Slashdot Mirror


Chinese Hackers Breach US Navy Contractors (wsj.com)

Chinese hackers are breaching Navy contractors to steal everything from ship-maintenance data to missile plans, triggering a top-to-bottom review of cyber vulnerabilities, WSJ reported Friday, citing officials and experts. From the report: A series of incidents in the past 18 months has pointed out the service's weaknesses, highlighting what some officials have described as some of the most debilitating cyber campaigns linked to Beijing. Cyberattacks affect all branches of the armed forces but contractors for the Navy and the Air Force are viewed as choice targets for hackers seeking advanced military technology, officials said. Navy contractors have suffered especially troubling breaches over the past year, one U.S. official said. The data allegedly stolen from Navy contractors and subcontractors often is highly sensitive, classified information about advanced military technology, according to U.S. officials and security researchers. The victims have included large contractors as well as small ones, some of which are seen as lacking the resources to invest in securing their networks. One major breach of a Navy contractor, reported in June, involved the theft of secret plans to build a supersonic anti-ship missile planned for use by American submarines, according to officials.

7 of 61 comments

  1. Contract Requirements by lionchild · · Score: 4, Insightful

    Clearly, contract requirements should also now include proof of engagement in best practices of network and data security.

    --
    Awk! Pieces of eight. Pieces of eight. Pieces of seven... ERROR: General Protection Fault. [Paroty Error.]
    1. Re:Contract Requirements by CaptainDork · · Score: 4, Insightful

      That will not fix the problem.

      Nothing will.

      IT has been recommending best practices for decades and top brass shrug it off.

      A fucking document will not plug the fucking hole. The military contractors are as hardened as Equifax and Yahoo!, right? What's a document going to do?

      When contractors included security as an option in their bids, the Feds said it was too much - get costs under control.

      --
      It little behooves the best of us to comment on the rest of us.
  2. When the punishment meets the crime... by Lucas123 · · Score: 5, Insightful

    "One major breach of a Navy contractor, reported in June, involved the theft of secret plans to build a supersonic anti-ship missile planned for use by American submarines, according to officials."

    When contractors are held criminally responsible for their poor security resulting in military secrets being stolen by our enemies, then maybe they'll get serious about plugging the holes.

    1. Re:When the punishment meets the crime... by Ken+McE · · Score: 5, Insightful

      "When contractors are held criminally responsible for their poor security resulting in military secrets being stolen by our enemies, then maybe they'll get serious about plugging the holes."

      If you hold them responsible for being the victim of a crime, they'll stop reporting crimes.

    2. Re:When the punishment meets the crime... by john.r.strohm · · Score: 4, Insightful

      The problem with your point of view is that the contractors themselves committed a serious Federal crime when they put that classified information onto computers that were accessible from the outside world.

      Someone is going to have to do a lot of explaining on all this.

      Unfortunately, we will probably never hear the full story.

  3. Computer security seems an oxymoron by Seven+Spirals · · Score: 4, Insightful

    I worked for years as a security analyst mainly just developing exploits and pen-test frameworks. I have to say that I'm now completely disillusioned with IT security and it now bores me to tears. The Chinese and/or other state actors have stolen soooooo fucking much from us. The F35, hypersonic missiles, complete lists of government agents/employees from the OMB, the list is very very long. You partisans will probably all assume I am a Trump-lover but I don't like him. I do, however, have to admit that he seems to at least be able to talk about Chinese IP theft unlike 99% of other politicians who just seem so sprung on the globalism gravy train they can't see that these people are behaving like *enemies*. Love or hate Trump, we gotta address this problem. My preference would be to emulate the Skunkworks and be super militant about physical security and just crucify a few people for bringing in USB sticks and smart phones in to flout the rules. I'd also force people to stop using computers for things they didn't need them for and just put the data/research at greater risk. Computers don't solve all problems with equal effectiveness, despite some people wanting to use them everywhere. However, I'd also take action against China. I bet if you started de-coupling all their domains from DNS root servers you'd get their attention. If they broke off and formed "Chinanet" then that'd be just fine - fewer hacks on our servers from their dirtbag inhabitants and government. When I geoip block China on my firewalls hack attempts go down by about 90%. They are rarely smart enough to use on-shore machines to hack from (it happens, but rarely, I found some Chinese hosting asshole in LA that had a nest of them once).

  4. Personnel... by mi · · Score: 5, Interesting

    It is a well-known fact that ethnic Chinese abroad spy for China en masse. Some willingly, some — under coercion.

    One immediate step a country could take is to treat them with increased suspicion, which in the US is both against the laws and the morals — targeting expats from a particular country is denounced (and even prosecuted) as "racial profiling" — a trait Chinese society itself does not possess.

    Until we overcome this weakness against Chinese — the way we are overcoming it with the Russians, for example, our highest-tech research will remain at risk.

    --
    In Soviet Washington the swamp drains you.