When the offices of the Joint Chiefs of Staff at the Pentagon were hacked three weeks ago, the hackers, who were apparently from Russia, harvested a trove of unclassified but sensitive data.
The hackers launched a phishing attack against one or more people at the JCS and succeeded in at least one case. Fortunately, it wasn’t long before cyber-security systems discovered them in the Pentagon’s unclassified mail system and shut the system down.
Shutting the system down limited the damage and ensured that no more information would be extracted until security personnel could determine exactly how the hackers had gotten in and what information they’d taken. They’re still working on that.
Meanwhile, The Wall Street Journal reports that JCS personnel received a one-hour training session on what a phishing attack is and how to avoid one. Such a training session is probably a good thing since it’s important to help the staff understand the problem. But for an organization that’s handling our country’s sensitive national defense information, one has to wonder if that’s all they’re going to get.
A little background: When someone talks about an unclassified email system, to the outsider it sounds as if this is an email system that’s used for setting up lunch meetings and discussing this week’s failure of the Washington Nationals’ bullpen. To some extent that’s true, but an unclassified email system is much more than that.
In the military, an unclassified email system simply means that the content of the email doesn’t have to be protected to the extent it would be if the material were so secret that its distribution must be restricted.
This means, for example, that email messages will include information about operations such as travel plans, training and personnel actions. Taken together, such information can paint an important picture of the tempo and background of military operations. Letting one’s adversary have access is not a good thing.
The question then is: What can be done about it? As it happens, the U.S. Navy has had the answer all along.
In an article set to appear in the September issue of the Harvard Business Review, a former vice chairman of the Joint Chiefs of Staff, Admiral James Winnefeld, along with Christopher Kirchhoff, who also served on the Joint Staff, and Professor David Upton of Oxford University, discusses the critical role human factors play in security.
They argue that the model to use is the one developed by Admiral Hyman Rickover when he developed the management and training procedures for the Navy’s nuclear propulsion program.
Rickover was determined to make the Navy’s nuclear propulsion program so safe that it could be operated reliably even while the ships that depended on nuclear propulsion operated for months underwater or were located far from any source of technical support.
U.S. Military Must Step Up Top Brass Training to Thwart Phishing
He did this with rigorous training, careful selection of personnel, and mutual oversight by the people involved in the program.
He also put his trust in the people, so that anyone, no matter how junior, could stop a procedure in process if he or she detected a safety problem, while requiring any task that could create an accident to be accomplished by at least two people.
The result of this nearly fanatical attention to detail is that so far the U.S. Navy has never had a nuclear accident.
One legacy of this practice made its way to the U.S. Cyber Command, which has been highly effective in turning aside the millions of attacks sustained by military computer systems on a daily basis. But outside of the Cyber Command, things haven’t gone so smoothly.
“You don’t do [the training] after the problem has occurred,” said Stu Sjouwerman, founder and CEO of security awareness training company KnowBe4. “You want to do that before someone clicks on a compromised site.”
“You’d expect the Joint Chiefs [of Staff] to have had that training in place—and they hadn’t. That was borderline criminal oversight,” Sjouwerman added. It was also highly surprising that the White House server was hacked, he said. “You’d expect that especially with Obama having a focus on cyber-attacks, they would have given security training a very high priority.”
In fact, the military does give security training a high priority, but as in many organizations, there are weak spots. One has to guess (since the JCS isn’t discussing the breach) that the Joint Chiefs followed a familiar pattern in which the guys at the top were too busy to get the security training everyone else got. The fact that they had to have an emergency training session on phishing after the breach points to this explanation.
But what’s being overlooked even as the military fixes this problem is the similar issue at companies where the C-level executives are apparently immune from corporate security training requirements. They’re too busy, you see. Their time is too expensive to waste with training.
But, in fact, it’s the data held and used by the C-suite that’s likely the most critical to the success of the business. Even if hackers can’t hack the cash registers, they can still hack the CEO’s email.
This is a blind spot in corporate governance if there ever was one. The authors of the Harvard Business Review article point this out. Unfortunately, I suspect the people who need it the most will also be too busy to read it.