Vice Admiral H. Denby Starling II assumed command of Naval Network Warfare Command June 15, 2007. He is responsible for operating, maintaining and defending Navy networks, and conducting information operations, space and fleet intelligence operations.
Overseeing a global force of more than 14,000, he is also the functional Component Commander to U.S. Strategic Command for space, information operations and network operations.
CHIPS spoke with Vice Adm. Starling, along with other members of the media, after he participated in a panel discussion about cyber security challenges at a major defense conference in San Diego in February.
Q: In the panel, you spoke about the need for network visibility. I thought the Cyber Asset Reduction and Security and Consolidated Afloat Networks and Enterprise Services projects were addressing the other networks that are not part of the Navy Marine Corps Intranet. What is not visible in the Navy network enterprise?
Vice Adm. Starling: We eventually would like to see as many of the Navy's ships and other networks as possible riding on a single enterprise network. I suspect that we will always have a requirement for some number of networks that are not part of our enterprise system but are protected behind a firewall, for example, research and development networks. Today, the educational networks exist as 'excepted' networks because they have requirements that are, in many cases, fundamentally non-military functions.
Our supply corps will always need to interface with the banking system so their automated teller machines will work. Our hospital networks will always need to electronically interface with other health systems so that healthcare for those in the Navy is seamless.
We contracted with EDS to provide us network services for NMCI. But as the commander at NETWARCOM, I do not have the ability in real time to look into the NMCI network to evaluate its health and whether or not somebody is attacking the network. As we move into the Next Generation Enterprise Network, NGEN will move us from a completely outsourced network to one that the Navy has the ability to exercise a greater level of command and control over and more visibility into.
The percentage of the Navy's networks that are in NMCI today is somewhere near 55 percent. There are large portions of the Navy's networks that are still outside of NMCI, all of our at-sea networks, for example. The Bureau of Medicine and Surgery is outside of NMCI.
CARS has done tremendous work in reducing the number of legacy networks that are out there. The number has gone from 1,200, and we are now in the mid-400s range and hope to get down to 200. As you mature that enterprise network and turn it into a government-controlled network, we'll want to have the tools in place that will give the commander the ability to physically look into the network.
Q: You mentioned Navy excepted networks; aren't they operating under the same Navy security standards?
Vice Adm. Starling: They do. For example, if Company X provides the media for a software tool and they patch it, and they shove out a patch to us across the Navy, we would hand it to NMCI and tell NMCI to push it across all the networks and tell us when they are done.
Then we would pass the patch to all the other guys that own networks, and tell them to put it on their network, and tell us when they are done. They would all report to us when they were done and I would think life is good, but I don't have a way to go in and see if it is really done; I have to depend on what they told me.
We have [network defense and information assurance] systems in the Navy called the Online Compliance Reporting System (OCRS) and the Joint Task Force–Global Network Operations [to protect the Global Information Grid]; all the services use these. I then have to go after all the other Navy networks and all the other Echelon II chief information officers and say, do this, and tell me when you have done it.
With NMCI, I only have to tell one 'person,' so I can immediately get the patch out to 55 percent of the Navy's networks. On all the others, I have to wait for them to do it, and tell me they did it. [But] I don't have any way to verify that.
We are deploying Host Based Security System (HBSS) across the Navy. One of the things the HBSS will be able to do for us is to baseline the condition of all the computers in the Navy. As we get this capability fully deployed, it will give us the ability to automate and roll this information up. Then I don't have to depend on somebody telling me that they did it, [instead] all the machines on one layer of the network tell the next layer, tell the next layer, tell the next layer… It all happens automatically.
The bad guys can move quickly. We don't want to have to figure out during the log review, or some other administrative action, that something went wrong. We would like to have better systems to tell us in real time.
Q: Can Navy networks use cloud computing?
Vice Adm. Starling: This is a whole new area for us. From a technical point of view, I am not sure I could give you a well-informed answer right now, but we do have our technical staff looking into it. If you talk to commercial vendors, they have many of the same challenges, like Verizon and AT&T. They operate big networks, and they have real security concerns. Those guys only have to defend the perimeter of where you enter their network.
If I am a customer of Cox Communications at home, and I do a crummy job of keeping my computer patched, I am probably only going to hurt myself. Cox will keep me from doing something stupid that will infect their whole network. In the Navy, I have to care about everybody's computer. If we have a problem, it goes all the way out to the tactical edge; that makes our world unique.
Even if today I restructured the whole Navy [to take advantage of new technology], I would have to keep the network operating and find the resources to do that. I would have to explain to my leadership why that was important, and what the return on that investment would be. It couldn't be just a performance improvement. It has to be a security improvement. It also has to be a business process improvement.
Q: With NGEN how will you balance accessibility with security?
Vice Adm. Starling: I am security conscious. My job is to guard the gate. Given options, I will normally tend toward the option that is more secure. There are a lot of young people in the Navy who grew up carrying multiple electronic devices. Young Sailors coming into the military today want access. We have to balance that with our requirements for information and network security.
When we first formed our unclassified networks in DoD, these labor-saving devices became great tools with tremendous amounts of capability. Today, we could not live without our unclassified networks. But the unclassified networks are connected directly to the Internet with all the inherent risk.
We have to continue to develop the technology that will allow us to operate in cyberspace where everybody else is and do so in an intelligent fashion so that we can provide an acceptable level of security for the government's unclassified networks.
We have workforce training challenges that any big company has. How do I train the Sailor that just came into the service and is used to clicking whatever he wants to on his home computer or connecting to a P2P (peer-to-peer) server that there are some things you can't do any more?
We do well with that, but considering that we have about 700,000 users, if even a small percentage of those don't want to follow the rules, you have an opportunity for significant vulnerability. We have to continually address that problem.
We want to be good; we want to be leading edge. Perfect can be the enemy of good enough. We have to ask ourselves what are those essential military functions we want to be able to do. Then we need to buy the technology that will enable us to do them and make sure that those are assured and completely reliable.
The other part of it is that the attack methods change all the time. We have gone from hackers that wanted to take control of your box to the smart guy that doesn't want you to know he was there. We have gone from an era where most of the attacks were phishing to where we see more compromised Web sites and challenges on the Web.
Q: Is NETWARCOM planning mandatory security training for the Navy?
Vice Adm. Starling: We just had a Navywide security focus day to raise the awareness of computer network security for everybody across the Navy. The Chief of Naval Operations directed all Navy activities to conduct a network security training and awareness day no later than Feb. 28. He mandated the training in response to recent security incidents on Navy computer networks.
All Navy commands were given a list of specific training areas and topics, from safe home computing, to phishing, to policy while they are operating Navy computers. NETWARCOM's network security training was Feb. 23 at Naval Amphibious Base Little Creek's theater.
This was not just a one-time initiative. Increased network security must become ingrained in our daily activity on the Navy network. We are trying to tackle a cultural issue.
We often say that the network is a weapons system. In reality, not everybody in the Navy gets to operate a weapons system every single day. While I think that folks who operate at the tactical edge understand this, does the staff officer or the Sailor who works in a staff position? He sees his computer as an e-mail machine or the machine that he does spreadsheet work on, but does he understand that every time he sits down and logs on to that computer, he steps into the exact same battlespace that the bad guys of the world operate in?
I look at computer security the same as force protection, and there is a certain level of awareness that you have to maintain for force protection all the time. After 9/11, everyone's awareness was high. The further away you get from a big event, the level of concern tends to drop off. Once in a while, we need to make it an organizational focus to remind people why this is important.
That is what we wanted to do, remind everybody in the Navy why this is important. All you have to do is open the paper to understand why. It is important to make folks recognize [that] as members of DoD our folks are a target, and they have responsibility to operate their computer in a responsible fashion.
Q: It was reported in the news that embedded chips in card readers that were manufactured overseas were programmed to divert money from bank accounts. How does outsourcing IT affect our national systems?
Vice Adm. Starling: It is not a surprise to anyone that stuff is being preloaded in commercial software. It is something we have to be aware of. We have committed ourselves across DoD to commercial off-the-shelf solutions; we are going to buy our computers from commercial vendors. The cost to do otherwise would be prohibitive. It is something you have to walk into with your eyes wide open, and it is something you shouldn't kid yourself about.
Since I am probably not going to disassemble and inspect every machine that I ever get and probably wouldn't be clever enough to find everything that might be there even if I did, it becomes all the more important that we continue to develop the tools to help us understand the network's health. Then we can detect anomalous activity on the network and understand what that means as opposed to chasing down everything that is in the box.
Q: Do these concerns that we discussed make conducting electronic warfare and information operations difficult?
Vice Adm. Starling: The ability to do computer network operations (computer network attack, exploit and defend) is dependent on the ability to understand your own network to a very high degree, as well as understanding an adversary's network.
While I provide trained folks who can do the exploit and attack mission, it is not a function that inherently resides within my organization. We have national level organizations that have that responsibility.
We certainly want to have as much knowledge about the adversary's network as I am going to have about my own. Somebody made a good comment earlier [in the panel]: You can't defend what you can't see. We will get better at this. It is recognized that we need to do more, but it is a question of what resources you have available to apply to the problem.
Q: We read about the cyber attacks in Latvia/Estonia and Georgia. Are we in better shape than they were?
Vice Adm. Starling: Estonia was an interesting example a few months ago. Estonia, like a lot of countries that have emerged from dark places, was very highly network leveraged. You can deploy networks quickly and because of that they were very vulnerable.
We are certainly dependent on our networks, but I would argue that our networks are more diverse and more highly dispersed. I think that we have more national capability than Estonia did to understand our adversaries and take appropriate steps.
What we need to understand when we see events like those in Estonia and Georgia is that this is a precursor to the next kinetic fight — or perhaps in place of it. In fact, CNO has stated that the next battle will be in cyberspace, and it has already begun. Our President recognizes this and is taking steps to strengthen our national cyber infrastructure.
For more information about NETWARCOM, go to www.netwarcom.navy.mil.