Warship Wi-Fi: Betrayal and Insider Threats on the USS Manchester
An unauthorized Starlink satellite Wi-Fi system on the USS Manchester highlights a tale of betrayal, deceit and shadow IT in the US Navy. This example shows how real-world insider threats can happen – and what could have been done to discover and mitigate the threat.
Streaming movies. Sports. Chatting with friends and family. Acting as a beacon for adversary signals intelligence in the West Pacific. All in a day’s work for the enlisted leadership and the shadow IT network they built on board the littoral combat ship USS Manchester.
The Manchester’s Chiefs Mess unwittingly posed as the ultimate insider threats in this sordid tale. These leaders are the go-to resources for enlisted sailors and officers, mentoring and sharing institutional knowledge and collective wisdom gained from decades of combined experience. The warship’s Chiefs Mess gold crew used that information to create an operational risk to security onboard a US warship that is almost unthinkable.
The ship’s highest-ranking Chief purchased a $2,800 Starlink High Performance kit and worked with co-conspirators to clandestinely install the satellite dish on the Manchester’s weatherdeck. The accompanying unauthorized Wi-Fi network was intended for the Chiefs Mess only, not the officers or the enlisted.
Source: Navy investigation via Navy Times
Once the warship was underway, the Chiefs realized the Wi-Fi signal needed to be stronger for everyone who paid for it to access it. Ever the problem solver, the senior chief bought cable and signal repeaters during a port visit in Hawaii.
The shadow Wi-Fi network wasn’t a secret for long. The network appeared in multiple assets and systems with a highly suspicious name. Scuttlebutt swirled, but the Chiefs Mess closely guarded their secret network. Compounding the deception, the network was renamed, hiding in plain sight as a wireless printer—never mind that there were no general-use printers onboard the ship.
There was grumbling among the enlisted. There were complaints by officers. There were anonymous comment cards to the Commanding Officer. Officers opened investigations and swept inside the ship, looking for the unauthorized system. Twice. The Chiefs Mess stuck to their story. They continued to deny the presence of an unauthorized Wi-Fi network.
Until a civilian installing an authorized Starlink satellite observed the existing one. The unauthorized dish was removed, but the subterfuge continued. The Chiefs Mess continued to control the narrative with lies and excuses, altering usage data from Starlink’s website to show that the network was only used while in port. This went on for weeks until the lead conspirator confessed her exploits directly to the ship’s commanding officer.
Even allowing for the most innocuous intentions, the risk to the ship’s cybersecurity cannot be overstated. This unauthorized system, installed by a group who became insider threats without intending to, jeopardized the vessel’s operational security and demonstrated how shadow IT can infiltrate even the most highly secure environments.
Best Practices for Insider Threat Mitigation
It’s horrifying tales like these that keep CISOs awake at night. The Chiefs Mess took advantage of loyalty and their vast institutional knowledge, counting on no one noticing their unauthorized network in (literally) an ocean of extraordinarily diverse digital assets and technologies. In this case, the co-conspirators were not particularly sneaky or doing anything particularly bad. That doesn’t change the fact that the Chiefs Mess made their ship more vulnerable to enemy eavesdropping and cyberthreats.
Every organization should follow a series of Insider Threat Best Practices to protect against even the most trusted staff and leaders.
Develop a comprehensive insider threat program.
This program includes policies for onboarding, offboarding, and real-time activity monitoring of staff and their digital assets. Ideally, this program is deeply collaborative across the organization and includes departments like Human Resources, Information Technology, Security, and Legal Counsel. Onboarding should include an inventory of the assets, what they are connected to, their intended use, and how they are used. All this information creates a baseline for your network security solution’s anomaly detection capabilities.
Assess and re-assess risks regularly.
Because things slip through the cracks in large organizations, periodic assessments will help identify deviations and inconsistencies, detect vulnerabilities, and evaluate cyber security controls. Assets can be inventoried and classified based on purpose and priority, and traffic patterns must be well understood.
Implement robust access controls.
Apply least-privilege access principles and multi-factor authentication before granting authorization and access to new devices, including devices that automatically broadcast their availability. Tools that enrich asset data can be beneficial in identifying shadow IT, OT, and IoT assets.
Monitor network activity in real time.
Systems monitoring is a must, as traffic patterns and usage data are used to detect abnormal behaviors.
Conduct regular compliance audits and reviews.
Regularly audit the insider threat program and asset compliance, creating a closed-loop system that capitalizes on past incidents and findings.
Situations like the one aboard the USS Manchester illustrate how easy it can be for trusted staff to install and use a shadow IT network. They didn’t intend to become insider threats, but it was the inevitable outcome.
Fortunately, Forescout for Network Security solutions offer advanced capabilities to effectively detect and manage such unauthorized networks and rogue devices.
Forescout for Network Security
Forescout for Network Security is a comprehensive network visibility and control platform designed to address the challenges posed by insider threats, shadow IT, and rogue devices.
Real-Time Network Visibility
Forescout offers real-time visibility into all devices connected to, and attempting to connect to, the network. By continuously checking and analyzing network behavior and traffic, Forescout can detect devices and systems that are not part of the authorized infrastructure. In the case of the USS Manchester, Forescout would have raised an “unrecognized wireless device” alert on the Forescout Platform’s console and to the administrator, allowing for swift investigation and action.
Automated Policy Enforcement
Network operators face the ongoing challenge of ensuring that unauthorized devices do not compromise security. Forescout’s automated policy enforcement features help mitigate this risk by applying predefined security policies to all connected devices. For example, Forescout can use the DoD Comply-to-Connect program’s policies to automatically block, quarantine, and report on the unrecognized device. This automation helps maintain network security and compliance without requiring constant manual oversight.
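The following script is an added illustration of the inventory-baseline approach described under the best practices above (onboarding inventory feeding anomaly detection, and real-time monitoring of connected devices) and of the block/quarantine/report decision that automated policy enforcement makes. It is not Forescout code and uses no Forescout API; the asset inventory, the observed devices, the MAC addresses and the category keywords are constructed sample data. It also generalizes the Manchester case slightly: besides flagging a device that is absent from the inventory, it escalates when that device advertises itself as a category the inventory says does not exist (a “wireless printer” on a network with no printers), and it flags a known asset that starts behaving outside its inventoried role.

```python
"""Rogue-device detection against an asset inventory baseline.

Added example for this article; it is not Forescout code and calls no
Forescout API. The inventory, observations and keyword table below are
constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Keywords that hint at what a device claims to be (constructed table).
CATEGORY_HINTS = {
    "printer": "printer",
    "print": "printer",
    "starlink": "satcom",
    "dish": "satcom",
}

# Policy actions in increasing severity: report, quarantine, block.
SEVERITY = {"report": 0, "quarantine": 1, "block": 2}


@dataclass(frozen=True)
class Asset:
    mac: str
    name: str
    category: str        # e.g. "workstation", "access_point", "printer"


@dataclass(frozen=True)
class Observation:
    mac: str
    name: str            # SSID for an access point, hostname otherwise
    kind: str            # "wifi_ap" or "host"


@dataclass(frozen=True)
class Finding:
    mac: str
    reason: str
    action: str


def claimed_category(name: str) -> Optional[str]:
    """Guess what a device claims to be from the name it advertises."""
    lowered = name.lower()
    for keyword, category in CATEGORY_HINTS.items():
        if keyword in lowered:
            return category
    return None


def evaluate(inventory: Dict[str, Asset], observed: List[Observation]) -> List[Finding]:
    """Compare observed devices with the baseline and choose a policy action."""
    present_categories = {asset.category for asset in inventory.values()}
    findings: List[Finding] = []
    for obs in observed:
        asset = inventory.get(obs.mac)
        claimed = claimed_category(obs.name)
        if asset is None:
            # Rule 1: not in the baseline at all -> unrecognized device.
            action = "quarantine"
            reason = "unrecognized device not in asset inventory"
            # Rule 2: it claims to be something the inventory says does not
            # exist (a 'printer' where no printers are inventoried) -> block.
            if claimed is not None and claimed not in present_categories:
                action = "block"
                reason += f"; advertises as '{claimed}' but no {claimed} assets exist"
            findings.append(Finding(obs.mac, reason, action))
            continue
        # Rule 3: a known asset acting outside its inventoried role, e.g. a
        # switch or printer suddenly broadcasting as a Wi-Fi access point.
        if obs.kind == "wifi_ap" and asset.category != "access_point":
            findings.append(Finding(
                obs.mac,
                f"inventoried as '{asset.category}' but acting as a wireless access point",
                "quarantine"))
        elif claimed is not None and claimed != asset.category:
            findings.append(Finding(
                obs.mac,
                f"advertised name suggests '{claimed}' but inventoried as '{asset.category}'",
                "report"))
    return findings


def highest_action(findings: List[Finding]) -> Optional[str]:
    """Most severe action among the findings, or None when nothing was flagged."""
    if not findings:
        return None
    return max((f.action for f in findings), key=SEVERITY.__getitem__)


# Constructed baseline: what the onboarding inventory says should exist.
INVENTORY = {
    "00:11:22:33:44:01": Asset("00:11:22:33:44:01", "bridge-ws-01", "workstation"),
    "00:11:22:33:44:02": Asset("00:11:22:33:44:02", "ops-ap-01", "access_point"),
    "00:11:22:33:44:03": Asset("00:11:22:33:44:03", "lan-switch-01", "switch"),
}

# Constructed observations from a wireless survey and switch-port scan.
OBSERVED = [
    Observation("00:11:22:33:44:01", "bridge-ws-01", "host"),        # known, normal
    Observation("00:11:22:33:44:02", "ops-ap-01", "wifi_ap"),        # known AP
    Observation("aa:bb:cc:dd:ee:01", "unlisted-wifi", "wifi_ap"),    # unknown AP
    Observation("aa:bb:cc:dd:ee:02", "Wireless Printer", "wifi_ap"), # unknown, claims printer
    Observation("00:11:22:33:44:03", "lan-switch-01", "wifi_ap"),    # known switch acting as AP
]

if __name__ == "__main__":
    for finding in evaluate(INVENTORY, OBSERVED):
        print(f"{finding.mac}: {finding.action.upper()} - {finding.reason}")
    print("highest action:", highest_action(evaluate(INVENTORY, OBSERVED)))
```

Run as-is, the script flags three devices: the unknown access point is quarantined, the unknown device posing as a printer is blocked because the baseline contains no printers, and the inventoried switch that is now broadcasting as an access point is quarantined. The value of the approach lies entirely in the baseline: the onboarding inventory has to record each asset’s category and role, or rules 2 and 3 have nothing to compare against.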
Integration With Existing Security Tools
Integrating solutions allows for coordinated responses across multiple environments and technologies that would be siloed otherwise. For instance, if the Forescout for Network Security solution detects an unrecognized network device, it can work with a Service Impact and Event Management system to analyze the potential impact and coordinate a response that involves multiple security layers, including firewalls and intrusion detection systems (IDS).