In June, the Washington Post covered the revelation that the Chinese government successfully breached an unnamed contractor working for the Naval Undersea Warfare Center, a submarine research branch of the Department of Defense. According to the report, 614 gigabytes of data were stolen, including submarine communications data and information on a secretive project known as Sea Dragon. The attack has been attributed to China's Ministry of State Security, or MSS.
Little is known to the public about the classified Sea Dragon initiative, but sources claim that it was designed to be a “disruptive offensive capability.” Given the long, storied history of nation-state attacks launched by China and other countries seeking to steal DoD secrets, one has to wonder why an initiative of this magnitude didn’t warrant better security by the government. And with a seemingly endless parade of third-party government contractors either walking away with a treasure trove of classified documents or unintentionally compromising them, it’s baffling that more hasn’t been done to address the risks of working with individuals who aren’t bound to follow the same security practices as federal employees.
Current security policies followed and created by the U.S. government offer some guidelines for cybersecurity best practices, especially where third-party contractors are involved. The National Institute of Standards and Technology’s (NIST) own Self-Assessment Handbook for Assessing NIST SP 800-171 security requirements states that all contractors should comply by deploying “adequate security,” and also by reporting when an incident occurs. “Adequate security” in this context means "protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.”
Obviously, the contractor who was working for the DoD on the Sea Dragon initiative failed to provide adequate security. Given what is at stake with national security, the NIST 800-171 basic security requirements are too weak, which is why this scenario keeps happening.
No organization can prevent all breaches – not even the DoD. Millions of dollars are poured into resources to encrypt or control access to confidential data, but breaches continue to result from credential theft and user error based on business mission being prioritized over security. Adversaries will continue to pursue high-value data via any means possible. “Adequate security” in this context should include measures that detect breach activity in real-time, track the data once it leaves the control of the organization or trusted third party, limit exposure by following best practices, and invest in technologies that will allow a fast, accurate response.
Had the DoD security architects followed standard defense-in-depth strategies, Data Loss Sensors, an invention sponsored by the DoD, would be required of each installation. Using a detection-based strategy focused on the data itself, security teams can stay informed about attempts to steal highly confidential documents, even after they are shared with contractors. With real-time, detailed alerts, they can respond quickly to minimize the damage, plus narrow down the suspect list and identify the leaker.
All third-party contractors, especially those working at this level within the DoD, should be required to deploy new technologies that track data and classified documents. By requiring detection mechanisms to follow the document flow of sensitive data, government agencies can raise the bar against the level of "protective security measures" that obviously failed in this case. Detection is far more important, and likely would alerted the security operations team at the Naval Undersea Warfare Center far earlier.