A new report says the cybersecurity failures at the U.S. Navy and elsewhere have put the future of U.S. economic and military dominance in doubt.
Attackers have breached the Navy’s defenses, the report says, and stolen “massive amounts” of intellectual property tied to national security.
“If the current trend continues unimpeded, the U.S. will soon lose its status as the dominant global economic power,” according to the Cybersecurity Readiness Review published in March 2019 by the Office of the Secretary of the Navy.
The report is a humbling look at the cybersecurity strength of the Navy and (indirectly) the greater U.S. military.
You might be surprised by the similarities between the cybersecurity challenges at the Navy and those of your IT business and clients.
MSPs and other IT service providers, while smaller, can easily relate to the critiques and gaps described below and hopefully avoid making similar mistakes.
Also, the brutal honesty of the report may encourage you to more honestly assess your cybersecurity program.
Hey, if an organization with a $194 billion budget can swallow its pride and admit to security gaps, then maybe we all can.
After the Navy experienced “several significant compromises of classified and sensitive information,” the department’s secretary in October ordered a comprehensive review of its cybersecurity governance.
A team of military and civilian experts was formed to compare the Navy’s security to known best practices. The results were published in the March 2019 report.
While loaded with recommendations, the most striking material of the report is its harsh criticism of the miscalculations that led to the poor state of the department’s cybersecurity.
You probably know a few colleagues or clients who do not take cybersecurity seriously. Perhaps they think they're too small to be targeted or that security is too much of a hassle to bother with.
The Navy wasn't worried about cybersecurity, either.
“Although our systems were known to be vulnerable, there has been a long-standing belief that the open systems ... would be relatively untargeted for the near future.”
This belief severely underestimated the growing capabilities of the Navy's adversaries and the shift in their intentions. Now the department is suffering attacks and struggling to catch up.
The rampant theft of intellectual property from the private and defense sectors is eating into the Navy's competitive advantage.
“The growing decline in economic advantage via the exploitation of our open economic system has similarly been accompanied by an erosion of the U.S. military advantage via the theft of critical information on weapon systems, advanced technologies, and unique capabilities.”
Suffer enough cybersecurity breaches and you, too, could find the information and technology that sets your small business apart is in the hands of competitors.
The Department of the Navy (DON) is a vast, powerful organization - but much of it focuses on the threats of old (which, granted, are genuine threats, but perhaps not the most pressing of today).
“Today the DON, like the DoD and its sister Services, is exquisitely organized, structured, equipped, and cultured for a previous era ...
“The culture is characterized by a lack of understanding and appreciation of the threats, and inability to anticipate them ...
“The net-net is that the DON is preparing to fight tomorrow's kinetic war, which may or may not come, while losing the global cyber enabled information war.”
Small businesses take note: your business faces a growing number of cybersecurity threats. Avoid old habits and ask yourself if you are focused on the problems of yesterday rather than the problems of today.
While some organizations are beginning to understand that a successful cybersecurity strategy must include all departments and staff members, many still consider cyber to be an IT issue.
The Navy has the same problem.
“Cybersecurity is largely viewed as an IT issue and is not integrated across all operations and activities of the organization. The current approach is characterized by vertical stovepipes of responsibility which ignore the reality that information and cybersecurity require a horizontal, systems approach across all aspects of the organization's activities and operations.”
Every business - no matter the size - relies on many other businesses and organizations to function. This is true of your small business, and also the Navy.
Unfortunately, this creates opportunities for attackers to breach an organization by targeting its partners.
Target Corp. is the classic example. The retail giant suffered a crushing data breach through a compromise of one of its HVAC contractors.
The Navy and other departments of the U.S. military rely on many thousands of organizations, some of which are considered part of the defense industrial base (DIB).
“There are also those traditional companies thought of as the DIB that are U.S. owned or domiciled, which are supported by a supply chain that includes sub-contractors that are not U.S. owned or domiciled. For years, global competitors, and adversaries, have targeted and breached these critical contractor systems with impunity.”
Cyber attacks are difficult to stop and perhaps even more difficult to detect.
Few small organizations perform security event monitoring. Larger organizations that monitor network traffic cannot detect every breach.
The result is that no one - not even the Navy - is certain of the number of data breaches they've suffered or the data that has been compromised.
“The DoD and DON have only a limited understanding of the actual totality of losses that are occurring. Only a very small subset of incidents are ‘known’ and of those known, an even smaller set are fully investigated.”
Straining to secure all aspects of an organization's network and systems is a fool's errand. The resources - including the time, money, and expertise required to accomplish such a goal - are lacking.
The only sane approach is to prioritize the protection of critical assets and systems, and to scale the level of security with the importance of the given asset.
“In an age where it is impossible to protect everything, identifying what information must be absolutely protected is vital and not being adequately accomplished.”
The authors of the report reviewed the practices of leaders at organizations that are handling cybersecurity effectively (CEOs in particular).
Common traits they found among the leaders: