The Navy took some risk in permitting hundreds of thousands of service members and civilian employees to use personal laptops and cell phones at home during the COVID-19 pandemic to transact normal business, the service’s top cybersecurity official said.
But allowing the use of personal devices was a calculated risk the Navy needed to take, Navy Chief Information Security Officer Chris Cleary said while speaking Monday during an online forum.
“This is when really [the Navy] began to test the ‘zero trust’ model” in addressing cybersecurity threats, he said. Zero trust cybersecurity assumes no one inside or outside a network is trusted by default and requires multi-factor verifications to access parts of the network.
Last week at an Association of the United States Army online event, Army Gen. Paul Nakasone, head of U.S. Cyber Command, said COVID-19’s impact has set off a culture change in how business is transacted in the public and private sectors: remotely.
Instead of face-to-face meetings, there has been “an expansion of the virtual” to conduct routine business because workers had to remain at home. In the Pentagon, where video-teleconferences were once done only by flag officers and senior civilians, these meetings through platforms like Zoom, Microsoft Teams and Crowdcast have become routine at all levels.
“We’re working in the middle of a pandemic with a generation that is comfortable [with this technology],” he said.
For classified meetings, Nakasone and Cleary said secure video-teleconferencing remains available for senior leaders.
Like Cleary and Nakasone, retired Air Force Maj. Gen. Earl Matthews said Monday the risks have increased as cyber usage has grown in the wake of the virus. “It’s not just a piece of hardware” that can be replaced, a software glitch that needs to be fixed, or a matter of defending the network’s perimeter from outside intruders in this remote work environment.
Even before the pandemic closed offices, Matthews said, there was growing awareness in business and government that threats can come from inside and outside an organization and that they require a different approach to cybersecurity. But answers from executives on how to address them have been slow in coming.
On Monday, Gary Austin, assistant director for the Center for Enhanced Cybersecurity at the Government Accountability Office, said, “I don’t think [senior] level executives understand the threat” from inside an organization as well as those coming from outside. “We just don’t see the awareness” showing up in budget requests or concrete actions to change behaviors.
Austin added that, in the agencies GAO has studied, “I have not seen a Blue Team yet” that looked at threats as existing inside an “eco-system” versus being individual incidents or a pattern of incidents. The agencies’ leaders continue to see them as “intrusions.” He said in 26 hacking attacks on the agencies surveyed, they didn’t know where the intrusions came from. Equally worrisome, the second-highest number of intrusions believed to have been hacking attempts came from inside the agencies themselves.
“You want to stop an adversary from sending data out” of your network, but if you don’t see the whole network then the adversary can get away with that theft.
Cleary said the mindset that cybersecurity is “respond and recover” has to change. He said that means the information technology, acquisition and operations communities have to “look at the mission, not just one piece of equipment” needed to perform a specific task. In practice, he added, this would translate into more active involvement by the acquisition force in the process.
Nakasone, Austin and Matthews stressed that a number of cybersecurity problems could be solved simply with better digital practices by workers.
Matthews, now a vice president at Mandiant Security Validation, said, “we’re still having cyber hygiene problems” that have only grown as cloud technology for data storage became more readily available.
At the AUSA event, Nakasone said “we have to raise the bar on cybersecurity.” The nation’s adversaries “use the most simple techniques to enter our networks” and, as Austin said, can remain hidden. The examples Nakasone gave were service members or government workers clicking on unknown hyperlinks, retaining old passwords and not patching networks when they are known to have been breached.
“We’ve got some ground to make up,” Cleary said.