NATIONAL HARBOR, Md. — The U.S. Navy has framed cybersecurity incorrectly for years and is now chipping away at a new approach that better suits the contemporary environment, the service’s chief information officer said Tuesday.
“I have made the assertion now, publicly, multiple times. You may have heard me say it. But I believe that the way that we view cybersecurity in the Department of Navy is wrong,” Aaron Weis said at the Sea-Air-Space conference. “We view cybersecurity as a compliance problem, and it is most definitely not a compliance problem.”
Instead, Weis explained, cybersecurity should be treated like the broader concept of military readiness. A more holistic lens would emphasize active cyber management — considering a range of factors — and could inch away from red tape, audits and boxes that need checking. Essentially, traditional assessments of equipment, logistics, training and personnel, among other things, could find their equal in the digital domain.
“We have 15 years of track record that proves that the current approach to cybersecurity, driven by a checklist mentality, is wrong,” Weis said. “It doesn’t work.”
Sailors and other military officials were warned in February they were targets for cyberattacks amid troubled Sino-U.S. relations and Russia’s invasion of Ukraine.
“Cyberattacks against businesses and U.S. infrastructure are increasing in frequency and complexity,” Navy Vice Adm. Jeffrey Trussler said in an unclassified memo at the time. “[Department of Defense] and federal law enforcement report adversary interest in our remote work infrastructure. This means that you are a target — for your access and your information.”
Hackers previously exploited mistakes on Navy and private networks by stealing or brute-forcing credentials as well as surreptitiously installing malware, according to the memo. Defense News in June 2018 reported Chinese-sponsored cyberattacks breached a Navy contractor’s computers, jeopardizing sensitive data related to secret work on an anti-ship missile.
“With heightened tensions throughout the world,” Trussler said in his February missive, “ensure your team understands how the actions of a single user can impact our global force.”
Weis earlier this year credited Trussler, who is the deputy chief of naval operations for information warfare, Navy Secretary Carlos Del Toro and other leaders for supporting the move away from the compliance mindset.
“This is happening,” he said in a dispatch from the earlier WEST 2022 conference. “And I think, one, it’s really needed. Two, it will put the Department of Navy, again, as a leader in this area as we’re looking to change and improve how we’re operating and how we’re defending.”
Colin Demarest is a reporter at C4ISRNET, where he covers military networks, cyber and IT. Colin previously covered the Department of Energy and its National Nuclear Security Administration — namely Cold War cleanup and nuclear weapons development — for a daily newspaper in South Carolina. Colin is also an award-winning photographer.