“…we’re in the cyber fight 24/7, 365 days a year, and our foes in that fight are sophisticated, and technologically advanced, and they are very well resourced, and they are focused on penetrating our systems.”
– Adm. John Richardson
Chief of Naval Operations
Any electronic device that stores or processes data is at risk of being compromised, regardless of whether or not it’s connected to the internet, and Navy networks go far beyond the desktop computers, laptops and handheld devices we use every day. They include hull, mechanical and electrical systems; systems that control steering and power; weapons and navigation systems; and aviation systems. Because some of our industry partners store and process sensitive data, we must also consider the security of their networks to fully protect our assets.
Prevention is of course the first line of defense: cyber warriors add layers of sensors and countermeasures to make attacks more difficult, and they segment the network to contain damage. While the hope is to avoid conflict altogether, attacks on our networks have proven inevitable, so in the same way that a ship is designed to withstand a potential kinetic attack, and crews are trained to mitigate and control damage, the Navy has designed its networks and systems to be resilient.
Resiliency allows Sailors, systems and platforms to “fight through” – just as they would if a ship’s hull was breached or steering was lost – in the event that an adversary were to penetrate our cyber defenses. Like the damage control teams on a ship, our cybersecurity workforce is able to detect compromises, determine what has been harmed, isolate the damage, make repairs, and implement workarounds so the mission continues uninterrupted.
The lines of effort for this strategy include identifying what needs to be protected and conducting risk assessments; protecting or hardening systems and networks; detecting anomalous behavior that might represent an attack; reacting to compromises or potential compromises by containing the breach and mitigating damage; and restoring basic functions in an effort to return to normal operations. All of these lines of effort are supported by recruiting and retaining top talent within the Navy’s cybersecurity workforce, and training users on best practices and data protection.
The Navy has made significant investments in each of these areas, and is executing plans in support of cyber resilience across the force. Examples include transitioning to the Risk Management Framework for assessing and managing systems’ cybersecurity risk, which can be used to “bake in” cybersecurity during systems development instead of being “bolted on” later. The Risk Management Framework also requires continuous monitoring, which helps the Navy maintain secure systems throughout their lifecycles.
The Navy also continues to identify and harden critical components through the CYBERSAFE Program, which was modeled after SUBSAFE, the rigorous submarine safety program instituted after the loss of USS Thresher in 1963. Like the submarine program, CYBERSAFE seeks to harden defenses before, during and after systems and their components are fielded to ensure they can better withstand attacks.
In response to sustained malicious attempts to access Navy data, the Department of the Navy published guidance to increase the accountability of contractors and subcontractors responsible for handling our data. This guidance gives the Navy more visibility into contractor networks, increases contractors’ security requirements, and significantly shortens the time for contractors to report compromises.
And as the Navy moves software and data from local computers and Navy-owned data centers to the cloud, it is taking steps to ensure cybersecurity is not compromised in the process.
To implement these reforms and maintain readiness in the cyber domain, the Navy needs its best and brightest at the helm. The department is acting with urgency to recruit and retain top talent in the workforce by leveraging Direct Hiring Authority for civilian cybersecurity personnel, offering incentive pay and direct commissions to civilian personnel with advanced cybersecurity expertise, and expanding the Cyber Warrant Program to incentivize Sailors.
Improving the Navy’s cyber resilience is an operational imperative requiring sustained effort and significant investments, and with the help of our entire Navy team, we will continue to meet the many complex and evolving threats posed by adversaries in the cyber domain.
Over the next two weeks, we’ll describe how you can contribute to the Navy’s cyber fight, and what steps you can take to protect yourself online – at work and at home.