Even an organization as big and armed as the United States Navy doesn’t take the ransomware threat for granted. Federal Drive with Tom Temin spoke with the principal cyber advisor in the office of the Navy Chief Information Officer, Chris Cleary, to check in on their progress.
Tom Temin: Alright, let’s begin with talking about ransomware. First of all, has the Navy been hit by it? Has any gotten through, not that you’ve paid ransoms? Or do you see it happening, but you’re able to kind of fend it off for the most part?
Chris Cleary: So for the most part, the Navy or the Marine Corps has not been subjected to a ransomware attack. It’s one of those things we pay very, very close attention to because I think where ransomware is much more impactful to both the Navy and the Marine Corps is how it impacts the things that we depend on that we cannot control. If you use the Colonial Pipeline as an example, you know, the Colonial Pipeline pushes fuel around all down the East Coast, there’s lots of organizations that have dependencies on that fuel, and you may not be able to respond to the attack per se, because it’s not in your backyard, it’s not in your AOR, that gives you the authorities to be able to respond to, let’s say, as a naval organization. The Navy, you know, again, luckily enough has not directly been impacted by a ransomware thing. It’s something that we’re keenly attuned to, particularly where those kind of ransomware attacks which have been through the lens of ransomware have locked your information up, you pay me an amount, and I will unlock it. And we’ll both get back on a business. What we’re most afraid of is when the ransomware attack comes with no intent whatsoever of even accepting a ransom, it’s a move to lock your information up and permanently degrade it. And we think if the Navy or the Marine Corps were to see that kind of an attack pointed at us specifically it would be just that. “Hey, we’re not here looking for money, we’re here to degrade your ability to operate as a naval force.”
Tom Temin: So, as fleets are deployed and operate around the world, and they get ship husbanding and supplying and so forth, at various places, and by various suppliers around the world, then one of the big worries is that those suppliers would be hit. And therefore you could be stranded for three days trying to get the fuel into the ship where it should have taken 12 hours or something.
Chris Cleary: And fuel would be the most obvious one. And how do we see the Colonial Pipeline attack? We’ve been concerned about that, but the joke was, 10 years ago, if I wanted to keep a ship pierside I’d just need to make sure that Coca-Cola didn’t show up. Because even getting stores, even getting supplies, foodstuffs, you know, repair parts, you know, if I can just prevent FedEx from showing up or a husbanding agent that would be bringing you just food. And if the food doesn’t show up on the pier, the ship might not be able to get underway because it needs that food to go be at sea for, you know, X amount of time. So those are the things that we used to joke about 10 or 15 years ago, now we’re seeing it come into fruition for the ways that our adversaries can really, no kidding, target the things that we depend on critically, and fuel and power. Power, it’s a little less relevant for ships at sea, because you know, we generate our own power and stay in a boat. But for the things that push that stuff around, you know, fuel depots, fuel is pumped to, and then if I lose power, or you’re able to do some sort of ransomware attack on other things that I depend on, you know I may not be able to move fuel around. So it’s an incredibly complicated problem with a lot of critical dependencies, the Navy sort of going through the wickets right now, sort of not only identifying a resource or a thing, but what are all the things that that thing depends on. And then you know, that spider’s web of critical dependencies and a way an adversary particularly get into that to disrupt it. Malware, we’re finding, is a very attractive tactic for an adversary because it’s relatively easy to employ, and relatively, once it’s in and executed, pretty complicated to get out.
Tom Temin: And with respect to the Navy’s own information systems and the ransomware threat or any cyber threat, there is always the phishing vector, which vexes pretty much every organization. What are some of the practices you have to make sure that employees, sailors and civilians are on guard and that they don’t click on that thing?
Chris Cleary: So the Navy and Marine Corps are pretty diligent in the way that they train their workforce in not attempting to click on things. Now, granted, there are some things we put in place that make it challenging to click on things, you know, there’ll be a lot of warnings: don’t click or, you know, you’re not allowed to click. A lot of executables and files are turned off. So some of those things are just not possible. Cross-site scripting is always something that could get an adversary. And we do take measures whether through our red teams. As an example, when I started this job as a chief information security officer a better part of two years ago working with Aaron Weiss, the CIO, we did do a spear phishing exercise within the secretariat. So every once in a while, we will exercise spear phishing campaigns through our red teams. So we commissioned one of our red teams to do this specifically for us. And they went off and they’ll conduct a pretty sophisticated spear phishing campaign, all the way down to what other people refer to as whaling, which is I’m not just sending out a wide net, I have a particular narrative that’s going to target a particular individual. You know, I’m going to make this sound like his daughter or his wife or coworker or something that would be “Oh, yeah, this is so and so. Oh, they sent me something. Click.” You know, we have a training process that comes in behind this. A lot of times you’ll be informed that you’ve done spear phishing campaigns. There’s a lot of companies that provide these sorts of services commercially. And it’s really all about awareness. It’s just bringing awareness to your workforce, that any single individual within the Department of the Navy could be an aim point of an adversary to inject malware into our systems. And so it’s really again, education, training and awareness are the ways that we mostly focus on trying to get our hands around that.
Tom Temin: There is an interesting vector that could happen, that kind of personalized email to individuals. Because the military does have a practice of sending stories about different service members to hometown websites, I almost said hometown newspapers, but those are mostly disappeared. But it’s possible to find out personal information about people from public sources that then can be crafted into a dangerous phishing email.
Chris Cleary: No, it’s easier than that. I mean, just look at the social media these days, I just have to go into somebody’s LinkedIn profile or Facebook account, to pull down almost anything that I would need to craft a plausible spear phishing email directed at any individual or any individual’s family members. So that’s another one that we look at. So now you go to additional dependencies, you know, what about your computer use from home for teleworking? And if I’ve spear phished your wife or your daughter, and they’ve downloaded malware onto a computer that you depend on, and that was actually a concern when we started the COVID pandemic, because we allowed a lot of employees to begin to do work through personally owned computers, because we just didn’t have the bandwidth, the throughput, the government furnished equipment, to give everybody a private government furnished computer to take home. And then you had VPN constraints and firewall limitations. So we had to sort of accept a lot of risk to enable working from home. Again, this kind of goes back into more of my days as the CISO, working for Aaron Weiss. But there are some pretty good success stories that both the Navy and the Marine Corps would take a little bit of a victory lap on, the way that we enabled our workforce to work from home and actually the relatively small amount of incidences we had associated with that.
Tom Temin: And of course, there are other vectors into systems; old fashioned hacking. My question then is, regardless of how some malware could come in, what types of – I hate to use the word playbooks – that sounds like a cliche, but what sorts of procedures do you have that get invoked, such that you can remediate the situation when it’s discovered, and I guess that would include discovery itself?
Chris Cleary: I don’t think that the Navy and the Marine Corps are too different than any other security service provider who do these types of functions. I would use kind of like a fire department analogy. The Navy and the Marine Corps network defense centers are pretty sophisticated. And they are very good at what they do. And when the alarm goes off, and the fire department responds, and if those organizations are the fire department, they know exactly what to do when the bell goes off. They know exactly what they do when they get on location. If you look at SolarWinds, Log4j, the myriad of these other ones, but the Navy, the Marine Corps, fleet cyber, Marforcyber, do an amazing job responding to the fire alarm. It’s the things that we need to improve on that happened before and after. You know, a fire department can respond to a building on fire and put the fire out, but could that fire have been prevented through other means. Did it happen because of an electrical fault, or was it arson. And then you go through, you know, that whole litany of ways that people can do things. So the adversary is getting better and better at what they do. And a lot of ways they look at how we do business and they swim up as far upstream as they need to to be successful. That’s exactly what happened with SolarWinds. You know, we did and lots of people understand the story now. But the adversary just injected, you know, we’ll call it an attack and exploitation in an organization that knew they were trusted when they pushed out their updates. So when I saw this update coming in I or whoever, “Oh, it’s trusted, it’s signed, it’s coming from the manufacturer, it’s coming from the developer, this is a trusted thing I’m gonna bring into my environment, I’m going to execute it.” And that’s where they figured out how to exploit a trusted relationship. 
So the adversaries who are good at these things, again, that’s why spear phishing is really you’re counting on somebody to be negligent or not paying attention or be susceptible to click on something. It’s not guaranteed that you’re going to click on that, but you throw enough out there and that’s what they call spear phishing, you throw enough of these out, somebody is going to click. Or, if I figure out the way adversaries do things, I’m going to study it long enough to determine where that weakness in the system resides. And unfortunately, to most major organizations, the weakness does not reside inside the organization, it resides outside of their organizations. And this is kind of the new world we’re living in. So, once again, it’s the way we respond to these things internally is pretty good. High marks across the board. It’s the things that we can’t control outside the organization that scare me.
Tom Temin: And with respect to cloud adoption, which the Navy, of course, has been a big embracer of, does that complicate a little bit the continuous discovery of where your data sources are that need to be protected? Just because multiple instances of databases and software applications exist because of the cloud. So how do you maintain that visibility? And maybe that gets into the cooperation between network operators centers and cybersecurity operations centers.
Chris Cleary: Sure. And I think you’re seeing the maturity of that process happen right now. The Navy has been a large adopter of cloud as have the other services. The Army has taken a few victory laps just recently on their cloud initiatives. The Navy, although our adoption of the cloud has been very good, you know, there’s still some things that give us critical dependencies of the cloud, you know, it still has to be connected to the cloud. Ships at sea, bandwidth, illustrations, latency, doesn’t always make connecting to the cloud as efficient and as practical and as convenient as it is when you’re on a land-based environment. And then what people sometimes fail to do is think, “Oh, I’ve put it in the cloud, I’m secure now.” Well, every vulnerability, everything that I needed to do when I hosted that information locally, are things that I have to be aware of, even though I’m hosting it remotely. There are initiatives underway, a lot of those cloud providers provide services around securing your information, but the full understanding of that cloud environment, actually, to be honest with you, one of the places that the services are struggling with is having visibility inside of those environments where they can get access to, or observe what’s happening with their data, particularly in security situations. Some cloud providers have sort of said, “Hey, you know, your access to this cloud ends at the waterline.” You don’t think safety deposit box has hit a bank, you kind of give it to the teller, they put it in a box and you see that box carried and put in the vault, you’re never really given access to the vault, per se. But who else is in the vault? What’s going on in the vault, you know, can I see my box and which row and column my safety deposit box is? And some banks will let you in; most banks won’t. That kind of analogy.
Even though I’m putting my information in a very secure environment, I’m putting a lot of trust and confidence in the providers of that environment that they’ve built, you know, resilient, secure, reliable, redundant, blah, blah, blah, all the things that the cloud has always been known for. But our adversaries know our information is going to those environments. So they’re getting better at going to get it. It’s a continuing game. And I think when we look at security or warfare, for that matter, it’s the perpetuation of the problem. You know, it’s move/counter move, and things like cloud have enabled a resiliency and redundancy and availability. Well, adversaries are going to start moving into those environments and start exploiting those things, or degrading our ability to get access to information or all the classic CIA triangle, you know, confidentiality, integrity, availability, well, that game has now just moved into the cloud and, you know, move/counter move.
Tom Temin: And helping understand the worldwide nature of this because on the one hand, you hear that military organizations and other highly secure organizations demand CONUS-based cloud resources, you know, you can’t use the Chinese version of the cloud, Mr. large commercial cloud provider. But on the other hand, there is the reach back limitation, sometimes from distant spots. And so it might be that you need local storage, not local, like shipboard, but local in a nation. So how does that balance in terms of, you know, the need for CONUS, but then sometimes the need for nearby?
Chris Cleary: So cloud availability is no different than any other resource that the Navy or Marine Corps would need when they’re deployed. We use fuel a lot, if you look at what’s going on in Hawaii with Red Hill, and maybe our inability to get access to that fuel depot, and now having to transit fuel from other places to ships in that area. Ultimately, the data has to come from somewhere and go to somewhere. The jump off points, whether they be local in, say, the Indo-Pacific region, or everything’s being pushed through satellites, from data centers on the west coast of Hawaii or wherever, that is just a connectivity problem. So this is again, where the Navy has to be a little more attuned to where information is coming from and how it gets there because again, our limitation to that information is more easily degradable because of all the other things that we depend on that are maybe targetable. Whether it be a satellite cable that’s taking information from the West Coast, United States to Hawaii, and then it hits a satellite, and it’s going to bounce around a bunch of different, you know, C5 ISR systems that get downloaded to a ship in the South China Sea. You know, that kill chain are things that our adversaries understand and they begin to target those things. You know, unfortunately, the way that we plan to fight in most fights is in very comms restricted limited environments. So what information do you already have organic, that you may not get another connection to, quote unquote, the cloud at sea in a warfighting environment. And you may not want to, because there’s a whole targeting thing and EMCON in the way that people track signals, a whole other story for another day. But when the balloon goes up and the fight is on, a lot of times the Navy and the Marine Corps play to say we are now in a comms-constrained environment, we’re only gonna be able to use the information that we have organic to us.
And it’s kind of the way that we conditioned ourselves to fight through those situations.
Tom Temin: And then if something bad does happen, whether because of cyber or for just whatever technical reason may happen, sometimes, databases and data sets get corrupted, just maybe give us an overview of the recovery procedures and policies you have in place.
Chris Cleary: A lot of those are specific on, “Did I lose a communications channel — the data is not available.” So it’s kind of hard to say there’s a policy in place in the ability to restore services. But when you look at things like damage control on a ship, culturally, that is the way that our mindset goes, that you have to be able to fight hurt. And actually one of the new initiatives that we’re pulling through right now, really maps back to this idea of resiliency. And resiliency is sort of a, you know, you could say survivability, fight hurt, restoring of services. Those are the things that we need to improve upon, because those are the things that keep us in the fight. Particularly when we’re talking about information, and information and data is kind of the weapon system now. If that information is degraded, I don’t have a particular comms path. Project Overmatch actually is an initiative that the Navy has been very adamant on; the Chief of Naval Operations, it’s kind of his brainchild, which is basically saying, What are other means and methods of communications we have at sea available to us? And how can I push any data through any available comms channel to connect ship “A” to ship “B”, because acknowledging that information is power, and we have to ensure that we have availability of that information, even in contested environments, and that’s one of the newest initiatives of the Navy.
Tom Temin: Yeah, that idea of contested environments can really be anywhere then it’s not simply because of where the Navy might need to fire cannons, somewhere over the horizon, but it can be a contested environment can be at the Pentagon, nowadays.
Chris Cleary: Correct. With our suppliers, with our developers, with our families. You know, there’s lots of ways of delivering effects. We speak in the words of delivering effects, it’s kind of the jargon used around the Pentagon. And there’s lots of ways our adversaries can deliver effects to change the way that decision makers make decisions. And I think that’s the new game that we’re in right now. You know, data information is power. So if I can degrade the adversaries’ ability to get information, I can change their calculus on the way that they’ll make decisions or try to employ forces, and this is this left of boom kind of fight. There’s lots of ways I can hold you at risk now. Information, we’ve seen, is becoming more and more of a way that you hold your adversaries at risk.
Copyright © 2023 Federal News Network. All rights reserved.