As hacks, intrusions and attacks against civilian and military networks have increased in recent years, the Navy and other services have placed a premium on cybersecurity and ensuring their systems are as fortified as possible against bad actors.
But according to an internal Navy audit obtained by Navy Times, the submarines of Naval Submarine Force Pacific and their tenders did not receive the required internal and external cybersecurity inspections in recent years, raising the specter of cyber vulnerability among some of the sea service’s most potent platforms.
The Naval Audit Service report, released last September, found that the Navy’s Fleet Cyber Command did not inspect and assess the cybersecurity of 41 SUBPAC subs and two tenders as required from 2016 to 2018, and failed to document the reasons why those inspections didn’t take place.
When asked, personnel responsible for such vulnerability evaluations and intrusion assessments of information technology networks blamed short staffing for not doing the tests, which are required to be conducted every three years, according to the audit report.
“Personnel informed us that they do not have enough staff to meet the triennial inspection requirement for all information systems, so they excluded Navy submarine networks,” according to the audit, which was obtained by Navy Times via a Freedom of Information Act records request.
Those personnel told auditors they decided to cut sub cyber inspections because the boats disconnect from the network while conducting operations, and that they “informally determined” that more heavily used Navy networks are more vulnerable to attack and should be prioritized for inspection.
Personnel also said they did not document their reasoning for excluding subs and tenders because there was no policy requiring that such decisions be documented.
Auditors wrote that it was possible that “excluding submarine networks from inspection workload may expose the Department of Defense Information Network to an unacceptable level of risk.”
The audit recommended several reforms and Fleet Cyber Command concurred with those prescriptions.
The command has completed “a comprehensive review of our inspection site selection and prioritization processes and reinvigorated efforts to include afloat units that includes Submarines and Submarine Tender vessels,” command spokesman Cmdr. David Benham said in an email Thursday.
Auditors also found shortfalls within SUBPAC regarding cyber inspections.
Despite having a formal cybersecurity inspection policy, auditors found that SUBPAC “had insufficient oversight controls and defined procedures, as well as no formal training to ensure required cybersecurity inspections were performed and properly documented.”
All told, SUBPAC and its squadrons did not retain documentation showing that mandated cybersecurity inspections were performed from 2016 to 2018 on 53 percent of the required inspections.
“As a result, COMSUBPAC lacked the assurance that submarines and tenders were as cyber ready and secure as possible,” the report states. “There is also a risk the inspectors will not perform consistent and thorough inspections or follow up on previously noted deficiencies.”
The audit found that SUBPAC was not ensuring that corrective actions were resolved, and there was no clear procedure defined for conducting and recording cybersecurity inspections.
“In addition, according to COMSUBPAC’s Cyber Department, there was no formal training for its inspectors on how to properly record and maintain documentation for the (Immediate Superior in Command) cybersecurity inspection process,” the report states.
Auditors recommended several changes to beef up SUBPAC’s cybersecurity processes, including developing an oversight process and buttressing the inspection system to better define procedures — prescriptions with which the command concurred.
SUBPAC officials did not immediately respond to a request for comment Thursday regarding the audit.
Geoff is a senior staff reporter for Military Times, focusing on the Navy. He covered Iraq and Afghanistan extensively and was most recently a reporter at the Chicago Tribune. He welcomes any and all kinds of tips at firstname.lastname@example.org.