Ensuring the cybersecurity of the Navy’s industrial base and overseeing the service’s offensive and defensive cyber capabilities will become the responsibility of a proposed fifth assistant secretary of the Navy, Secretary of the Navy Richard V. Spencer told lawmakers on Tuesday.
Spencer told the Senate Armed Services Committee the Navy is currently developing a business plan to improve the department’s cybersecurity and beef up the security of its industrial base. The proposed new assistant secretary, which requires congressional approval, will become the point person for working with the Navy’s industrial base to maintain cybersecurity. The new assistant secretary will also implement powers to protect U.S. networks and capabilities and to take the cyber fight to adversaries, Spencer said.
Sen. Mike Rounds (R-S.D.) expressed concern about the threat during the hearing
“As we move to a 355-ship Navy, as we talk about the security of every one of those ships, and all the work we do to protect those ships, compare that with what our near-peer and peer competitors are doing,” Rounds said. “They’re not stealing our ships; they’re stealing our
information.”
In response, Spencer said problems were less in the service and more in industry.
“When it comes to classified information inside the Navy itself, we’re good with that,” Spencer said. “What we’re concerned with is out in our contractors.”
Last month, Spencer released the Navy Cybersecurity Readiness Review which looked at the health of the Navy’s data protection. Among the report’s findings, the Navy’s contractor base is the soft underbelly of Navy cybersecurity.
“The Department has relied on long-standing security constructs based on information sharing and self-reporting to inform it of its supplier’s vulnerabilities and breaches. That after the fact system has demonstrably failed,” the cybersecurity report states.
What’s worse, Navy and Pentagon officials do not know what’s been lost or the extent of data breaches, according to the review.
“Because of the scarcity of resources available, and the limitations of the available art and science of detection, the DoD and DoN have only a limited understanding of the actual totality of losses that are occurring,” the report states
As part of the proposal for a new assistant secretary, Spencer said the Navy also plans to ask for additional authorities to implement in working with the industrial base to protect data. These new authorities will not be exclusively defensive, either, Spencer said. Offensive cyber tools compliment defensive tools.
“It’s not how quickly we can get to the fight, one of our battles is going to be getting off the pier because cyber is around us,” Spencer said.
