Officials recently revealed that a data breach occurred involving a Navy Contractor where hackers working for the Chinese government gained access to highly sensitive data regarding submarine warfare. Included in the breach were top secret plans for the design of a supersonic anti-ship missile system that was to be used in U.S. submarines by the year 2020.
American officials have confirmed that these breaches occurred in January and February of 2018, but would say very little else about the breach, citing the secret nature of the stolen plans. An investigation into what happened and exactly how the breach occurred is ongoing and the government is reluctant to speak of the incident while the investigation unfolds.
Though the naval contractor was not identified, U.S. officials confirmed that he worked for the Naval Undersea Warfare Center. This military organization is located in Newport, R.I. They conduct research on underwater weaponry and develop weapons specifically for submarines.
The stolen data consisted of 614 gigabytes of information closely related to a project called Sea Dragon. In addition, radio room materials related to cryptographic systems were stolen along with, signaling and sensor data. The Washington Post has obtained more detailed information about this breach but, at the request of the U.S. Navy, they have agreed not to publish those facts. The military believes releasing these documents could further harm national security and put other military projects in jeopardy.
One of the more alarming details of the breach was that this naval contractor had highly sensitive information about Sea Dragon stored on his personal computer and phone. These devices did not have the necessary security protocols for storage of classified government documents. The contractor was using a normal unclassified network for his phone and computer despite knowing that the information he was privy to was of top-secret nature. Charges may be filed against the individual for not taking basic steps to secure the data and following NIST guidelines.
This incident has sparked highly-charged discussions about the Navy’s ability to properly oversee its vast network of contractors. Many of these people have access to the designs for America’s latest weaponry. Loss of these plans and blueprints could result in a devastating effect on America’s military capabilities.
Last week, the inspector general’s office at the Pentagon confirmed that Jim Mattis, Defense Secretary, was currently reviewing the handling of all military contractors. Mattis and his team will investigate whether there are other blatant cybersecurity issues that could possibly leak classified information to the Russians, Chinese, or North Koreans.
The Navy, working in conjunction with the FBI, is currently leading the investigation into what happened.
The naval spokesman, Cmdr. Bill Speaks, commented saying, “There are measures in place that require companies to notify the government when a ‘cyber incident’ has occurred that has actual or potential adverse effects on their networks that contain controlled unclassified information.” He added that “It would be inappropriate to discuss further details at this time.” The FBI has declined to comment.
Little is known about the Sea Dragon project, except that the project was designed to provide a “disruptive offensive capability” by “integrating an existing weapon system with an existing Navy platform.” In addition, the Pentagon said that the project has to date, cost over $300 million. The Navy had plans to begin underwater testing as early as September of 2018, but those plans will now most likely be placed on hold.
Military experts believe that China will now be able to develop technology that will render the Sea Dragon project ineffective. There is some speculation that other weaponry projects could also be compromised.
The government has set in place an extensive array of security protocols and guidelines to ensure that events like this do not happen.
According to the Nist.gov website:
All Department of Defense (DoD) contractors that process, store or transmit Controlled Unclassified Information (CUI) must meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards by December 31, 2017, or risk losing their DoD contracts.[1]
DFARS regulations were created to stop cyber breaches like Sea Dragon from taking place. All government contractors and sub-contractors are required to use high-level security protocols anytime they store, process or transmit sensitive government data.
According to a study done by IBM in 2014[2], human error is involved in as many as 95 percent of all data breaches. Cyber breaches are successful because hackers prey on human weaknesses. Most commonly, hackers lure an unsuspecting victim into giving access to the cyber thief believing him to be a legitimate person or company. Hackers are able to sell the information they obtain on the Dark Web.
Many governments around the world now employ a staff of hackers who work continuously to steal data from large companies, individuals, hospitals, various government organizations, non-profits and many others. The stolen information will fetch a high price on the Dark Web. In the case of Sea Dragon, the data loss could place an advanced Naval weapons systems into the hands of the Chinese.
[1] https://www.nist.gov/mep/cybersecurity-resources-manufacturers/dfars800-171-compliance
[2] https://securityintelligence.com/the-role-of-human-error-in-successful-security-attacks/