The Navy has plenty of ways to measure the cybersecurity of the IT systems that underpin its military capabilities. But so far, it’s not had much success in describing to commanders exactly how the cyber vulnerabilities it finds threaten their day-to-day operations. Officials are trying to change that through a set of pilot programs called “cyber risk to mission.”
For the first pilot, beginning this year, the Navy picked the ongoing modernization of its nuclear command and control systems — a project that top Defense officials have said is a major priority, but that could also introduce new risks as the military moves from antiquated systems that, in some cases, still rely on floppy disks, to new ones that are more modern but also potentially more vulnerable to cyber attack.
“As the Navy’s doing technical upgrades to that infrastructure, we want to understand how that risk profile changes in going from the old technology to the new technology and be able to describe that to our fleet commanders,” said Brian Marsh, the assistant chief engineer for certification and mission assurance at the Space and Naval Warfare Systems Command.
A second pilot, focusing on cyber systems that support ballistic missile defense, is scheduled for next year.
In both cases, cyber experts from the Navy’s system commands will assess whether systems still in development meet the service’s cybersecurity standards. But from there, they’ll also attempt to communicate to operational commanders what the consequences are for leaving any particular security problem unaddressed.
“In the past, when we’ve talked to fleet commanders about where we are with cyber, we’d turn to an admiral and say, ‘You’ve got seven category ones, 12 category twos and you’re 83 percent compliant on STIGs.’ The fleet commander has no idea what that means in terms of ability to complete mission,” Marsh said during a panel discussion at the annual Sea Air Space symposium in National Harbor, Maryland. “So the team is trying to expand beyond just the specs and standards and articulate the operational capabilities and limitations we bring to the table from a cyber perspective. That’s what we do in every other warfighting domain.”
Jared Serbu discusses this story on Federal Drive with Tom Temin
The “risk to mission” approach is mainly a recognition of budget realities: Navy officials say it would be cost prohibitive to fix every potential cybersecurity problem, so the commanders whose missions depend on the systems need to be able to help decide which holes to plug first. Once those commanders understand their most urgent security problems, they can help triage and advocate for more resources to fix them.
“A lot of what they’re doing here is trying to focus on mission assurance and the resilience of a particular mission, understanding the risk we’re accepting and how to best address it,” said Rear Adm. Nancy Norton, the Navy’s director of warfare integration for information warfare. “We’re not trying to boil the ocean. We’re not trying to solve every problem.”
The new pilots dovetail with a broader shift in the Defense Department’s approach to assessing the security of its systems. In 2014, the Navy and other military services began transitioning from a certification and accreditation process known as DIACAP to one based on the National Institute of Standards and Technology’s Risk Management Framework, which emphasizes the need to assess the seriousness of cyber vulnerabilities and then make informed decisions about how and whether to mitigate, not necessarily eliminate, them.
From there, the Navy stood up a Technical Authority Board (TAB) that approved two dozen standards and specifications so that it could apply consistent security controls across its most critical systems.
“DIACAP was focused a lot on compliance and vulnerabilities. We really want to move more toward risk management, and we’re trying to take people who have lived in a DIACAP world and turn them into RMF people,” Marsh said. “They’re great people who understand the fields they’re working in to a T, but giving them the skill set to make that transition is a challenge. Our team is trying to do some of the heavy lifting to make that culture shift.”
Shore-side facilities are one example of the areas in which the Navy has recognized it’s not feasible to fix every cyber vulnerability in every piece of critical infrastructure or thermostat that’s connected to a network.
Instead, at least for the time being, it makes more sense to rely on a defense-in-depth approach that applies security checks to successive “enclaves” of systems, rather than demanding perfect security from every device that happens to involve a microchip and a network connection, said Robert Baker, the chief information officer for Naval Facilities Engineering Command.
“So if some adversary were to get into our advanced metering systems, for example, they wouldn’t be able to move left or right into our emergency management or utility systems,” he said. “We’re focused on the important stuff, but that leaves us with maybe another 109,000 facilities that we are not focused on at the present time. It’s a very large problem.”