Navy mulls punishment for cyber neglect

U.S. Navy Photo by Mass Communications Specialist 2nd Class Joshua J. Wahl 

What if clicking an email phishing link could get you fired? Cyber hygiene is such a problem for the Navy that the service is considering sanctions for personnel who lack basic cyber hygiene.

"One of the biggest problems we have quite frankly is one of the least costly to address, which is just hygiene. And that's an education campaign to make sure our people understand how critical cybersecurity is," the Navy's number two, Thomas Modly, told reporters following his keynote address at the Sea Air Space conference in National Harbor. Modly stressed that something drastic was needed to highlight cyber hygiene importance.

Noting that some private companies employ internal phishing campaigns and if an employee can be terminated if they take the bait a certain number of times, Modly said the Navy is looking at punitive measures for users to get them to take cybersecurity seriously.

"We're looking at ways to create sanctions for people for not following hygiene. We're not trying to be draconian here but the ramifications of not having tight controls over our data are pretty dramatic," he said. "At the end of the day, it ends up costing people's lives so we have to just get people more seriously about thinking [about cyber] that way," while also "getting a lot more creative about how we make it painful" for intruders.

Modly said the Navy doesn't have anyone "looking at how all the pieces fit together" -- industrial base challenges, cyber hygiene, etc., and "creating the structure to do that is a big part of this."

The Navy completed a cybersecurity review in March that pinpointed areas in need of improvement. The report found that annual training was "far too basic and one-size-fits-all" and "underemphasizes the realities of the cyber threat" to the point that "the workforce is led to believe that cybersecurity is simply a matter of routine compliance, which enables seeing security practices such as password protection and email vigilance as needlessly burdensome."

The Navy's focus on cybersecurity is amplified by the service's legislative push to elevate the CIO role to the secretariat level. Navy Secretary Richard Spencer proposed adding an assistant secretary that would function as a CIO to Congress in April.

Undersecretary Modly, who performs the duties of Navy CIO and chief management officer, said assuming other's roles upon taking office was a first step in elevating the CIO's duties to the "highest possible level in the department."

The Navy gutted its CIO office last year. Modly said he has eschewed the idea of rebuilding it in the last year, saying the long-term strategy is having someone with cyber "as their 100 percent focus."

The Navy is conducting a study evaluating the impact of a fifth assistant secretary position, examining the number of people needed, their missions and charters. The draft report is expected on June 1, and the plan is to start rolling out implementation strategies will follow July, Modly said.

The idea would for it to be a "net zero" move regarding personnel and just moving billets and funding around -- except for the new assistant secretary of the Navy position. The remainder of the former CIO office would report to that new leader. If Congress approves, it could pave the way for more senior, accountable cybersecurity leadership in other military services.

About the Author

Lauren C. Williams is a staff writer at FCW covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at, or follow her on Twitter @lalaurenista.

Click here for previous articles by Wiliams.


  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.