At long last, perhaps five years too late, the U.S. Navy is getting serious about responding to the massive hacking effect that the Chinese government has launched against it. In effect, the Chinese have poured into the Navy’s business through channels and from directions that the Navy hasn’t been aware of or hasn’t been able to respond to.
As I detail in my book, The New Art of War, arms of the Chinese government obtained records of 22 million government employees in 2015 from the Office of Personnel Management and the APT10 hacking group, in cooperation with the Ministry of State Security, stole 100,000 more names of Navy members, as disclosed in Dec. 2018. They even stole ship maintenance records.
So it is possible that the Chinese government has the names of every member of the U.S. Navy and may also have been able to match up those names with credit bureau and health records it has stolen.
Now the Navy is appointing a cyber czar, as per the following article in today’s Wall Street Journal. I append it. Is it too little too late?
U.S. Navy to Appoint Cyber Chief Following a Blistering Audit
New position is part of broader effort to end plague of cyberattacks
WASHINGTON—The Navy is hiring a new cyber chief in an attempt to better shield its military secrets from Chinese hackers and other nation-state thieves who have aggressively targeted naval operations in recent years, according to Navy officials.
The new position is part of a broader effort to improve cybersecurity in the Navy and among its private-sector industry partners, coming after a scathing internal audit earlier this year found that repeated compromises of national-security secrets threatened the U.S.’s standing as the world’s top military power.
Officials plan to announce Thursday that they will appoint Aaron Weis as the Navy’s new chief information officer. Mr. Weis, now a senior adviser for the Pentagon’s chief information officer, will lead efforts to safeguard the Navy and Marine Corps’ secrets by pushing changes on a number of fronts.
These include what officials called cultural changes to improve basic cybersecurity practices, accountability across the Navy for data security and improving security practices among smaller defense contractors that conduct sensitive work but are frequently targeted by China and other countries, like North Korea, Iran and Russia, officials said.
China remains the primary concern, however, officials said.
“They’re never going to stop,” Undersecretary of the Navy Thomas Modly said of China in an interview. “They are going to be at this for a very long time, largely because they’ve been successful at it.”
Mr. Modly and other Navy officials have declined to provide specifics about recent breaches at the Navy and its contracting partners.
Revelations last year detailed how Chinese hackers gained access to secret plans to build a supersonic antiship missile planned for use by American submarines, according to officials at the time. Chinese hackers targeted an unidentified company under contract with the Navy’s Naval Undersea Warfare Center in Newport, R.I.
Navy officials said a broader response plan to implement changes within the Navy and Marine Corps is taking form and would surface later this year. The hiring of Mr. Weis was a critical first step, Mr. Modly said.
Mr. Weis will have four chiefs reporting to him, including a chief technology officer, a chief of digital strategy, a chief data officer and a chief information security officer, Mr. Modly said.
Some of the weakest links in the Navy’s ability to protect its research and technology from hackers are the smaller defense firms that perform a range of work and services for the service.
Prime contractors, such as Northrop Grumman Corp. and General Dynamics Corp. , typically have the resources to protect their information, and rules and requirements are instilled in their employees. But the smaller firms that contract with those firms, and the smaller ones still, are more vulnerable, officials said.
That presents a conundrum to the Navy which relies on those firms, but also must find a way to hold them accountable for safeguarding information.
“There are a lot of things we’re thinking about doing that will sort of burden share this with them,” Mr. Modly said. “I think that’s probably a fair way to say it.”
Research universities that develop maritime technology have been a particular liability.
The Navy is battling what officials consider cultural issues inside the service that have resulted in lax cybersecurity, officials have said. Many commanders tend to see cyber defense as ancillary to their primary responsibilities, heightening the need for accountability as the Navy tries to rein in the problem.
As a result, the Navy will have to approach its own workforce with a carrot-and-stick approach, Mr. Modly said, which will be challenging given military and government personnel rules.
“But that doesn’t mean we can’t reward people for demonstrating good behavior.”
Navy officials initially sought to name a new assistant Navy secretary overseeing cybersecurity who would have reported directly to Navy Secretary Richard Spencer, other officials said. But congressional officials balked at the plan, and the Navy settled for a new chief information officer who answers to Mr. Spencer, through Mr. Modly, the undersecretary of the Navy, these officials said.
Mr. Spencer commissioned the unusual study last year and had its conclusions released publicly to draw attention to security matters. The Wall Street Journal first reported on the study in March.
Afterward, President Trump, who took notice of the report, commented to top aides that he was concerned about the threat posed to the Navy by cyberattacks, according to an individual familiar with the conversation.
Write to Gordon Lubold at Gordon.Lubold@wsj.com and Dustin Volz at dustin.volz@wsj.com