The Washington Post recently reported that the Chinese Ministry of State Security stole a trove of sensitive defense information from a U.S. Navy contractor working for the Naval Undersea Warfare Center. According to the Post, the information included plans to develop a supersonic anti-ship missile for U.S. submarines, along with “signals and sensor data, submarine radio room information relating to cryptographic systems, and Navy submarine development unit’s electronic warfare library.”
It is no secret that the Chinese government has been building its capacity to project military power in the Pacific ocean for many years, and that it has engaged in a corresponding effort to collect intelligence regarding the capabilities of its potential rivals in that theater, including the United States. In this case, the Chinese intelligence services have reportedly acquired information regarding the development of a supersonic, submarine-launched anti-ship cruise missile. So what the heck is that? In short: Modern ship-to-ship naval engagements will likely be conducted “over the horizon,” meaning at ranges where the combatants are unlikely to have a direct visual or radar line-of-sight to one another. As a result, many countries have developed semi-autonomous missiles capable of travelling great distances to a target area, where the missile will then locate and destroy an enemy vessel using its own onboard sensors. These missiles can often be launched from a variety of platforms, including ships, submarines, aircraft, and coastal batteries. Such weapons were employed most recently in the waters near Yemen, where they were reportedly launched by Yemeni coastal forces against U.S. and U.A.E. military vessels (resulting in significant damage to the U.A.E. vessel, a former U.S. Navy asset). For more than 30 years, the U.S. Navy’s principal anti-ship cruise missile has been the Harpoon, which flies at very low altitudes at subsonic speeds. Meanwhile, many other countries (including China) have reportedly developed or procured a variety of anti-ship cruise missiles that either maintain supersonic speeds for their entire flight, or incorporate a supersonic “sprint vehicle” to quickly close with the target during the missile’s terminal attack phase. These flight characteristics may be advantageous in combat. According to the Post, some of the data stolen from the U.S. Navy contractor relates to a U.S. Navy program to develop a new supersonic anti-ship cruise missile that can be launched from U.S. submarines.
As one might expect, there is a constant arms race between the developers of anti-ship cruise missiles and the developers of defenses to anti-ship cruise missiles. To prevent the development of effective defenses, countries generally keep secret the technical specifications and capabilities of their missiles. It is therefore quite surprising that, according the Post, the U.S. Navy contractor was storing information concerning its missile development program on an unclassified computer system. At a minimum, the Post reported, “the material, when aggregated, could be considered classified.” It is also quite surprising that the contractor was reportedly storing information regarding cryptographic systems for submarine communications and electronic warfare information on unclassified systems. Cryptographic systems prevent military communications from being read by foreign military and intelligence services. Electronic warfare systems are used to detect, classify, and, in some cases, disable enemy radar systems. The specifics of the Navy’s cryptographic and electronic warfare technology are closely guarded secrets. It is difficult to imagine a scenario in which that information could properly be stored in an unclassified setting.
Although information on this incident is still unconfirmed and preliminary, professionals responsible for information security (i.e., everyone who works on a computer) can draw some useful conclusions regarding potential weaknesses in their security procedures:
- Match Security to Content. The more sensitive your data, the stronger security protection it should received. That may mean, for example, that higher risk data should be stored on more secure networks, be protected with greater levels of encryption, be more restricted, etc.
- Beware Third Parties. Don’t forget to consider the security environments of your third party vendors — a requirement under some information security laws. Do not share data with third parties without first confirming that the data will be stored in an appropriate location, that adequate security measures are in place, and that the data will not be further disseminated without your express permission. Secure a right to inspect or otherwise confirm a vendor’s security measures from time to time.
- Beware the Potential for Aggregation. Some types of data are innocuous in small doses, but, when aggregated in bulk or with other data, can be mined for sensitive information. Data should be sufficiently segregated to ensure that no single source, if breached, can give away the farm. Where data must be aggregated in a single location for reasons of operational necessity, additional security measures may be appropriate.