Cybersecurity issue

Audit Exposes Lack of Cyber Inspections in US Pacific Submarine Fleet

Despite the premium the U.S. Navy has placed on cybersecurity in recent years, a report revealed that some of the service’s most valuable assets may have been left out. According to an internal audit obtained by media, vessels under Naval Submarine Force Pacific and their tenders have not been getting the required internal and external cybersecurity inspections.

The audit’s finding has brought to light “the specter of cyber vulnerability” among some of the sea service’s most potent platforms, C4ISRNET reported Friday. It was learned that the Navy’s Fleet Cyber Command did not inspect and assess the cybersecurity of 41 SUBPAC submarines and two sub tenders as required from 2016 to 2018, and failed to document the reasons why those inspections did not take place.

Auditors wrote that when asked to explain the omissions, the personnel responsible for such vulnerability evaluations and intrusion assessments of information technology networks “blamed short staffing for not doing the tests, which are required to be conducted every three years.”

Those responsible for the triennial inspection said they lacked the manpower to implement them, so they simply excluded Navy submarine networks, according to the audit. Furthermore, the assigned inspectors told auditors they decided to put off submarine inspections because they “informally determined” that other Naval assets are more vulnerable to attack and should be prioritized for inspection.

It was also noted in the audit, which was obtained by journalists through a freedom of information request, that assigned inspectors did not document their reasoning for excluding submarines and their tenders because there was no policy requiring that such decisions be recorded. The omission has exposed the Department of Defense Information Network to an unacceptable level of risk, the auditor concluded.