The Navy is several months into a major effort that aims to draw up the service’s first comprehensive, enterprise-wide approach to cybersecurity. So far, there is good news and bad news.
On the plus side, the Navy thinks it has a robust accounting of all of its systems’ cyber vulnerabilities for the first time ever, both ashore and at sea. But the logistical challenges involved in plugging each of the holes one-by-one make it wildly impractical to do so, even if the Navy had enough money in its budget to pull it off — and it doesn’t.
The improved IT security picture comes from a project called Task Force Cyber Awakening, which the Navy launched last July following a series of worrisome attacks, including one that compromised portions of the Navy-Marine Corps Intranet (NMCI).
The task force has much more work to do before it delivers final recommendations to service leaders later this year, but a new repository of known vulnerabilities is among the initial work products: It contains nearly 500 items, and fixing each one would cost an estimated $8 billion, Matthew Swartz, the task force’s leader told a Navy IT conference in San Diego last week.
“If I want to address it vulnerability-by-vulnerability, it’s unexecutable because of the nature of the Navy, and it’s also unaffordable because nobody can possibly reprogram that much money,” he said. “So, we’re going to have to prioritize, and we’re doing it based on consequence. We’re going to do what we need to preserve the capability to prosecute the fight, and understand that there are some consequences that we can’t accept. As we define the things we can’t accept, we can build in layered defenses to make sure we don’t have to. Right now, that’s how we’re prioritizing.”
Making investment decisions based solely on how bad things would be if something went wrong is not an ideal way to balance risk, but it’s the best option available at the moment, Schwarz said, because the Navy is missing one key element of information that’s usually part of the military’s risk calculus: the severity of the threat.
“We talk about the threat, but we can’t really quantify it yet,” he said. “We can qualify it a little bit and identify who they are, but we can’t quantify their intent, what tools they’re going to use, what they’re planning to do right now. So the threat right now is hard and we’re still trying to work through it. But if that information is still taking shape, I can’t use it to prioritize yet because I don’t know what it is.”
However, the Navy has also taken into account how probable it is that an adversary could mount a successful attack against different categories of its systems, and based on the assessments it’s done over the past year, it’s invested heavily in technologies to protect its key Internet-connected networks, including NMCI, its shore-based network and Consolidated Afloat Networks and Enterprise Services (CANES), its shipboard network.
But the task force is still trying to think about how to prioritize cybersecurity spending for other systems, such as those that handle industrial processes like electric distribution or other critical warfighting capabilities aboard ships and installations.
Since many of those systems are theoretically disconnected from networks that hackers could exploit, the probability of them being penetrated is ostensibly low. If they were, however, the consequences could be catastrophic.
“But right now, as we start to look at this with industry, this is an area where we’re still in research mode,” Swartz said. “We’re still trying to find out what technologies are available and design solutions, so the types of dollars we’re going to invest there are going to be mostly directed at research and development. And right now, the discussion the task force is having is whether industry is able to push this, or whether the Navy and the Department of Defense is going to have to take ownership of the innovation curve on how we close that gap. We’re not sure industry has the same challenges we do. I would argue there are at least some areas where DoD is going to have to own the responsibility to innovate here.”
Part of the task force’s charter is to make sure that any systems the Navy buys from now on — from ships to backend business systems — fit into a forthcoming set of commonly-understood “CYBERSAFE” standards, so the Navy will have an ongoing understanding of its cyber posture rather than having to identify and inspect myriad stovepiped systems. Accordingly, the executive committee behind the task force is co-chaired by both the vice chief of Naval operations — the head of the Navy’s requirements community — and the service’s assistant secretary for research, development and acquisition.
But in the meantime, the Navy is going to be fighting with IT systems that were built without the benefit of centralized cybersecurity management for many years to come, Swartz said, so it also needs to make sure the systems it already owns can head into a warfighting environment against high-end cyber adversaries.
As one solution, the task force is looking toward compartmentalization: if an attacker makes its way into a Navy network, the attack could be contained at a network boundary, much in the same way a flood might be controlled by sealing a hatch aboard a ship. It might also mean intentionally shutting down key IT systems for a while.
“So, if we know we’re going into harm’s way, maybe we shut down our real-time maintenance systems for a period of time while we’re executing a fight, and then bring those net-centric capabilities back on to enable the supply chain and the sustainment of the ship once we’re out of the fight,” Swartz said. “But right now, we can’t do that. We need to inject technologies so that we can be more maneuverable, and compartmentalize the platform in ways that let us be both more proactive and reactive.”
In the end, the Navy says it wants to replicate the success it has had with its submarine safety program, known as SUBSAFE.
After all, the undersea predecessor to CYBERSAFE has managed to keep the Navy clear from serious submarine casualties for more than 50 years, and Navy officials like to draw other analogies, including the fact that it took a serious and publicly- visible episode — the sinking of the USS Thresher — to trigger the standup of a comprehensive and successful safety program.
From the point of view of deployed, legacy capabilities, the scattered cyber environment the Navy is working in now is remarkably similar to what it was dealing with decades ago when it first launched SUBSAFE, said Brian Marsh, the task group leader in charge of technical standards for Task Force Cyber Awakening.
“If you think about SUBSAFE, there was a lot of existing infrastructure back then — it wasn’t starting from a clean sheet of paper. The Navy was trying to think about how it could move to a place where you could actually provide a certain level of safety for the entire crew in the submarine community,” Marsh said. “It’s the same thing in cyber. We’re not starting with a clean sheet of paper, and we know we have to figure out how to migrate it over time. It means we can’t just start with a materiel solution. We need to think holistically about the cyber challenge and how we address that.”