A new report says the cybersecurity failures at the U.S. Navy and elsewhere have put the future of U.S. economic and military dominance in doubt.
Attackers have breached the Navy’s defenses, the report says, and stolen “massive amounts” of intellectual property tied to national security.
“If the current trend continues unimpeded, the U.S. will soon lose its status as the dominant global economic power,” according to the Cybersecurity Readiness Review published in March 2019 by the Office of the Secretary of the Navy.
The report is a humbling look at the cybersecurity strength of the Navy and (indirectly) the greater U.S. military.
Security Challenges Are Familiar
You might be surprised by the similarities between the cybersecurity challenges at the Navy and those of your IT business and clients.
MSPs and other IT service provides, while smaller, can easily relate to the critiques and gaps described below and hopefully avoid making similar mistakes.
Also, the brutal honesty of the report may encourage you to more honestly assess your cybersecurity program.
Hey, if an organization with a $194 billion budget can swallow its pride and admit to security gaps, then maybe we all can.
8 Insights from the Report
After the Navy experienced “several significant compromises of classified and sensitive information,” the department’s secretary in October ordered a comprehensive review of its cybersecurity governance.
A team of military and civilian experts was formed to compare the Navy’s security to known best practices. The results were published in the March 2019 report.
While loaded with recommendations, the most striking material of the report is its harsh criticism of the miscalculations that led to the poor state of the department’s cybersecurity.
#1. Cyber Threats Underestimated
You probably know a few colleagues or clients who do not take cybersecurity seriously. Perhaps they think they’re too small to be targeted or that security is too much of a hassle to bother with.
The Navy wasn’t worried about cybersecurity, either.
“Although our systems were known to be vulnerable, there has been along-standing belief that the open systems .. would be relatively untargeted for the near future.”
This belief severely underestimated the growing capabilities of the Navy’s adversaries and the shift in their intentions. Now the department is suffering attacks and struggling to catch up.
#2. Eroding Competitive Advantage
The rampant theft of intellectual property from the private and defense sectors is eating into the Navy’s competitive advantage.
“The growing decline in economic advantage via the exploitation of our open economic system has similarly been accompanied by an erosion of the U.S. military advantage via the theft of critical information on weapon systems, advanced technologies, and unique capabilities.”
Suffer enough cybersecurity breaches and you, too, could find the information and technology that sets your small business apart is in the hands of competitors.
#3. Living in the Past
The Department of the Navy (DON) is a vast, powerful organization – but much of it focuses on the threats of old (which, granted, are genuine threats, but perhaps not the most pressing of today).
“Today the DON, like the DoD and its sister Services, is exquisitely organized, structured, equipped, and cultured for a previous era …
“The culture is characterized by a lack of understanding and appreciation of the threats, and inability to anticipate them …
“The net-net is that the DON is preparing to fight tomorrow’s kinetic war, which may or may not come, while losing the global cyber enabled information war.”
Small businesses take note: your business faces a growing number of cybersecurity threats. Avoid old habits and ask yourself if you are focused on the problems of yesterday rather than the problems of today.
#4. Cybersecurity in a Silo
While some organizations are beginning to understand that a successful cybersecurity strategy must include all departments and staff members, many still consider cyber to be an IT issue.
The Navy has the same problem.
“Cybersecurity is largely viewed as an IT issue and is not integrated across all operations and activities of the organization. The current approach is characterized by vertical stovepipes of responsibility which ignore the reality that information and cybersecurity require a horizontal, systems approach across all aspects of the organization’s activities and operations.”
#5. Partners Breached
Every business – no matter the size – relies on many other businesses and organizations to function. This is true of your small business, and also the Navy.
Unfortunately, this creates opportunities for attackers to breach an organization by targeting its partners.
Target Corp. is the classic example. The retail giant suffered a crushing data breach through a compromise of one of its HVAC contractors.
The Navy and other departments of the U.S. military rely on many thousands of organizations, some of which are considered part of the defense industrial base (DIB).
“There are also those traditional companies thought of as the DIB that are U.S. owned or domiciled, which are supported by a supply chain that includes sub-contractors that are not U.S. owned or domiciled. For years, global competitors, and adversaries, have targeted and breached these critical contractor systems with impunity.”
#6. Scope of Problem is Unknown
Cyber attacks are difficult to stop and perhaps even more difficult to detect.
Few small organizations perform security event monitoring. Larger organizations that monitor network traffic cannot detect every breach.
The result is that no one – not even the Navy- is certain of the number of data breaches they’ve suffered or the data that has been compromised.
“The DoD and DON have only a limited understanding of the actual totality of losses that are occurring. Only a very small subset of incidents are ‘known’ and of those known, an even a smaller set are fully investigated.”
#7. Prioritize Critical Assets
Straining to secure all aspects of an organization’s network and systems is a fool’s errand. The resources – including the time, money, and expertise required to accomplish such a goal – are lacking.
The only sane approach is to prioritize the protection of critical assets and systems, and to scale the level of security with the importance of the given asset.
“In an age where it is impossible to protect everything, identifying what information must be absolutely protected is vital and not being adequately accomplished.”
#8. Follow the Best CEOs
The authors of the report reviewed the practices of leaders at organizations that are handling cybersecurity effectively (CEOs in particular).
Common traits they found among the leaders:
- Personally engaged in the company’s approach to cybersecurity
- Consistently communicate expectations
- Select leaders that understand the threat
- Set priorities and incentives that reflect the importance of cybersecurity to the company’s success
- Hold ·everyone accountable for cybersecurity
- Demand education, training, and constant testing of their workforce
- Establish clear and enforceable standards
- Set the priorities for what information must be protected
- Have strong, empowered CIOs that are accountable and report directly to them
- Establish organizational structures and processes that optimize alignment of responsibility, authority, and accountability.
- Maintain good situational awareness of their organizations’ cyber-health
- Require and use dashboards and scorecards to predict and monitor performance.
- Use of simulations and threat modeling to train their personnel
- Factor cybersecurity into every decision they make