Navy challenged by spear phishing, software patches

The less discriminate act of phishing is apparently a Defense Department-wide problem.

(Image: wk1003mike / Shutterstock)

Of the myriad cybersecurity challenges facing the Navy, two stand out: spear phishing and more swiftly deploying software patches. That was the gist of a June 18 update on Navy defensive cyber operations given by Capt. David Bondura, U.S. Fleet Cyber Command’s assistant chief of staff for operations.

Spear phishing, in which hackers send malicious emails to a select group of people, is “our biggest problem right now,” Bondura said at an AFCEA conference in Baltimore.

“Every single sailor on board any ship still poses a potential risk to that network” when they establish a Secure Sockets Layer (SSL) connection to an outside website by, for example, checking Facebook, Bondura said. “Once that SSL connection is established, we cannot see – that whole DOD architecture that’s built there – cannot see what’s coming down that encrypted pipe.”

The broader act of phishing, which is less discriminate in its target, is apparently a Defense Department-wide problem, judging by a memo DOD Chief Information Officer Terry Halvorsen sent Pentagon employees in March. “Phishing continues to be successful because attackers do more research, evolve their tactics and seek out easy prey,” the memo said.

The Navy has a sprawling IT footprint. Securing all of it absolutely against cyber threats may be infeasible, so the service has set about prioritizing threats via a five-year plan it released in May. That plan drew on lessons learned from “Operation Rolling Tide,” a months-long operation begun in August 2013 to drive Iranian hackers off the Navy Marine Corps Intranet (NMCI), the service’s massive internal computer network.

Bondura arrived at Fleet Cyber Command just before that operation began. “We lived that problem for about seven months, and learned a lot,” he said of the Navy’s first cyber defensive operation to be given a name.

In an interview, Bondura declined to comment when asked whether nation-state-sponsored hackers had broken into NMCI since Operation Rolling Tide. He did say, however, that lessons learned from that operation left the Navy positioned to handle such threats in the future.

Patching up, on the double

The Navy, like other parts of the Defense Department, needs to more swiftly deploy software patches for vulnerabilities, according to Bondura.

“The programs of record on the float units pose a really interesting challenge to the inspection process because … patches become available all the time,” he told FCW. “It’s not that easy to just push a patch out to a forward-deployed unit and say ‘install.’ We have to figure out a better process to make that more efficient and effective.”

Expedience is all the more important because once a zero-day vulnerability catches media attention, hackers are more likely to use it, according to Bondura.

“If the media latches on to something like that – a new zero-day – make your folks pay attention to that, because the adversaries are,” he told the AFCEA audience. “After Heartbleed came out, within about 24 hours, we saw bad guys trying to use that same darn exploit,” added Bondura, referring to the OpenSSL vulnerability made public in April 2014.