State-constructed computer worms from peer adversaries looking to gain an asymmetric advantage in a conflict pose an acute and growing threat to the naval services. Their blinding speed and ability to deliver destructive effects with little regard for physics or geography mean they could be immensely disruptive to the missions of the Navy, Marine Corps, and Coast Guard, barring sufficient preparations to defend against them and mitigate their effects.
NotPetya (described in a Wired article published in August 2018) is a fast-acting, highly damaging computer worm constructed by Russian military intelligence that uses hacking tools stolen from the U.S. National Security Agency. It gains access to computers through vulnerabilities in Windows operating systems, finds passwords stored deep in the memory of the computer, and then irreversibly encrypts the data on the computer while self-replicating and spreading onto other computers.
The statistics of the worm’s effects are jarring. NotPetya took 45 seconds to take down the network of a large Ukrainian bank, cost the pharmaceutical giant Merck $870 million, and forced Maersk—the world’s largest shipping company—to take 10 days to restore the core functionality of its 4,000 servers and 45,000 computers.
The case of Maersk is particularly instructive for the naval services given that the company is a massive seafaring logistics enterprise with almost 80,000 employees operating in 130 countries. Maersk had dedicated substantial resources to cyber security and was, in its own words, “monitoring the cyber threat closely” when NotPetya infected a single computer in its office in Odessa, Ukraine. The worm’s rapid spread through Maersk’s global operations caught the company off guard. The Wired article recounts the improvised and chaotic response at the company’s headquarters in Copenhagen, Denmark:
Maersk employees were running down hallways, yelling to their colleagues to turn off computers. . . . Tech workers ran into conference rooms and unplugged machines in the middle of meetings. Soon staffers were hurdling over locked key-card gates, which had been paralyzed by the still-mysterious malware, to spread the warning to other sections of the building.
Granted, Maersk is a rough proxy for the naval services, and the Department of Defense has been investing in innovative and needed cyber security solutions for some time. However, to be confident that the naval services could weather such a cyberattack, definitive answers from knowledgeable personnel to three key questions are necessary.
1) Are the cyber defenses of U.S. naval services resistant to cyber worms? While the Department of Defense fends off countless cyber attacks daily, Russian spy services have compromised U.S. military computers around the world with a worm before, peer adversaries continue to breach military systems at all levels, and self-identified cyber vulnerabilities remain.
2) How damaging would an uncontained cyber worm on the networks of the naval services be? The potential spectrum of effects of a worm like NotPetya would depend greatly on network segmentation, frequency of system updates, and use of multifactor authentication, among other cyber protections.
3) How well would the naval services function with cyber-degraded C4ISR and how quickly could they resume operations after a state-constructed computer-worm attack? The 10 days that it took Maersk to restart its operations—with a massive focus of resources and no external interference—could potentially be enough time for Russia to seize the Baltics or China to take Taiwan in surprise offensives.
After NotPetya, Maersk’s chairman remarked that the company was “average” at cyber security at the time of the attack, but intended to turn its cyber defenses into a “competitive advantage.” Because state competitors are also vulnerable to computer worms, the naval services could likewise make cyber resilience a dominating advantage by practicing service-wide immediate action drills for computer-worm breaches, including worm considerations in war gaming, and conducting pre-emptive cyber worm–focused audits, among other preparations. In a tight contest against peer adversaries, protection against computer worms could be a decisive factor for the success of the naval services.