U.S. armed forces operate at sea, on land, and in the air. The one place they all operate in: cyberspace. Now the Navy has issued what it called a cyberspace superiority vision. It has three principles: secure, survive, and strike. Federal Drive host Tom Temin was joined by someone to go in-depth on the principles, the Navy’s principal cyber adviser, Chris Cleary.
Tom Temin: And you have discussed these things, I think, in prior iterations with us before here on the station, but tell us about this new vision that just came out. It’s very brief. It’s a two page document. What are you putting out here?
Chris Cleary: Well, it’s by design, we designed the first sort of the vision document to be just that to be short to be consumed very quickly. And to kind of be the North Star for the larger strategy that we’ll be following, probably after the new year that is nested along all the other you know, higher level guidance, we’ve seen a national defense strategy has been released, there’s a soon to be released presidential cyber strategy, which will again, followed by the Office of Secretary of Defense cyber strategy, and then the Department of the Navy will be releasing a strategy right behind it, which is already drafted and sort of follows along the themes and gets into a lot more detail of the three core principles that we’re trying to strive for, which is the secure, survive, strike.
Tom Temin: And what makes this unique to the Navy, what are the Navy’s particular challenges in cyber that call for this vision and for the strategy that’s forthcoming?
Chris Cleary: Well, it’s not that it’s unique to the Navy, I would say all the services have similar threads that run through each of them, kind of the idea behind the strategy as being a Department of Defense, we’ll talk about the first one, secure. This is one where Aaron Weis and I worked very, very closely, actually, he was the father of a lot of the things that live in the secure pipeline. And it’s the things we’ve been talking about for a long, long time, zero trust, identity management, an initiative within the Department of the Navy called Cyber Ready, which is a way of looking at modifying or refining the way that we do the risk management framework and getting to authorities to operate. So that’s really where when you get into the secure bucket, those are all the things we’ve been talking about for the long time traditionally referred to that as you know, cybersecurity, and all the things that live and support enterprise IT in cybersecurity. When you get to the other two pillars, those are the ones that become a little more unique to the Department of Defense, and we’ll talk about survive for a minute. So the idea behind survive is look at the end of the day the adversary gets a vote, we can do all the things we need to do to secure our environments. But sophisticated, well-resourced, dedicated adversaries always traditionally find ways around these things. At the end of the day, we have to learn to fight hurt, we have to apply basic restoration, continuity of operations, to all the things we do in the Navy, we live this at sea with damage control the way that we fight fires and prevent water from coming into ships as a result of combat activity. We have to begin to adopt that mindset when we get into the information technology space, most notably the way that we look at responding to operational technology impacts.
And I’m talking about weapons systems, and defense critical infrastructure and other things that we fight with the things that we need to be sustained water power communication systems that we depend on, to operate and project power.
Tom Temin: And I will just interject there to that or as you deploy more unmanned, remotely controlled, and even possibly autonomous systems, then the protection of those becomes ever more critical because of the nature of the fact that they work directly and as a result of the network.
Chris Cleary: Correct. And this is one of the differentiators between, I’ll say the secure and the survive piece. Secure is just the things that we’ve always done, you know, to ensure the availability of information that information is not getting into the wrong hands. The survive piece is really about ensuring that we can fight and like I’ve already said fight hurt because it’s less about stealing information from let’s say, a weapon system or a defense critical infrastructure when those systems are going to be targeted by our adversaries, you know, the intent is to degrade or deny their ability to operate or to some way or another, destroy them non-kinetically. And this is the kind of mindset we need to take. It’s less about ensuring the availability of these things and more about assuring the sustainment of whatever service or capability they deliver to the fleet, whether it be a weapon system, or a critical resource, like water or power.
Tom Temin: We’re speaking with Chris Cleary, the Navy Department’s principal cyber advisor, then the third element is to strike and sometimes kinetic warfare will take place with bits and bytes, won’t it?
Chris Cleary: Well, that’s exactly it. And I think when we talk about the strike piece now, arguably, this is one that we have not discussed almost intentionally for quite a bit of time. Most of the capabilities developed in this space grew out of the intelligence community. This is where the preponderance of this work had happened, you know, for decades, in some instances, and now that we’ve introduced the Department of Defense, we’ve introduced U.S. Cybercom, each of the services have our respective service cyber component, we have the national mission force, and one of their acknowledged missions, you know, back in 2016 when the mission force stood up and reached IOC, was offensive cyber operations. It’s not a surprise to imagine that the Department of Defense is going to continue to figure out ways to weaponize and deliver effects in and through this new domain of warfare. And I believe it’s one of these things we need to be starting to talk a little more openly about. It’s no secret that we do these things. Of course, we’re going to talk about how we do them, we’re not going to talk about the vulnerabilities or exploiting or even some of the specifics around the capabilities that we’re developing. But the fact that the Department of Defense to a lesser degree, the Department of the Navy, the Navy, the Marine Corps, is going to begin to specialize, consider this capability core to their mission set, develop a workforce, acquire tools, develop the doctrine, and with it the tactics, techniques and procedures to leverage these capabilities and use them in warfare as a legitimate means and methods of warfare. The whole idea behind strike is beginning to have this dialogue, acknowledging that we do this and then figure out how to talk with industry about working together to develop these capabilities.
Tom Temin: It’s almost when talking about strike capabilities in cyber, it’s almost like talking about submarines. Everybody knows the United States has them. But certain performance characteristics, the location of them at a given time, et cetera, are not known or kept secret. So it’s OK for the enemy to know that we’ve got them. And that enough is a deterrent in some cases, but they don’t know the details of speed, where they are, what they can do that kind of thing. And that the same principle applies in cyber strike.
Chris Cleary: 100%. We talk about a lot of our most sensitive capabilities openly: stealth technology, hypersonics, undersea warfare. To get into the details of any of those capabilities, specific capabilities, is of course classified and will always remain classified. But you’re right, we acknowledge that there are hypersonics, we acknowledge that we’re developing stealth technologies, we acknowledge that we’re working on more and more sophisticated capabilities for undersea warfare. And I use the Columbia class submarine as a good example. You know, we all know what the Columbia class submarine is designed to do, you kind of lead into this very well, that we’re not going to get into any specific design characteristics, yield of warheads, you know, specifically Valdez of that submarine, whether its ability to hide the depths that can operate at, but we talk openly about why we have the Columbia class submarine, how it fits into our nuclear deterrence strategy, the requirement to modernize and replace our aging Ohio ballistic missile class fleets. So we talk about those openly, we have to figure out how to have a similar conversation around offensive cyber capabilities in the same venue to say how these are going to be incorporated into the Navy, what are we getting some of our policies around using them. But just like with almost everything the Department of Defense does, the end of the day, we don’t make anything. The Department of Defense in almost every instance worked with the defense industrial base through requirements that we have to produce certain capabilities. And we work with the defense industrial base to have those capabilities delivered to us. And I think this space is no different and has to be talked about, just like we talked about anything else that we do.
Tom Temin: And in the development of the doctrine and the ways of operating the concept of operations for cyber offense. In some ways, part of the challenge is developing on a continuum because at some point, firing a cyber barrage, if you will, bits and bytes at the enemy might be defensive to keep that enemy from taking out what you know, its target is. And that’s one of the Navy systems, that’s a shade off of preemptively firing a cyber attack to take out something before it has been aimed at the Navy. Does that make sense?
Chris Cleary: It makes perfect sense. You brought up a great point. A lot of times we will deliver lethality in a defensive fashion. You know, not all tools designed to deliver lethality are offensive minded. There’s lots of things that we do that are defensive minded, but yet are every bit as lethal to the adversary. Some of the cyber capabilities you might find in that same venue. And again, but this it’s the service’s responsibility to man, train and equip. So you know, we the Navy, the Marine Corps, bring in sailors and Marines, train them in this field, but then present them to combatant commanders to do with what they’re going to do. And so most of the forces that we present, obviously go to U.S. Cybercom, as really, as the leader, the one with through has all the authorities to leverage these kinds of capabilities. And of course, that happens all under the guise of General Nakasone, over there. But then some forces we see assigned to, you know, INDOPACOM, or the way that we build ships or submarines or aircraft, those all go off to joint combatant commanders for employment. It’s really the Navy’s responsibility to ensure that these tools work, people are trained on them, and they are presented to those that have the authorities to use them.
Tom Temin: And the new strategy that you mentioned, which is hinted at in the already out vision. Just briefly, once again, the timeline for that, when will that be unveiled?
Chris Cleary: So we have one in draft right now, it’s gone through the proverbial E-Ring here in the building. We are waiting for the other higher order cyber documents to come out. You know, it’s never good to get in front of your boss. So OSD has a cyber strategy that they’re going to be releasing. I think we will see that after Christmas, after New Year’s sometime, it’s certainly very early in the, I guess, Q2 of FY 23. And then the services or the department strategy will follow, you know, right after in sequence, and what you will see is a little more in depth, obviously, you know, I call the vision just that, as a vision and as a primer, and the strategy will go into detail on how we’re going to execute individual lines of effort that live within the secure, survive, strike higher guidance.