of the Navy’s cyber governance structure is confusing, diffused, and relatively toothless.
It has no CISO at all, and its CIO’s office lacks the top-down authority it needs to enforce cyber policies. Compounding the problem, the authors wrote, is that the DON has delegated many of its CIO functions to senior officers in the Navy and Marine Corps in various reorganizations over the last several years, but those officials don’t always have the authority they need to enforce policy. And the policies are sometimes in conflict with one another.
“In addition, by his choice, the undersecretary of the Navy is currently triple-hatted as the undersecretary, Chief Management Officer (CMO), and the department’s CIO,” the review said. “[The Navy and Marine Corps CIOs] are themselves multi-hatted, responsible for overseeing the daily execution of the DON CIO function and other service responsibilities. This creates inconsistent communication from the top-down and inconsistent messaging laterally. Commands and personnel remain protective of their traditional structure and budgetary status quo.”
In February, the undersecretary, Thomas Modly, said the Navy intended to eliminate that multi-hatted scenario by appointing a new assistant secretary for information management: A senior official who would serve as the DON CIO, but also assume responsibility for cyber and data management issues.
But the plan was derailed, at least temporarily, last week. The Navy had planned to make room for the new position by eliminating its assistant secretary for installations, energy and environment, but Congress objected to the change.
In a statement on Tuesday, Navy Secretary Richard Spencer said the Navy had begun a “broader review of how best to organize the department to address the overall challenges of information management, to include not only cybersecurity, but also data strategy and readiness, business system rationalization, and artificial intelligence. We will be working with the Congress to determine what legislative authorities may be required to implement any significant changes.”
Spencer added the DON would coordinate with DoD and Congress “with urgency” to get the resources it needs to respond to the cybersecurity review’s various recommendations, saying the study panel gave the Navy a “clear path forward.”
Beyond cultural and structural issues, the review pointed to persistent process problems that keep the DON from securing its networks and weapons systems.
For one, the Navy and Marine Corps appear to be pursuing two different approaches to setting security standards for weapons platforms, the authors wrote — CYBERSAFE in the case of the Navy; the Risk Management Framework in the case of the Marine Corps.
For another, those standards are simply waived in too many cases, a habit the authors compared to the waivers another study identified in the Navy’s surface fleet after two at-sea collisions in 2017.
“Consistent with what the DON discovered in the 2017 Strategic Readiness Review, a critical look at how declining readiness in the surface fleet contributed to the loss of 17 sailors, the Navy has embraced a culture of ‘normalization to deviation’ in cybersecurity,” they wrote. “For example, there are currently a number of high risk systems connected to the Navy network that have received five or more formal waivers to continue operating due to a lack of resources or scheduled modernization occurring in the distant future. For these systems, the ‘waived’ state has become the de-facto standard. These waivers inject unknown risk to the enterprise and reinforce the narrative that cybersecurity is not a priority … at risk systems are allowed to remain connected to the network and no one is singularly held responsible for non-compliance.”
Nonetheless, the study identified at least a couple of bright spots in which the Navy has started to implement cybersecurity best practices, and it said those efforts should be “celebrated” and given additional funding.
In some cases, Task Force Cyber Awakening succeeded in securing platform-specific IT systems. More broadly, the authors lauded a nascent effort called Compile-to-Combat in 24 Hours (C2C24), which aims to quickly deploy new IT capabilities to ships by relying on already-certified systems and cloud computing platforms, not requiring every new system to come with its own hardware.
“C2C24 moves away from a hardware-based architecture in favor of data as a service through agile software capabilities which can be delivered securely (uncompromised) and reside on existing already-approved hardware,” the study found. “C2C24 deployment is an excellent example of the DON leveraging commercial capabilities and assuring that cybersecurity is built in from inception and extended to associated systems. C2C24 must be established as a program of record and funded immediately.”
The assessment was prompted, at least in part, by breaches of the Navy’s own systems by foreign adversaries. The details of those breaches are still classified, but the Navy has acknowledged a similar foreign intrusion was the impetus behind the Task Force Cyber Awakening it created in 2013, and the Navy Cybersecurity office it stood up as a follow-on effort.
But the new report raised even larger worries about penetrations of data systems operated by Navy contractors. Their systems also include classified and sensitive information, and there are strong reasons to believe that penetrations of those systems have led to larger data breaches.
“The review was struck with how an enterprise that instantly goes to general quarters in a hull breach has moved so lethargically with the flood of breaches of significant sensitive data,” the authors wrote. “The (Defense Industrial Base) continues to hemorrhage critical data.”
DoD and Navy policies intended to enforce cybersecurity standards on contractors have not proven effective as of yet, they added.
“Despite the ongoing cyber war, the timelines have not been enforced, additional auditing requirements for security controls have not been instituted, permissions for naval law enforcement to scan partner networks have not been granted, and the theft of IP from the DIB relentlessly continues,” the review said.