The Department of the Navy (DoN) released a report Monday detailing the service’s widespread cyber security and a continued lack of preventive measures that have contributed to competitors’ ability to successfully steal critical data over a number of years.
The report follows a series of reports detailing the Navy’s inability to improve protection of its technical data and industry partners’ intellectual property (IP) from cyber attacks and a call from the Secretary of the Navy in October to audit the service’s cyber security posture.
“Competitors and potential adversaries have exploited DON information systems, penetrated its defenses, and stolen massive amounts of national security IP,” DoN officials wrote in the report. “This has lessened our capabilities and lethality, while strengthening their offensive and defensive capabilities.”
Officials paid particular note to the Navy’s slow effort to warn its Defense Industrial Base of the increasing attack vector and the threat to its IP once companies entered into contracts on Navy programs.
“This is just not another challenge to be resourced. The failure to protect Navy and Marine Corps information systems and IP is an existential threat to their existence,” officials wrote.
Nation-state hackers, particularly from China, have successfully carried out breaches of sensitive Navy data, according to a recent Wall Street Journal report.
The report finds the Navy’s current cyber security governance structure is inadequate, which led to industry partners not receiving notice of cyber threats.
“We find the DoN preparing to win some future kinetic battle, while it is losing the current global, counter-force, counter-value, cyber war. Knowing and acting on that new reality is essential for the DoN,” officials wrote.
The report recommends the Navy continue its shift to a more secure cyber security governance structure that is information-centric, rather than ship or platform-centric. This includes moving away from the service’s current “vertical stovepiped approach to cyber security.”
Officials have also recommended the Secretary of the Navy establish a Chief Information Security Office role and assign the DoN CIO to reassess the service’s cyber security and IT policy standards.