February 2, 2024 | Policy Brief

Cyber Resilience Is Key To Protecting U.S. Naval Manufacturing

Regulatory filings last month have revealed new information about the amount of personal information compromised in a ransomware attack on Fincantieri Marine Group (FMG), the U.S. subsidiary of an Italian shipbuilding company that contracts with the U.S. Navy. The incident highlights the need for improved cybersecurity measures to protect the defense-industrial base (DIB) from global cyber risks.

Last April, FMG discovered a security breach in its computer network following a ransomware attack that lasted at least six days. FMG responded quickly by securing its systems and sharing information with relevant stakeholders. However, the attack disrupted information servers and manufacturing machines, causing a delay in the production of combat ships at FMG’s shipyard in Marinette, Wisconsin. This incident compounded the Navy’s existing challenges in meeting production targets due to labor shortages.

By November, FMG had determined the hackers had also compromised nearly 17,000 people’s personal information, including their names and Social Security numbers. In early January — nine months after the initial breach and two months after discovering the leak of personal information — the company notified the appropriate regulators and sent breach notification letters to the affected individuals, in compliance with state regulations.

The cyberattack on FMG is part of a larger trend. As maritime-focused law firm HFW and cybersecurity firm CyberOwl concluded in an October 2023 report, the maritime industry is an “easy target” and is facing increasingly costly cyberattacks.

In December 2022, the Port of Lisbon suffered a ransomware attack. In January 2023, hackers shut down the servers of a global ship classification and certification organization. Another ransomware attack hit Japan’s largest port in Nagoya in July. In November, denial-of-service attacks disrupted operations of the four largest ports in Australia for three days. And last month, another U.S. Navy contractor, Austal, suffered a ransomware attack that ultimately did not affect operations or compromise personal or classified information.

The U.S. Navy has taken note of the challenges facing its contractors and the broader maritime industry, releasing its long-awaited cybersecurity strategy in November. The Navy pledges to strengthen DIB cybersecurity by exchanging threat information with contractors and other relevant stakeholders and by providing small- and medium-sized contractors with resources to help them safeguard their data. The strategy also commits to helping DIB partners include stricter cybersecurity language in their own contracts with outside vendors.

These measures aim to minimize cyber risks to avoid manufacturing delays and to strengthen supply chain resilience. But, just as with the Biden administration’s National Cybersecurity Strategy, effective implementation will be key. The White House has prioritized implementing its national strategy. The Navy — and the Department of Defense more broadly — should similarly follow through on its commitments to exchange cyber threat information and identify supply chain risks so the DIB partners can mitigate or manage them. When the DIB has poor cybersecurity, the country’s national security is put at risk.

Jiwon Ma is a senior policy analyst at the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD), where Sophie McDowall is an intern. FDD is a Washington, DC-based, nonpartisan research institute focused on national security and foreign policy.