The Navy has just wrapped a one-year project designed to “awaken” the service to the need to drive cybersecurity concerns into everything it does. It’s now transitioning the lessons it learned into a permanent organization called Navy Cybersecurity.
The enduring organization will be part of the Navy’s headquarters staff at the Pentagon, consisting of about 40 people whose full-time job is to make sure the service’s acquisition policies, its personnel practices and its general culture are all pointed toward greater cybersecurity. Officially, it will sit within the office of Vice Adm. Ted Branch, the Navy’s chief of information dominance and chief information officer, but its policy, budgeting and oversight roles will extend far beyond traditional IT systems and into anything the Navy buys that might have a microchip inside it: in other words, almost everything.
The office is meant to carry on the work of Task Force Cyber Awakening (TFCA), the temporary organization the Navy created last year to force its organizational culture to pay more attention to cyber after several worrisome incidents, including one that compromised the Navy-Marine Corps Intranet (NMCI) in 2013.
On that score, Branch said the task force did what it was supposed to.
Insight by HighPoint Global: Federal practitioners provide examples of the digital customer experience in this exclusive executive briefing.
“The fundamental change TFCA made was to make cybersecurity an organizing and resourcing principle, and it wasn’t before,” he told reporters. “It’s been a great success in cobbling together a lot of different non-parallel efforts and focusing them in one direction with organizational relationships that will be enduring and a clear path for follow-on effort.”
The top-to-bottom scrub the task force undertook over the past year caused the Navy to reallocate roughly $300 million in existing funding to remediate cyber problems on its networks, within its weapons platforms and in the industrial control systems that keep the lights on aboard its bases. The Navy also used the task force to make tradeoffs between roughly 300 competing cyber spending priorities between now and fiscal 2021.
That’s one reason the Navy decided it needed a brand new standing organization rather than transitioning TFCA’s work to the 10th Fleet, the existing Navy component of U.S. Cyber Command. Branch said the organization needed to have the authority not just to command and control the service’s networks on a day-to-day basis, but to help direct its cyber investment priorities.
“From a resourcing construct it made the most sense,” he said. “It gives us a tie-in between the acquisition community and the resource sponsor here in the office of the Chief of Naval Operations (CNO). As chief of information dominance, I don’t have any direct tie, really, into our acquisition commands. They work primarily for [assistant secretary of the Navy for research, development and acquisition] Sean Stackley. But in this new construct, I get my guidance both from the CNO and Mr. Stackley. By doing it that way we get everybody in tune and have some levers to have action to take place. If it was under 10th Fleet, they have no ties to the acquisition community.”
The new cybersecurity organization also will take charge of the CYBERSAFE program the Navy launched a year ago. Officials think of it as an information-age corollary to the multi-decade SUBSAFE program the service launched following the 1964 sinking of the U.S.S. Thresher in order to head off any further undersea catastrophes.
CYBERSAFE will eventually include major cyber hygiene components through which the Navy hopes to influence individual sailors’ behavior, but for now, it is highly focused on ensuring cybersecurity is a key priority in Navy procurement plans. So CYBERSAFE offices are also being set up the Naval Sea Systems Command, the Naval Air Systems Command and the Space and Naval Warfare Systems Command.
While those acquisition commands will be in charge of certifying the equipment they’re procuring as “CYBERSAFE,” the central Navy Cybersecurity division will try to ensure they’re doing so with a coherent and common set of guidelines, said Troy Johnson, the division’s civilian director.
“What we do is provide the money, the policy and oversight to synchronize and orchestrate across these commands. Normally it’s OK to say, ‘You handle the ships, you handle the subs, you handle the aircraft,’ but cyber is different,” he said. “Cyber affects all of those things, so we needed an orchestrated approach across all of those functions.”
For instance, Branch said the new division will need to guide Navy decisions about when and how CYBERSAFE standards should actually be applied. Since they will demand high reliability and rigorous documentation of the supply chain involved in building any piece of hardware, they’re virtually guaranteed to drive up the cost of IT products, so the Navy wants to apply the strictest standards only where needed.
“Because of SUBSAFE, you can go to a nuclear weld on a submarine, pull the records, and know who did it, what his or her background was, what day it was done and what the material was they used to put it together. We’re going to need the same kind of approach in CYBERSAFE at least some cyber components,” he said. “Part of the effort will be identifying the cyber system level which talks to the role and criticality of that system in the mission of the ship and then the cyber system grade, which gets to whether commercial off the shelf is suitable in a certain instantiation or whether it needs to be a no-kidding CYBERSAFE component from a trusted foundry.”
And just as ships are designed with the ability to close watertight hatches to contain flooding in the case if a hull breach, the Navy wants to be able temporarily bifurcate its networks in such a way that parts of them can be isolated from others if a ship is headed into hostile cyber territory or under an actual attack.
“In a maximum condition of readiness, you’d close off all of those compartments and make that ship as compartmented as possible. In CYBERSAFE conditions, we’ll have and ability with networked systems to do that same thing. We’ll be able to preemptively segment networks and have admittedly less connectivity but less vulnerability too,” he said. “You could do that for a period of time if you felt an attack was imminent and then restore more network connectivity as the situation allowed.”
Navy officials also said the new division will play a major role in the upcoming updates to the Navy-Marine Corps Intranet. NCMI already has undergone major changes in the past three years as it transitioned from a contractor-owned network to a government-owned one under the Next Generation Enterprise Network contract, and Navy officials said that fact alone has made NMCI more agile in adapting to the government’s cybersecurity demands.
But last month, the Navy released a request for information in preparation for a new competition for vendors’ right to operate the network. The next round of contracts could involve multiple vendors operating different NMCI enterprise services rather than the winner-take-all approach the Navy settled on for the first NGEN contract.
“The whole concept behind NGEN was to be able to parse out different services and capabilities and get the best value. Clearly, cybersecurity has value, and so the vendors that come in with inherently more cybersecurity will be able to expound on that aspect of their offering,” Branch said.
Navy officials said the early efforts of the new cybersecurity organization are heavily focused on physical objects and IT services, but the division will also be paying a lot of attention to user behavior across the fleet as the organization matures.
“CYBERSAFE goes to a cultural change in the Navy,” Branch said. “It goes back to the damage control analogy where every sailor has the responsibility to do their part to make the ship more secure and fight through a casualty. Every sailor also has the responsibility to make the network more secure and not do dumb things. Resistance to phishing attacks are learned behaviors. We have to train the force in what those common human-induced vulnerabilities are. This is about recognizing information as a warfighting domain and then recognizing that the network is a weapons system in that domain. Everybody who touches a keyboard or piece of electronic equipment is a piece of that fight, and we’re going to be driving that down to the unit level.”