The military has plenty of cybersecurity challenges on its plate as it is trying to ward off threats from unfriendly governments, unaligned hackers and criminal syndicates. But it’s not doing itself any favors by insisting on buying the cheapest possible equipment it can find to build and defend its own networks, the Navy’s top cyber officer said Tuesday.
Vice Adm. Jan Tighe, who became commander of the Navy’s Fleet Cyber Command earlier this year, said that despite pressures on the overall budget, her service needs to reexamine the calculus it has tended to use up until now when weighing costs against security within its cyber systems. She framed the refocus as in line with official military doctrine, which now stipulates that cyberspace is truly a warfighting domain, on par with and interdependent with the old-fashioned ones: land, sea, air and space.
But the way the military has been purchasing capabilities for cyber hasn’t necessarily reflected that dynamic.
“For a great many years, there has been a lot of pressure put on obtaining capabilities for communications and networks at the lowest price,” Tighe said. “That pressure for fiscal efficiency is at odds, in some cases, with being secure and knowing exactly where you’re getting that router or switch from. There will continue to be budget pressure that pushes our acquisition system to get low prices, but the lowest price is not always the most secure.”
Tighe, speaking at the Center for Strategic and International Studies in Washington, said the push for low pricing in cyberspace is an outgrowth of the notion that all information technology should be treated as a commodity, regardless of its application, and that the government would be best served by relying on industry to innovate and then demanding the lowest price from the commercial marketplace.
“That’s the line of thinking we’ve been operating under, but you would never buy a weapons system in that manner,” she said. “Nobody goes out and says ‘Let’s buy the cheapest system we can find’ in the kinetic arena. We study what we should be buying, we ask what’s the realm of the possible with physics and technology, and we understand its capabilities before we go out and buy it. We have to bring cyberspace more into that realm, thinking about it like we’re acquiring a weapons system. It has to be defendable. It absolutely has to be defendable.”
Fleet systems vulnerable
Meanwhile, Tighe said fiscal considerations in other areas of the Navy’s budget also are creating significant concerns about the defensibility of the Navy’s systems. Since ship procurement and operating dollars are on the wane, the Navy is stretching its broader fleet modernization programs out over longer periods.
That means existing vessels are out to sea for longer than planned, and don’t adhere to their regularly-scheduled maintenance routines. In an earlier age, that might have meant that a turbine engine didn’t get as much attention as it should have. While that’s still true, cyber brings an entirely new set of considerations. Many of the computers aboard those vessels are growing increasingly outdated, and consequently, more vulnerable, Tighe said.
“When we delay modernization of our systems, we are delaying the upgrade of our operating systems, and it’s very difficult to defend an old operating system against new zero-day vulnerabilities, and those new attacks surface on every given day these days,” she said. “Suddenly, your attack surface has grown wherever that vulnerability happens to be across the Navy network.”
The budget-driven decisions the Navy makes to slow or spread its shipbuilding plans are usually based on the service’s best judgments about the demands that will be placed on its ships and the impacts those programmatic choices will have on the fleet’s overall ability to be physically present in the places where combatant commanders want them.
But Tighe said up until now, they have not taken into consideration the impact of those decisions on the Navy’s overall cybersecurity posture.
“I think we’ve identified that as a significant issue, but we need to figure out how we’re going to change the programming, planning, budgeting and execution process to reflect that,” she said. “We need to figure out what the sustainment plan of our cyber systems looks like across all kinds of systems, especially shipboard systems because of the restricted maintenance availabilities they have now. Those factors haven’t been well understood in the past, and decisions have been made without understanding their long-term effects. Sustainment of software-heavy systems — which includes most of our systems these days — has to account for the fact that vulnerabilities will happen, baseline changes need to be made, and the longer it takes us to do that, the more opportunity we’re presenting for the bad guys out there.”
Certified “Cyber Safe”
That rethinking of the role of cyber in the decision-making process for ship programs is part of the Navy’s Task Force Cyber Awakening, a program it started earlier this year to expand its overall thinking about cyber beyond the province of the Navy’s IT community.
One objective is to make sure that all the systems the service buys and operates are certified as “Cyber Safe.”
“We want to make sure we look at it across the entire kill chain,” Matthew Swartz, the task force’s leader, told reporters last month. “We need to look at all of our systems, from the initial thought of a concept of a capability to the acquisition of that capability to the deployment of that capability until we finally retire that capability. We need the ability to monitor those from end-to-end and track them through the entire lifecycle. We’ve realized that the acquisition part of this is just as critical as the operational part. We need to make sure that as we’re designing and acquiring things, we’re doing it to a Cyber Safe standard.”
The Navy envisions that one day in the near future, there will be one single official in charge of certifying that all of its proposed systems are “cyber safe” before it greenlights the procurement of any new system, but it hasn’t yet settled on exactly who that cyber czar would be or how the decision-making process would work. Answering those questions is one of the central functions of the new task force.
In any case, Tighe said the Navy needs to start treating its cyber systems as what existing military doctrine already strongly implies they are: weapons systems, not just computers and cables.
“Whether we like it or not, cyberspace is an established, operational, warfighting domain,” she said. “Just like sea, air, land and space, it has to be defended, and we’re also going to need to use it to deliver effects against adversaries that want to do us harm.”