Washington, DC - Throughout National Cybersecurity Awareness Month this October, and in subsequent articles, the Office of the Deputy Chief of Naval Operations for Information Warfare (N2N6) will describe the things you can do, at home and at work, to protect yourself and the Navy from cyber threats.
Few people today need to be convinced that our networks, computers and smart phones are at risk of compromise. We've grown accustomed to the news of computer hacks.
The confidential information of 143 million Americans was potentially compromised in the recent Equifax breech. In May 2017, the WannaCry ransomware attack infected 150,000-plus computers in over 150 countries within the first 24 hours.
If you keep up with the news, you know of Russia's election-focused data thefts and disclosures. More distant high profile attacks, such as the 2015 Office of Personnel Management hack that resulted in the theft of 21.5 million personnel records, are memorable because they affected many of us in the Navy.
From these example hacks, you can safely assume anything connected to the internet is at risk.
In fact, any electronic device for storing and processing data - a computer - is at risk, regardless of whether it's connected to the internet or whether it looks like the desktop or laptop computers we use at home and at work.
Disconnected systems are also vulnerable as attackers have employed innovative tactics to reach systems not connected to the internet. For example, thumb drives loaded with damaging software were picked up by unsuspecting technicians and used to spread the Stuxnet virus to centrifuges in an underground Iranian nuclear research facility.
Although the compromise of Iran's nuclear facility was well publicized, less well known are other news reports that also demonstrate physical systems controlled by computers (control systems) are at risk.
In 2016, hackers who were thought to be from Russia compromised a Ukrainian power company, knocking out power to part of Kiev for over an hour. A 2015 breech of a Ukrainian energy company, which resulted in a power outage to 80,000 customers, may have been related to the 2016 attack. Closer to home, in 2016 "...the Justice Department claimed Iran had attacked U.S. infrastructure online, by infiltrating the computerized controls of a small dam 25 miles north of New York City."
The control systems that manage the Navy's critical infrastructure and other services at Navy bases and facilities are commercial products that have known weaknesses. Like the Ukrainian control systems and the systems controlling the New York dam, Navy control systems and networks used by operational forces could also be at risk of compromise.
During June 2017, a commercial ship off the Russian coast discovered its GPS navigation system erroneously located the ship at an airport 32 kilometers inland. At least 20 other ships in the area had similar problems with their Automatic Identification System, which U.S. Navy ships also use. "Experts think this is the first documented use of GPS misdirection - a spoofing attack that has long been warned of but never seen in the wild."
Chief of Naval Operations (CNO) Admiral John Richardson sums up the current cyber threat environment, "The threats reach well beyond what you would consider a traditional computer or information technology network into the control systems and indeed almost every aspect of our lives and of our Navy mission."
These cyber threats can come from nations with highly sophisticated cyber programs, countries with lesser technical capabilities but possibly more disruptive intent, ideologically motivated hackers or extremists and/or insiders within our organizations, with a variety of motivations. Even cyber criminals threaten the Navy because they sell malicious software to state and non-state actors, thereby increasing the number of potential threat actors.
Vigilance and ensuring a robust defense-in-depth framework that incorporates people, processes and technology to assure our networks are safe is key.
The threat will continue to increase as adversaries look for potential vulnerabilities and increase their level of sophistication for cyber-attacks. In Congressional testimony, former Director of National Intelligence James Clapper described the threat saying, "Cyber threats to US national and economic security are increasing in frequency, scale, sophistication and severity of impact. The ranges of cyber threat actors, methods of attack, targeted systems and victims are also expanding."
But you can make a difference.
By adhering to cybersecurity policies, directives and best practices you can help keep the Navy secure and also protect yourself and your families while online, outside of work. It's an all hands effort, like damage control on a ship.
Knowing adversaries are actively seeking to penetrate our systems, steal our data and disrupt operations should help you understand the CNO's perspective: "Wherever you are, whatever system you're operating, every time you log in, you are in the cyber battlespace."
Be vigilant. Be safe.