Navy Secretary Richard Spencer was blunt: the service is struggling to beat back threats to cybersecurity and the supply chain.
“We are woefully behind,” Spencer said Oct. 23 at the Brookings Institution.
Spencer said the service has a plan to improve and pointed to the newly established position of special assistant/chief information officer filled by Aaron Weis. That job has four directorates aimed at modernizing the service for a digital age and keeping the Navy sharp against top cyber threats.
The Navy is establishing a special assistant to the secretary, effectively reforming the role of the chief information officer.
Moreover, Spencer said his thinking and level of engagement on cyber has evolved in the last year.
“I need to fight to get off the pier. I might not be able to start the ship. I might not be able to get fuel to the ship,” he said.
Adversaries have begun to realize they can target suppliers far down the supply chain, who in many cases may not follow proper cybersecurity practices. These companies, which might supply a small, yet critical component such as chips or even tires, could be hit with a crippling cyberattack and limit production, a move that would have wide ranging implications for the larger force.
The Department of Defense hosted a prototyping event to test tools that can monitor manufacturing company networks for cyber intrusions.
“If you look at Sun Tzu, what is one of his rules? Take over the enemy and keep all their assets in tact. That is cyber 101,” Spencer said. “I need every single resource I can – and that’s not dollars … it’s gray matter … to combat this.”
The Department of Defense is looking at preventing supply chain vulnerabilities by creating a framework that all companies must meet depending on how sensitive the systems or programs are they’re working on called the Cybersecurity Maturity Model Certification, or CMMC.
One of the directorates under the new CIO is a chief information security officer who will work with the defense industrial base, Weis said during an AFCEA Northern Virginia chapter event in early October.
Weis said the tier 2 and 3 suppliers are the most exposed, which was also validated in the Navy’s Cyber Readiness Review, commissioned by Spencer following the aforementioned exfiltrations.
“What we really need to look at is how do we work with our tier 1 suppliers,” he said. “Help me help you. We all have to be able to secure this together.”