NAVY, INDUSTRY PARTNERS ARE ‘UNDER CYBER SIEGE’ BY CHINESE HACKERS

 

THE WALL STREET JOURNAL

Navy, Industry Partners Are ‘Under Cyber Siege’ by Chinese Hackers, Review Asserts

Hacking threatens U.S.’s standing as world’s leading military power, study says

Navy Secretary Richard V. Spencer testified before the Senate Committee on Armed Services last week.
Navy Secretary Richard V. Spencer testified before the Senate Committee on Armed Services last week. PHOTO: RON SACHS/ZUMA PRESS

March 12, 2019 2:32 p.m. ET

WASHINGTON—The Navy and its industry partners are “under cyber siege” by Chinese hackers and others who have stolen tranches of national security secrets in recent years, exploiting critical weaknesses that threaten the U.S.’s standing as the world’s top military power, an internal Navy review has concluded.

The assessment, delivered to Navy Secretary Richard Spencer last week and reviewed by The Wall Street Journal, depicts a branch of the armed forces under relentless cyberattack by foreign adversaries and struggling in its response to the scale and sophistication of the problem.

Drawing from extensive research and interviews with senior officials across the Trump administration, the tone of the review is urgent and at times dire, offering a rare, unfiltered look at the military’s cybersecurity liabilities.

KEY TAKEAWAYS FROM THE NAVY REVIEW

The Navy report’s authors conducted 31 site visits and interviewed 85 current senior military officers and civilians across both the Navy and wider Defense Department, as well as senior officials at the Federal Bureau of Investigation, Department of Homeland Security and White House National Security Council, among others. Here are their main conclusions:

  • The Navy and its industry partners are facing relentless cyber attacks that seek to steal sensitive national security data by a wide range of foes, with China and Russia the most adept and strategic.
  • The U.S. is at risk of losing global military and economic advantages due to cyberthefts of secrets and intellectual property.
  • Despite efforts to address the problem, the defense industrial base has suffered “a flood of breaches of significant data” and “continues to hemorrhage critical data.”
  • The Navy and Defense Department have only a limited understanding of the totality of losses they and their partners are suffering.
  • The Navy is focused on “preparing to win some future kinetic battle, while it is losing the current global, counter-force, counter-value, cyber war,” the review’s authors conclude.

The 57-page document is especially scathing in its assessment of how the Navy has addressed cybersecurity challenges facing its contractors and subcontractors, faulting naval officials for not anticipating that adversaries would attack the defense industrial base and for not adequately informing those partners of the cyber threat. It also acknowledges a lack of full understanding about the extent of the damage.

“For years, global competitors, and adversaries, have targeted and breached these critical contractor systems with impunity,” the audit says. “These enterprises, regardless of their relationship with the department, are under cyber siege.”

The Navy declined to comment on the review, which hasn’t been publicly released.

Chinese officials didn’t immediately respond to a request for comment, but in the past have denied engaging in cyberattacks.

The review presented the threat posed by China in particularly stark terms, arguing that its cyber espionage operations against the U.S. military, its suppliers and the private sector in general have shifted power dynamics between the world’s two biggest economies.

China has “derived an incalculable near- and long-term military advantage from it [the hacking], thereby altering the calculus of global power,” the report said.

The findings are of acute interest and concern within the Navy.

“We are under siege,” said a senior Navy official. “People think it’s much like a deathly virus—if we don’t do anything, we could die.”

One major breach of a Navy contractor, reported in June and attributed to Chinese hackers, involved the theft of secret plans to build a supersonic antiship missile planned for use by American submarines, according to officials.

The hackers targeted an unidentified company under contract with the Navy’s Naval Undersea Warfare Center in Newport, R.I.

Coupled with that breach, a second breach last year prompted Mr. Spencer to request the internal review, Navy officials said.

The report repeatedly singles out China and Russia in the theft of military secrets, portraying their actions as calibrated to achieve strategic objectives while remaining below the threshold of armed conflict, a metered approach that the U.S. has struggled to defend against.

The review found flaws with the Navy’s longstanding approach to its own supply-chain security, which relies on contractors self-reporting vulnerabilities and breaches. “That after-the-fact system has demonstrably failed,” the review said.

According to U.S. officials and security researchers, hackers have stolen highly classified information about advanced military technology. Victims of Chinese attacks alone span large and small contractors, major universities that develop maritime technology and receive billions in federal research dollars, and the Navy itself.

The Navy and Defense Department “have only a limited understanding of the actual totality of losses that are occurring” due to a scarcity of resources and difficulties involved in tracking breaches at contractors and subcontractors, the report said.

“Only a very small subset of incidents are ‘known’ and of those known, an even…smaller set are fully investigated,” it said.

The report is unclassified and doesn’t provide specific details about individual breaches or tally recent intrusions. A separate classified document details some of the known breaches of the Navy or its contractors.

Navy officials declined to give even an estimate of incidents over the last 18 months other than to say they were “numerous.”

China is considered the biggest thief, officials said, but Russia is another source of concern. Iran also has breached Navy systems, an official said, but that occurred before the Trump administration, the official said.

“It’s not only the number of breaches but the magnitude of the loss that is so troubling,” said another Navy official.

When contractor breaches are investigated, information about the attacks “is often hyper classified and difficult to share, sometimes leading to an alarming lack of understanding and appreciation of the threat,” the review said.

The top-to-bottom review of the Navy’s cybersecurity began last October. The Wall Street Journal reported in December that the review was ordered by Mr. Spencer after a series of hacking incidents.

The Journal reported last week that Chinese hackers had targeted and potentially compromised more than two dozen universities in the U.S. and around the globe as part of an elaborate scheme to steal advanced maritime technology secrets. Some of the schools, such as Penn State’s applied research laboratory, are under contract to the Navy.

In response to those revelations, Sen. Edward Markey (D., Mass.) sent letters Tuesday to Acting Defense Secretary Patrick Shanahan and Homeland Security Secretary Kirstjen Nielsen asking questions about how their agencies protect research institutions from cyberattacks.

“In the era of great power competition, it should come as no surprise that Chinese hackers are targeting academic institutions ripe with valuable information about U.S. military capabilities,” Mr. Markey wrote.

The Navy review faulted the military branch’s culture as lacking an appreciation of the cybersecurity threats it faces, being unable to anticipate novel attacks and favoring compliance and governance over outcomes.

Among recommendations, the review urged identifying and better protecting essential data, selecting leaders to oversee a long-term cybersecurity strategy and installing new accountability measures on contractors to ensure they meet cybersecurity standards.

The national security implications of China’s cybertheft of advanced research from Navy contractors and universities are considered so severe that the issue has been mentioned in the presidential daily brief on multiple occasions, according to a person familiar with the matter. Some subcontractors have been breached by the same Chinese hacking group several times within the same year, despite warnings from investigators, the person said.

The Trump administration has sought in recent months to hold Beijing responsible for what officials have described as a relentless onslaught of intrusions into U.S. corporate and government networks. Chinese hackers stand accused of stealing hundreds of billions of dollars annually in intellectual property from U.S. businesses, and the Justice Department in recent months has announced a series of charges that have blamed Beijing for a variety of wide-ranging cyberattacks.

Write to Gordon Lubold at Gordon.Lubold@wsj.com and Dustin Volz at dustin.volz@wsj.com

 

 

 
Share

Leave a Reply

Search All Posts
Categories