U.S. Military Must Step Up Top Brass Training to Thwart Phishing

NEWS ANALYSIS: A quick training session after a network breach is a good idea, but the Joint Chiefs of Staff need to apply military practices to solving their phishing problem.


When the offices of the Joint Chiefs of Staff at the Pentagon were hacked three weeks ago, the hackers, who were apparently from Russia, harvested a trove of unclassified but sensitive data.

The hackers launched a phishing attack against one or more people at the JCS and succeeded in at least one case. Fortunately, it wasn't long before cyber-security systems discovered them in the Pentagon's unclassified mail system and shut the system down.

Shutting the system down limited the damage and ensured that no more information would be extracted until security personnel could determine exactly how the hackers had gotten in and what information they'd taken. They're still working on that.

Meanwhile, The Wall Street Journal reports that JCS personnel received a one-hour training session on what a phishing attack is and how to avoid one. Such a training session is probably a good thing since it's important to help the staff understand the problem. But for an organization that's handling our country’s sensitive national defense information, one has to wonder if that's all they're going to get.

A little background: When someone talks about an unclassified email system, to the outsider it sounds as if this is an email system that's used for setting up lunch meetings and discussing this week's failure of the Washington Nationals’ bullpen. To some extent that's true, but an unclassified email system is much more than that.

In the military, an unclassified email system simply means that the content of the email doesn't have to be protected to the extent it would be if the material were so secret that its distribution must be restricted.

This means, for example, that email messages will include information about operations such as travel plans, training and personnel actions. Taken together, such information can paint an important picture of the tempo and background of military operations. Letting one's adversary have access is not a good thing.

The question then is: What can be done about it? As it happens, the U.S. Navy has had the answer all along.

In an article set to appear in the September issue of the Harvard Business Review, a former vice chairman of the Joint Chiefs of Staff, Admiral James Winnefeld, along with Christopher Kirchhoff, who also served on the Joint Staff, and Professor David Upton from Oxford University discuss the critical role human factors play in security.

They argue that the model to use is the one Admiral Hyman Rickover created when he developed the management and training procedures for the Navy's nuclear propulsion program.

Rickover was determined to make the Navy's nuclear propulsion program so safe that it could be operated reliably even while the ships that depended on nuclear propulsion operated for months underwater or were located far from any source of technical support.

Wayne Rash


Wayne Rash is a freelance writer and editor with a 35-year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...