Navy challenged by spear phishing, software patches


Of the myriad cybersecurity challenges facing the Navy, two stand out: spear phishing and the need to deploy software patches more swiftly. That was the gist of a June 18 update on Navy defensive cyber operations given by Capt. David Bondura, U.S. Fleet Cyber Command’s assistant chief of staff for operations.

Spear phishing, in which hackers send malicious emails to a select group of people, is “our biggest problem right now,” Bondura said at an AFCEA conference in Baltimore.

“Every single sailor on board any ship still poses a potential risk to that network” when they establish a Secure Sockets Layer (SSL) connection to an outside website by, for example, checking Facebook, Bondura said. “Once that SSL connection is established, we cannot see – that whole DOD architecture that’s built there – cannot see what’s coming down that encrypted pipe.”

The broader act of phishing, which is less discriminate in its target, is apparently a Defense Department-wide problem, judging by a memo DOD Chief Information Officer Terry Halvorsen sent Pentagon employees in March. “Phishing continues to be successful because attackers do more research, evolve their tactics and seek out easy prey,” the memo said.

The Navy has a sprawling IT footprint. Securing all of it completely against cyber threats may be infeasible, so the service has set about prioritizing threats via a five-year plan it released in May. That plan drew on lessons learned from “Operation Rolling Tide,” a months-long operation begun in August 2013 to drive Iranian hackers off the Navy Marine Corps Intranet (NMCI), the service’s massive internal computer network.

Bondura arrived at Fleet Cyber Command just before that operation began. “We lived that problem for about seven months, and learned a lot,” he said of the Navy’s first cyber defensive operation to be given a name.

In an interview, Bondura declined to comment when asked whether nation-state-sponsored hackers had broken into NMCI since Operation Rolling Tide. He did say, however, that lessons learned from that operation left the Navy positioned to handle such threats in the future.

Patching up, on the double

The Navy, like other parts of the Defense Department, needs to more swiftly deploy software patches for vulnerabilities, according to Bondura.

“The programs of record on the float units pose a really interesting challenge to the inspection process because … patches become available all the time,” he told FCW. “It’s not that easy to just push a patch out to a forward-deployed unit and say ‘install.’ We have to figure out a better process to make that more efficient and effective.”

Speed is all the more important because once a zero-day vulnerability catches media attention, hackers are more likely to use it, according to Bondura.

“If the media latches on to something like that – a new zero-day – make your folks pay attention to that, because the adversaries are,” he told the AFCEA audience. “After Heartbleed came out, within about 24 hours, we saw bad guys trying to use that same darn exploit,” added Bondura, referring to the OpenSSL vulnerability made public in April 2014.

About the Author

Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.

Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.
