The US Navy’s Naval Undersea Warfare Center (NUWC) bills itself as a "full-spectrum research, development, test and evaluation, engineering and fleet support center for submarines and autonomous underwater systems". Clearly, its assets would be attractive to malicious actors, and rock-solid security processes -- especially in supply chain -- would be assured without exception. Unfortunately, this is not so, as recently revealed when a NUWC contractor's network was compromised leading to the theft of hundreds of gigabytes of sensitive - maybe classified - US Navy data.

In January and February 2018, Chinese hackers compromised the unclassified network of a US Navy contractor working for the NUWC. Amounting to 614 gigabytes, the exfiltrated data included signal, sensor and cryptographic systems data, submarine radio room information, the Navy's submarine development unit's electronic warfare library and information on the Sea Dragon, a “disruptive offensive capability” project. Described as catastrophic for US warfare advancements, the classification of the information was conflicting, revealing some clear issues with the supply chain and overarching legislation. One thing is for sure, China didn't just tip the US' hand: they grabbed all the cards, kicked over the poker table and went home with strategic advantages.

When news of the breach was publicized in June 2018, the complexity of the issue was only hinted at - certain details on the compromised missile project were withheld at the request of the Navy, arguing their release could harm national security. Referred to as a "serious" hack by officials, it was actually really serious: when aggregated, the unclassified data would be very "revealing of [US Navy warfare] programs", possibly classified. As expected, it didn't take long for questions to be raised on why data that was considered to be 'highly sensitive' was stored a contractor's unclassified network. And as expected, the Pentagon has not elaborated on what exactly went awry with NUWC security processes, contractor compliance and Sea Dragon, the secret, non-secret project that is no longer a secret.

Although breached, not much is known about Sea Dragon's operational capabilities other than it was a supersonic, anti-ship missile that would enhance the Navy's existing submarine land-attack platforms with an undersea payload of missiles. Considering the current array of US missiles, the air defense Standard Missile 6 (SM-6) may have been the receiving technology. If Sea Dragon's design included target data from the Naval Integrated Fire Control-Counter Air (NIFC-CA), the Navy could hurl missiles at 2,685 miles an hour, below and canted from the expected radar position, leaving only minutes for a target to detect, track and destroy them. The result? A major counter-offensive response that would halt an enemy's offensive tactics, while maintaining the Navy's defensive position. Although merely speculation, out of all possibilities this is a likely scenario. In either respect, the compromise of Sea Dragon represents a tremendous national security and naval warfare setback for the US.

The truly shocking thing about the NUWC hack and Sea Dragon is that it isn't the first time. Or the second.

China has been employing cyber-espionage for large-scale strategic gain for a while now. In 2013, a confidential report prepared for the Pentagon listed over two dozen major weapons designs systems critical to US missile defense and combat that were compromised by Chinese cyber spies. The report identified weapon design and system breach on the Pentagon’s regional missile defense for Asia, Europe and Persian Gulf, the advanced Patriot missile system, an Army system for shooting down ballistic missiles and the Navy’s Aegis ballistic-missile defense system. Also making the list were vital combat aircraft and ships, such as the F/A-18 Hornet, the V-22 Osprey, the H-60 Black Hawk helicopter, the Navy’s Littoral Combat Ship and the F-35 Joint Strike Fighter that rang in over $1.4 trillion, suggesting billions of dollars in combat advantage for China…and trillions of US warfare budget vapourized and wasted.

China's pursuit of becoming the pre-eminent super power in East Asia is palpable. The NUWC contractor breach was just another attempt to either snuff out US military advantage, an operational gain to be exploited in future conflict or a direct benefit to China's own defense industry; this was presumed to be the case in the theft of the F-35 fighter designs followed by Beijing's super-fast development of its own version. Not surprisingly, China has repeatedly denied any involvement - direct or indirect - in any espionage activity targeting the US. Whether this hack, or any of the others, was executed by Chinese state or non-state actors doesn't really matter: if China isn't condemning and interdicting the actions of those behind the hacks, they might as well be signing the cheque.

US and Canada need to accept and respond to the fact that supply chain and suppliers are hot targets for infiltration and exfiltration due to weak legislation and regulations. Many US officials have expressed frustration at the scale of cyber theft from defense contractors and inability to prevent it, from Ret. General Martin Dempsey, former chairman of the Joint Chiefs of Staff to Ret. General Keith Alexander, former director of the National Security Agency. But it's not as though they haven't tried.

In the early 2000s, the Pentagon launched a pilot program to assist the defense industry in hardening assets by giving them access to classified threat data from the National Security Agency to screen their networks for malware. Eventually this was expanded to include more defense contractors and other industries, with limited success as attack vectors became more sophisticated, and yes, asymmetrical. Then the 2015 National Defense Authorization Act (NDAA) amendments did take shot, albeit conservative, by requiring classified defense contractors to report network intrusions and allow government investigation of the breach. Still, direct punitive measures, such as modifying contracting rules to require that Pentagon suppliers and contractors secure their networks or be stricken from the list, stalled.

Inside, the older internal security policy outlined in Secretary of the Navy Instruction (SECNAVINST) 5510.36 and security controls from the DoD Information Assurance Certification and Accreditation Process (DIACAP) were replaced with the NIST Risk Management Framework (RMF) and related Special Publications to meet internal security requirements. Systemically covering categorization of systems, selection of appropriate security controls, implementation of controls and assessment of effectiveness, authorization of systems to operate and then monitoring their use for process improvement, these requirements have not yet been extended to the supply chain.

In August 2018, MITRE, the not-for-profit sponsored by the Department of Homeland Security, published Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War, a supply chain security study that recommended "improved relations with contractors, new standards and best practices, changes to acquisition strategy and practice, and initiatives that motivate contractors to see active risk mitigation". Noting, only weeks later the US' House Energy and Commerce Committee delivered a blistering criticism of MITRE's Common Vulnerabilities and Exposures (CVE) database program, charging that, “[b]arring significant improvements, they will likely lead again to challenges that have direct, negative impacts on stakeholders across society.” To hear that the CVE database is 'broken' and unreliable is jarring to practitioners, as it is heavily relied on as a source of vulnerabilities for software, hardware and operating systems.

Running Madly Off in All Directions

Currently, the supply chain is front-and-center, in part due to the NUWC hack. In the 2019 NDAA amendments, more constraints are laid out including pressure on China's telecom companies by barring federal agencies from buying their products and restrictions on the Pentagon’s use of technology that is considered a risk to national security. At the process level, the US Government also instituted procedural measures that include the certification or adherence to security standards, such as the National Institute for Standards and Technology (NIST) series that can be specified in tenders and statements of work. But for all of the efforts to improve legislation, standards, procedures, controls and vulnerabilities reporting, there appears to still be little control over contractors and suppliers architecture and controls as they related to classified and un-aggregated unclassified data.

Evidenced by the many breaches of government data in recent years, ranging from classified national security data to the more benign, the conceptual asymmetry of attacks remains a struggle. Regardless of its classification, the more that data is shared, changes state or is permitted access to, the more vulnerabilities will surface in 'people, processes and tools' making control selection more complex. Government must rely on external parties to augment resourcing needs, so the once closed systems of decades ago have now been networked, socialized and globalized, resulting in more of a revolving door than an access-controlled, air-gapped, man-trap - as they should be. For those reasons, suppliers, contractors and supply chain will remain a conundrum - and an opportunity for malicious actors.

Can this long-standing problem be mitigated, reducing the most pressing risks? Of course. Much of the current response is post-breach reactive from 'mopping up the mess' to a directive or report summarizing the harm or damage. From the NUWC hack, it is clear that breach was more procedural than technological: a security vulnerability existed in the supply channel and its related processes. Acknowledging the importance of strict standards is imperative. In July 2018, I wrote a Vanguard article, Risky Business: Wading Through Security and Risk-Reduction Standards, and focused on a recent comparative analysis I had performed for a GoC department on supply chain security. In short, it was underscored that where, in the past, suppliers and contractors were assessed on certification and compliance, we now need to shift to compliance of controls to secure the supply chain at every stage and level.

It starts at the top. Legislatures and executives need to demand and support strict internal and external regulations and standards. Without directives with 'procedural teeth' and sanctions, we risk repeating history, again. Practitioners need to think creatively - like the malicious actors - so that vulnerabilities and vectors can be mapped and monitored and controls can be adjusted, beyond technological 'hacking' and analysed outside the 'kill chain'. Treating risk-based security as a "profit center" and augmenting with integrated practices across attack vectors - supply chain, cyber-physical, cyber-IT and human domain - as described in the MITRE report, is a start.

Understanding the entire operational environment and dissection of technological and process layers, reverse engineering of forensic outputs in context of defined assets and architectures, mapping data state changes identifying all attack vectors, and dynamically managing this 'ecosystem' through continuous improvement - these are no longer options.

Right now, the impact of the NUWC hack is yet to be quantified (at least, publicly) but likely several months from now it will be found in a report outlining the financial, capability and national security cost of weak supply chain security. Recognizing the wheels of legislation and regulation turn very slowly, the question at that time will be, what has been done to prevent another breach of this kind? ... Possibly another question might be, what will Canada have learned (and implemented) from the US' hard lessons in supply chain security?

written by Valarie Findlay