Navy mulls punishment for cyber neglect

What if clicking an email phishing link could get you fired? Cyber hygiene is such a problem for the Navy that the service is considering sanctions for personnel who lack basic cyber hygiene.

"One of the biggest problems we have quite frankly is one of the least costly to address, which is just hygiene. And that's an education campaign to make sure our people understand how critical cybersecurity is," the Navy's number two, Thomas Modly, told reporters following his keynote address at the Sea Air Space conference in National Harbor. Modly stressed that something drastic was needed to highlight cyber hygiene importance.

Noting that some private companies employ internal phishing campaigns and if an employee can be terminated if they take the bait a certain number of times, Modly said the Navy is looking at punitive measures for users to get them to take cybersecurity seriously.

"We're looking at ways to create sanctions for people for not following hygiene. We're not trying to be draconian here but the ramifications of not having tight controls over our data are pretty dramatic," he said. "At the end of the day, it ends up costing people's lives so we have to just get people more seriously about thinking [about cyber] that way," while also "getting a lot more creative about how we make it painful" for intruders.

Modly said the Navy doesn't have anyone "looking at how all the pieces fit together" -- industrial base challenges, cyber hygiene, etc., and "creating the structure to do that is a big part of this."

The Navy completed a cybersecurity review in March that pinpointed areas in need of improvement. The report found that annual training was "far too basic and one-size-fits-all" and "underemphasizes the realities of the cyber threat" to the point that "the workforce is led to believe that cybersecurity is simply a matter of routine compliance, which enables seeing security practices such as password protection and email vigilance as needlessly burdensome."

The Navy's focus on cybersecurity is amplified by the service's legislative push to elevate the CIO role to the secretariat level. Navy Secretary Richard Spencer proposed adding an assistant secretary that would function as a CIO to Congress in April.

Undersecretary Modly, who performs the duties of Navy CIO and chief management officer, said assuming other's roles upon taking office was a first step in elevating the CIO's duties to the "highest possible level in the department."

The Navy gutted its CIO office last year. Modly said he has eschewed the idea of rebuilding it in the last year, saying the long-term strategy is having someone with cyber "as their 100 percent focus."

The Navy is conducting a study evaluating the impact of a fifth assistant secretary position, examining the number of people needed, their missions and charters. The draft report is expected on June 1, and the plan is to start rolling out implementation strategies will follow July, Modly said.

The idea would for it to be a "net zero" move regarding personnel and just moving billets and funding around -- except for the new assistant secretary of the Navy position. The remainder of the former CIO office would report to that new leader. If Congress approves, it could pave the way for more senior, accountable cybersecurity leadership in other military services.