Fifty-one years ago, the loss of 129 sailors aboard the USS Thresher prodded the Navy to pioneer world-class safety protocols that have kept the submarine fleet safe from catastrophe for more than four decades. In the aftermath of a major breach of Navy IT networks, officials are making an urgent attempt to repeat the process in cyberspace.
A “Cyber Awakening,” the moniker Navy officials have applied to the process, began quietly in July. It aims to export the same level of rigor and discipline the Navy famously applies to nuclear and submarine safety to all aspects of how it acquires and manages information technology.
It includes a top-to-bottom scrub of every Navy system with a network connection, whether or not it’s connected directly to the public Internet. By midway through 2015, the task force will recommend immediate steps that must be taken to close cyber vulnerabilities not just in the day-to-day business IT systems that tend to get the most attention, but also in network-connected combat systems that may have fallen below the waterline of the cybersecurity discussion so far.
“A lot of people ask why we’re calling this an awakening, because cyber has been part of the picture for a decade,” Matthew Swartz, the director of the Navy’s cyber awakening task force, told reporters Friday. “The reason we chose that word is because it is now commanders’ business. Cyber and IT is now part of the warfighting system. We’ve elevated it from a business discussion to a warfighting discussion.”
Navy officials said the foreign intrusion into the Navy-Marine Corps Intranet (NMCI), known internally as Operation Rolling Tide, was one of a few very recent incidents that put officials on notice that cyber attacks could impact their ability to perform the Navy’s core missions, and that the threats also potentially implicate its industrial control and weapons systems.
They declined to identify the other incidents, but suffice to say the combined effect got the attention of the service’s most senior leaders. Four separate task groups are moving forward with the explicit blessing of the Navy Secretary and the Chief of Naval Operations. Each group is due to report its findings and recommendations by midway through next year, with several interim requirements along the way.
A cybersafe mentality
Some of the objectives involve immediate remediation plans to patch network-connected systems that the Navy fielded decades before the term “cybersecurity” entered the military’s lexicon. Other elements of the task force are charged with developing long-term strategies to make sure that every new item the Navy buys or builds fits into a “CYBERSAFE” mentality — the Navy’s new IT analogue to the SUBSAFE program that was born out of the Thresher disaster. Other missions include identifying weapons systems that must be protected from cyber threats at all costs.
“An adversary wouldn’t design an attack that’s specifically tailored for a combat system versus a business system. They’re going to design a cyber attack, and then they’re going to apply it against any system that has vulnerability,” Swartz said. “We might have put a system in one category or the other, but the enemy couldn’t care less. They’re going to use their capabilities against us wherever they can, and is the consequence more severe on a combat system? Without a doubt. And when we say that we need to protect those systems, we also need real-time awareness of their current state.”
As one objective of the project, the Navy wants to be able to describe the overall cyber readiness of the fleet in the same way it talks about the readiness of carrier strike groups — something it can’t do right now. By cyber readiness, it doesn’t just mean NMCI, its main shore-side network; it means the health and security of the entire interconnected system of technology on every one of its ships, submarines, aircraft and shore installations.
To that end, one of the project’s task groups is focused mainly on getting the Navy’s various technical communities to talk to each other about how to identify and manage cyber threats, and then build systems that are more resilient against attacks.
The engineers who design and field airplanes at Naval Air Systems Command, ships at Naval Sea Systems Command and installations at Naval Facilities Command are all top-notch experts in their own right. But the Navy says they haven’t yet been on the same page when it comes to managing cybersecurity as an enterprisewide concern.
“This task force includes all of them,” Swartz said. “The awakening means that the folks that traditionally have managed and developed combat systems — the people at the pointy end of the spear — are now part of this, and we’re doing this as a collective for the first time,” he said. “Cyber risks are as critical to our systems commands as they are to our business systems. It’s imperative that we can share information, both on and off the ship.”
By next summer, the Navy says it will have drawn up a prioritized list of actions it must take to define a cyber boundary around the systems it has to protect and the immediate actions it must take to make that happen.
But Swartz said the awakening isn’t a one-off project because the Navy cannot realistically catalogue and protect every IT system in one go-round. So the task force’s real job is to institutionalize its new, broader take on cybersecurity and inculcate the “CYBERSAFE” mentality into everything the Navy does, from the time it develops a new requirement to the time it sends a vessel to a salvage yard.
“There will be very specific recommendations that come out of this, but the primary goal is to establish a framework that lets us continue to do this in the future,” he said. “I think the most important takeaway isn’t necessarily going to be the plan itself, but the steps we took to create the plan. How did we assess our gaps?
“How did we prioritize? Handing that framework over to whoever is going to own this as a long-term responsibility is as important as building the initial list of actions.”