Submersive Security: How The Data Protection Efforts Of DCNS Were Torpedoed

What could shipbuilder DCNS have done to better protect its sensitive documents detailing the build specifications for the Scorpene submarine? James Henry, Consulting Practice Director for Auriga, looks at the lessons we should all take from the incident.

News of a massive data leak affecting French shipbuilder DCNS emerged this week regarding the Scorpene submarine. More than 22,400 pages were stolen detailing the technical capabilities of the vessel in a leak to the Australian media (whilst DCNS won a major contract from the Australian government to build a fleet of submarines, the Scorpene vessel is not one of them.)

The disclosure of the intellectual property – said to include stealth, electromagnetic and infrared data – is liable to cost the shipbuilder both in terms of future business and in its reputation. The leakage included data specifying the makeup of the submarine’s critical systems could have huge implications in the effectiveness of deploying it.

DCNS was commissioned to produce six Scorpene’s for India back in 2005, (the first of which is undergoing sea trials with the second in production) and has also produced vessels for Brazil which were due to be deployed in 2018 as well as for Malaysia and Chile.

Investigations are still underway by the Indian Government, with reports thus far quoting Defence Minister Manohar Parrikar as saying “I understand there has been a case of hacking” and the Indian Ministry of Defence stated “the source of the leak is from overseas”.  Clearly more information will filter out as investigations continue but there is already wide spread speculation over whether this was a case of industrial espionage or political hactivism.

DCNS has issued a statement confirming that local security countermeasures are being employed and has speculated that the hack could have been motivated by ‘economic warfare’. DCNS fought off stiff competition to win the Australian contract for 12 submarines and is currently tendering for military contracts for Norway and Poland. That said, Reuters also drew attention to the intensification of the Chinese presence in the Indian Ocean while Indian suspicions also included Pakistan.

Whether the work of commercial espionage or a nation state, the hack does seem to have exploited a weak spot in the organisation’s infrastructure, with reports suggesting data was mishandled back in 2011 by a former French navy officer who then became a DCNS subcontractor. The data is since said to have circulated in Asia and through several pairs of hands before being disclosed in Australia.

While we don’t yet know the exact methods used to extract the data or how long it has been in the wild if these reports are to be believed it seems odd that DCNS failed to notice the breach.  Why did it take publication via the Australian media for DCNS to become aware? Such organisations should be constantly patrolling for information indicating a leak, both on its own systems and externally by listening to social media, forums, and the dark web.

The leak highlights the vulnerability of even the most security-conscious companies when it comes to protecting highly-sensitive classified information. Clearly the supply chain is still an Achilles heel, proving that protecting the castle is not enough.  Businesses need to engage and cascade obligations to all users of key sensitive data including third party suppliers, partners, customers and contractors to ensure they adequately manage the security of the data provided to them in line with requirements and expectations.

Then there’s also the post-leak scenario to consider. Once it was alerted, was the Incident Response process timely and extensive enough to limit the damage and identify the area of exposure? And has the shipbuilder done enough to reassure its customer base that this was an isolated incident and demonstrate the level of data protection awarded to other vessels/contracts? What assurances will it give the four governments affected by the breach?

These are all questions we may never know the answer to. But we should all be watching how this story unfolds, and how security is redressed, given the dependency of every modern business on the extended supply chain.  And it also holds lessons on how important it is to listen in on what is happening out there on the wider web.

[su_box title=”About James Henry” style=”noise” box_color=”#336588″][short_info id=’87646′ desc=”true” all=”false”][/su_box]