CAPITOL HILL – Securing the vast data-sharing network used by the Department of the Navy and its industrial base will require a significant investment of time and expertise from the department, Secretary of the Navy Richard V. Spencer told lawmakers on Wednesday.
Spencer told the House Armed Services Committee that the Navy’s data continues to be vulnerable and that securing it will require an ongoing partnership between the department and industry.
“One of the most vulnerable Achilles’ heels we have is our supplier base,” Spencer told the House Armed Services Committee. “That ranges from Fortune 100 companies, Fortune 50 companies, on down to I believe the mom and pop small business world.”
The Navy’s recently released Cybersecurity Readiness Review details the threat facing Navy-run cyber networks, which the report estimates have more than 1 million military and industry users.
The DoN ranks first among U.S. government agencies exposed on the darknet, according to an analysis provided by Dark Owl, a Denver-based company specializing in indexing darknet content and assisting organizations in finding leaked or compromised sensitive data.
Spencer said the Navy has to take the lead in providing a means for the industrial base to secure data. A year ago, Chinese hackers infiltrated a U.S. Navy contractor’s computer systems, stealing 614 gigabytes of information experts said could undermine the fighting ability of U.S. submarines.
“One reason we’re going to the cloud,” Spencer said. “The cloud allows that ability to provide an avenue for some smaller organization to be encrypted, to be protected without encumbering a lot of costs on them.”
The Navy’s Fiscal Year 2020 budget request includes about $10 billion for beefing up the department’s cybersecurity efforts.
However, the department is far behind the industry when it comes to investing in cybersecurity, according to its cybersecurity review. For example, last year the Navy replaced its old Windows 7 operating system with Windows 10, which was released in 2015. A subsequent Windows 10 version upgrade is ongoing, according to a Feb. 26 NAVADMIN issued by Vice Adm. Matthew Kohler, the Navy’s deputy chief of naval operations for information warfare. Windows-maker Microsoft has stated it will no longer support Windows 7 as of Jan. 14, 2020.
One of the contributing reasons such a lax cybersecurity posture exists, according to the review, is that the Navy did not have a clear chain of command for cybersecurity issues. The current organizational structure charges cybersecurity to the undersecretary, who also performs the duties of the undersecretary and serves as the department’s chief management officer, according to the cybersecurity review.
Spencer wants Congress to authorize the Navy to create a fifth assistant secretary position to take the lead on cybersecurity. The new position will set policy and advocate for the funds and authorities requested by naval personnel and the U.S. 10th Fleet, Spencer said.
The new assistant secretary will also enforce good cybersecurity hygiene and ensure commands properly update their systems. For years the Navy has provided waivers for the use of outdated operating systems and allowed high-risk systems to connect to Navy networks, according to the review.
“These waivers inject unknown risk to the enterprise and reinforce the narrative that cybersecurity is not a priority,” the cybersecurity review states.