Navy challenged by spear phishing, software patches

(Image: wk1003mike / Shutterstock)

Of the myriad cybersecurity challenges facing the Navy, two stand out: spear phishing and more swiftly deploying software patches. That was the gist of a June 18 update on Navy defensive cyber operations given by Capt. David Bondura, U.S. Fleet Cyber Command’s assistant chief of staff for operations.

Spear phishing, when hackers send malicious emails to a select group of people, is “our biggest problem right now,” Bondura said at an AFCEA conference in Baltimore.

“Every single sailor on board any ship still poses a potential risk to that network” when they establish a Secure Sockets Layer (SSL) connection to an outside website by, for example, checking Facebook, Bondura said. “Once that SSL connection is established, we cannot see – that whole DOD architecture that’s built there – cannot see what’s coming down that encrypted pipe.”

The broader act of phishing, which is less discriminate in its target, is apparently a Defense Department-wide problem, judging by a memo DOD Chief Information Officer Terry Halvorsen sent Pentagon employees in March. “Phishing continues to be successful because attackers do more research, evolve their tactics and seek out easy prey,” the memo said.

The Navy has a sprawling IT footprint. Securing all of it completely against cyber threats may be infeasible, so the service has set about prioritizing threats via a five-year plan it released in May. That plan drew on lessons learned from “Operation Rolling Tide,” a months-long operation begun in August 2013 to drive Iranian hackers off the Navy Marine Corps Intranet (NMCI), the service’s massive internal computer network.

Bondura arrived at Fleet Cyber Command just before that operation began. “We lived that problem for about seven months, and learned a lot,” he said of the Navy’s first cyber defensive operation to be given a name.

In an interview, Bondura declined to comment when asked whether nation-state-sponsored hackers had broken into NMCI since Operation Rolling Tide. He did say, however, that lessons learned from that operation left the Navy positioned to handle such threats in the future.

Patching up, on the double

The Navy, like other parts of the Defense Department, needs to more swiftly deploy software patches for vulnerabilities, according to Bondura.

“The programs of record on the float units pose a really interesting challenge to the inspection process because … patches become available all the time,” he told FCW. “It’s not that easy to just push a patch out to a forward-deployed unit and say ‘install.’ We have to figure out a better process to make that more efficient and effective.”

Expedience is all the more important because once a zero-day vulnerability catches media attention, hackers are more likely to use it, according to Bondura.

“If the media latches on to something like that – a new zero-day – make your folks pay attention to that, because the adversaries are,” he told the AFCEA audience. “After Heartbleed came out, within about 24 hours, we saw bad guys trying to use that same darn exploit,” added Bondura, referring to the OpenSSL vulnerability made public in April 2014.

About the Author

Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.

Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.
