Navy initiative makes cybersecurity an all-hands-on-deck job

In August 2012, Iranian hackers gained access to the Navy-Marine Corps Intranet in an intrusion that was, in different ways, both benign and very troubling as hacks go.

On one hand, NMCI is an unclassified administrative network, so no sensitive information was at risk. Email was not compromised in the attack and no information was actually stolen. And according to a report in the Wall Street Journal, the hack wasn’t a technical problem but a contracting one—a contract with Hewlett-Packard, which provides NMCI services, didn’t require the company to provide security for a certain group of Navy databases, so it didn’t, which eventually gave hackers a vulnerability to exploit.

But on the other hand, Navy officials have always touted the security of NMCI, which supports some 800,000 users, and the attack gave the hackers fairly deep access to the world’s largest intranet for the roughly four months it took to clean it all up. Also alarming was the fact that the hackers were from Iran, which had never successfully penetrated a U.S. military network before, at least not in an attack that was publicly disclosed.

Navy officials say that incident and a few others awakened them to criticality of the growing cyber threat and the potential risk it poses to full range of military operations. With nearly every device connected in one way or another, cyberattacks pose a real threat not just to information systems but also weapons systems, industrial control systems and everything in between. And the range of countries or organizations with the money and chops to carry out sophisticated hacks is growing well beyond China and Russia.

It’s not that cybersecurity hasn’t always been a serious issue, but it has been largely the concern of IT shops. Now it will be the job of the entire command structure. The project resulting from the NMCI hack, Task Force Cyber Awakening, is the start, a year-long effort to initiate changes in how the Navy acquires and operates its systems, extending a cybersecurity approach to all of its operations, from combat systems to logistics.

“Our current approach, which prioritizes modernization over sustainment, leaves us vulnerable,” the Office of the Deputy Chief of Naval Operations for Information Dominance said in a statement. “Our increasing reliance on connected capabilities (i.e., beyond traditional IT networks to our warfighting control systems) has significantly increased the potential consequences of a cyber event.”

The initiative got started in July with work being carried out by four task groups covering specific areas. One of them, called CYBERSAFE, is to design a program that will “include rigorous technical standards, certification and auditing.” It’s to be modeled after the SUBSAFE program, the Navy’s hard-nosed initiative to ensure that submarines are watertight, which was started in 1963 after the USS Thresher was lost, with 129 sailors and civilians aboard, while on a deep-dive mission. Between 1915 and 1963, the Navy lost 16 submarines on non-combat missions. In the 51 years since, no SUBSAFE-certified sub has been lost.

Another task group will focus on cybersecurity, evaluating technical standards and certifications that can be applied throughout the Navy. One will assess the effectiveness of projects currently underway or completed. And a fourth group of senior engineers will support the other groups, particularly with regard to technical standards. The first three groups are scheduled to deliver reports to the Chief of Naval Operations at various times between this month and August 2015.

The task group reports will offer prioritized recommendations on what the Navy should do to shore up its systems. Then, the real work of improving the cybersecurity throughout naval operations will begin.