'Damage assessment' ongoing in hack of Navy contractor

By Justin Doubleday / June 15, 2018

The Pentagon is conducting an ongoing damage assessment of the hack of a Navy contractor's networks, in which China reportedly stole troves of data on a sensitive program to outfit submarines with a supersonic, anti-ship missile.

The cyberattack involved "technical information" residing on the contractor's unclassified networks, according to Kristen Baldwin, acting deputy assistant secretary of defense for systems engineering. She declined to identify the contractor, but confirmed the company followed Defense Department regulations for reporting cyber incidents that occur on unclassified networks.

"Our process is, once an incident has been reported, we have the option to initiate a damage assessment -- that's what we're doing in this case," Baldwin said June 14 following a National Defense Industrial Association event in Washington. "That helps us to understand the potential risk of what may have been exposed and any risk remediation actions that are necessary."

The Washington Post reported last week that Chinese hackers had stolen hundreds of gigabytes of data in January or February from a contractor who works for the Naval Undersea Warfare Center in Newport, RI. The stolen information, while unclassified, relates to a sensitive program, "Sea Dragon," which the Post reports involves outfitting submarines with a supersonic, anti-ship missile.

According to budget documents, Sea Dragon is one of the Strategic Capabilities Office's secretive projects. Budget documents describe Sea Dragon as a "cost-effective capability" to be demonstrated by "integrating an existing weapon system with an existing Navy platform." They say additional details on the nature of the program are only available "at a higher classification level."

The Pentagon funded the program at $357 million in fiscal year 2018 and is seeking an additional $148 million in FY-19 to complete "underwater static testing" and make preparations for sea-based launch tests, according to the documents.

Chief of Naval Operations Adm. John Richardson said June 14 that the Navy has "a full-court press on this" and confirmed the service is looking into the issue. Additionally, he said Defense Secretary Jim Mattis has directed the Defense Department's inspector general to investigate the issue.

A DOD IG spokeswoman confirmed the investigation but did not provide any details on its scope or timeline.

"We have to do more to get more competitive in this dimension to safeguard information," Richardson told reporters at the NDIA conference in Washington. "Anything where another entity is coming in and intruding, you would feel the same way, if this was on your personal computer. That's a serious matter and we've got to do everything we can to think about how to shut that down."

However, Baldwin said, "just because something has been exposed to a cyber exploit doesn't necessarily mean that it was sensitive information lost," but added more would be known about the Navy contractor incident once the damage assessment is complete.

"What we find in many cases is that it is unclassified data, that it is things we would not be that concerned to lose, because our companies are making strides in putting in place these protections and making sure that our most sensitive data is protected," Baldwin said. 

"But it's something we have to maintain vigilance on," she added. "It's really important for these companies to implement these controls and share with us when something has happened."

-- additional reporting by Lee Hudson