Department of the Navy (DON) Chief Information Security Officer (CISO) Chris Cleary has been selected as the DON Principal Cyber Advisor (PCA).
The position of PCA is mandated by the National Defense Authorization Act of FY2020, and in his new role, Cleary will work in close coordination with the DON CIO, the DoD PCA, and the DoD CIO, and will assume responsibility for advising the Secretary of the Navy, the Assistant Secretary of the Navy (Research, Development, and Acquisition) (ASN (RDA)), the Chief of Naval Operations, the Commandant of the Marine Corps and appropriate senior civilian and military officers.
Mr. Cleary will also be responsible for achieving or realizing the DoD’s Cyber Strategy within the DON by coordinating and overseeing the execution of the DON’s policies and programs relevant to the following:
- The recruitment, resourcing, and training of military cyberspace operations forces, assessment of these forces against standardized readiness metrics, and maintenance of these forces at standardized readiness levels.
- Acquisition of offensive, defensive, and DoD Information Networks cyber capabilities for military cyberspace operations.
- Cybersecurity management and operations.
- Acquisition of cybersecurity tools and capabilities, including those used by cybersecurity service providers.
- Evaluating, improving, and enforcing a culture of cybersecurity warfighting and accountability for cybersecurity and cyberspace operations.
- Cybersecurity and related supply chain risk management of the industrial base.
- Cybersecurity of DoD information systems, information technology services, and weapon systems, including the incorporation of cybersecurity threat information as part of secure development processes, cybersecurity testing, and the mitigation of cybersecurity risks.
Mr. Cleary brings to the position a wealth of experience. He is a Naval Academy graduate and retired Navy Reserve Officer who served 16 of 24 years on active duty in a variety of leadership roles. He has held several leadership positions in the private sector and has been the DON Chief Information Security Officer for the past year.
CHIPS: How do your role and responsibilities differ from the DON CIO’s responsibilities since DON CIO Aaron Weis also serves as a Principal Staff Assistant to SECNAV for information management, digital, data and cyber strategy?
Mr. Cleary: You are right in that we are both advisors to the Secretary. Aaron Weis’s job as the CIO is a big one. Basically, if it has a 'one' or a 'zero' traveling on the network, regardless of where it lives, Aaron has his arms around it. The PCA is more about the application of cyber and the way we are going to emphasize cyber as a warfighting domain, and work to integrate all the different organizations in the Department of the Navy who have cyber in their job.
Think about the key players, DON CIO, Naval Information Forces (NAVIFOR), the Deputy Chief of Operations for Information Warfare (OPNAV N2N6) and Fleet Cyber Command/10th Fleet, Deputy Commandant for Information and Marine Corps Cyber Command, it’s really about helping bring those multiple organizations together to make sure we are all working from the same sheet of music – and then advising the Secretary in the way the office can focus resources and funding to the mission of cyber and IT.
So there are some overlaps for sure. The DON CIO has authorities that I do not; my job is to be a neutral arbiter to advise the Secretary.
CHIPS: As the DON Chief Information Security Officer for the past year, you certainly have an edge in your new role as PCA. What have you learned about the DON’s cybersecurity environment? You must have some ideas that will influence your work as the PCA.
Mr. Cleary: Most certainly. One of the things that I have observed, and I have talked about this with the leaders of these respective organizations, is the idea that good fences make good neighbors. We tend to try to do each other’s jobs; we need to be better about recognizing we are doing this. Each leader must understand what their respective organization's mission and function are and then ensure it’s getting done and then be aware when you might be spilling over into another organization’s lane.
It’s human nature to try and do it all. I think if we got back to our positions and played them appropriately, we would be more successful. For example, Fleet Cyber’s mission is to operate and defend. NAVIFOR’s mission is to man, train, and equip, N2N6’s mission is to resource, DON CIO’s mission is to set the policy and guidance for all of that to happen. So it’s not Fleet Cyber’s mission to go off and try to build the network. It’s not N2N6’s job to operate and defend the network. We tend to get into each other’s spaces, and we need to be better about that.
CHIPS: You have quite a number of responsibilities as the new PCA, from workforce management, to cyber capabilities acquisition, to the cybersecurity of the Defense Industrial Base. How will you prioritize your taskings and coordinate the various relationships with the offices and individuals you will be working with?
Mr. Cleary: From a priority standpoint, it’s not that the work isn’t being done. Using SolarWinds as an example, Fleet Cyber, and MARFORCYBER, working with U.S. Cyber Command and Joint Force Headquarters-DoDIN, did a masterful job of responding to the event. The organizations that are tasked do their jobs, do them well. Aaron Weis is doing a great job at modernizing, innovating, and defending the networks when it comes to prioritizing. Fleet and Marine Corps Cyber Command do a great job operating and defending the networks. N2N6 and DCI are doing a great job identifying requirements and providing resources to do all of the above. But what does cyberwarfare look like, and what does it mean to the Department of the Navy in the next 10 years? That is one of the things we are struggling with, and figuring out the DON’s role in cyber warfare is my first task.
CHIPS: So would you say that the office of the DON CIO is more focused on support IT as opposed to tactical IT and that you will focus on tactical IT?
Mr. Cleary: All IT has an enterprise and tactical component to it, and that’s one of those things we have to realize moving forward. Regardless of what kind of network you have brought into the Navy, it has a warfighting function. Even the network designed to order pencils, our supply systems are every bit as important to warfighting as a Sailor firing a missile from an Arleigh Burke destroyer. It’s an ecosystem that needs to have a symbiotic relationship for it all to function.
I don’t know that I would say my job is to do tactical things, and Aaron’s job is to do administrative things, it’s the idea that all these things [enterprise networks] work in concert. As the PCA, I will be more focused on increasing the cyber offensive capability development for the DON cyber forces.
CHIPS: How will you be working with the warfighting community in “evaluating, improving, and enforcing a culture of cybersecurity warfighting and accountability for cybersecurity and cyberspace operations”? Do you view this responsibility in terms of ensuring warfighters maintain a technical advantage in a contested environment?
Mr. Cleary: Going back to good neighbors, good fences, and accountability, this is very much a NAVIFOR, Naval Information Forces responsibility; they man, train, and equip. So I will work with NAVIFOR to ensure the proper requirements, training programs, accession plans and readiness issues are being addressed so that when NAVIFOR trains a cyber warrior assigned to a cyber protection team, or a cyber national mission or support team, and that team gets chopped to Fleet Cyber Command for direction, NAVIFOR is providing the right capability training at the right readiness level for operational commanders to use that capability. Yes, I view this responsibility as ensuring warfighters maintain a technical advantage and I think we are still seeing some gaps that need to be addressed.
CHIPS: So how do you plan for that since cybersecurity threats are continually evolving in scope and risk? You mentioned SolarWinds, no one expected that threat?
Mr. Cleary: That’s right, SolarWinds, in particular. Once the threat vector was identified, I’ll go back to saying Fleet and Marine Corps Cyber did a masterful job to protect us from that threat. From the time they were informed, to the time they locked it down was very, very short.
Our adversaries understand our weaknesses in the supply chain, so we have to figure out how to work with acquisition, the Defense Industrial Base, and to work through some of the DoD CMMC (Cybersecurity Maturity Model Certification) requirements to make everyone aware that it’s not only the DoD itself that will be attacked. We have anticipated it; we just haven’t had the resources to focus on it. We have recognized where some of our shortcomings are, and we are in the process of working with the Defense Industrial Base and Fleet Cyber to figure out how we are going to plug that hole. We must focus less on specific technologies, since these are continually evolving, and focus more on security goals and cyber resilience.
CHIPS: Going further on cyber training, the Chief of Naval Operations has emphasized the need for the force to have critical thinking skills. So, in addition to the cyber training forces need, would critical thinking be a skill they need as well?
Mr. Cleary: Absolutely, it's every bit as important in cyber as it is in the other more traditional warfare areas. Why I get so excited about the cyber warfare mission is there hasn’t been anyone who went from ensign to four-star admiral in cyber as a career path. It just hasn’t been around that long. We stood up USCYBERCOM, MARFORCYBER and Fleet Cyber in 2010. So as a mission space, dedicated Title 10 assets doing cyber operations, we have only been doing it for a decade, which in the military is half of a career, if we say 20 years is the typical career in the military. Not to say we weren’t doing these things before 2010, we absolutely were. But we weren’t doing them in such a concerted effort that we are doing them now that we have Fleet Cyber, Joint Force Headquarters-DoDIN, and U.S. Cyber Command. We hadn’t even identified this as a mission space or a career path.
We’ve got a ways to go until we’ve had a whole generation that’s grown up in the cyberspace career path. Until that’s happened, we’re still going to be questioning what it is because we’ve been doing every other warfare domain for decades, in some cases, centuries. The Army has been doing land warfare for centuries. We’ve been flying airplanes for more than 100 years. We haven’t been doing 100 years of cyber operations yet.
CHIPS: Do the other warfighting domains recognize the importance of cyber, or is it still a back-office function they don’t want to think about?
Mr. Cleary: It’s not that they don’t want to think about it, but if you look at any new warfighting capability that has come on to the battlespace, there is doubt. The airplane and the submarine operated independently when they were first introduced because people just didn’t understand how to do combined arms. Then inventions like the radio came along, and a guy on the ground could talk to a guy in the airplane, or two airplanes could talk to each other, and then you get this idea of combined arms.
I think there is a language barrier between the cyber world and the kinetic warfighting world. They are still speaking two different languages. They haven’t fully figured out how to connect kinetic and non-kinetic operations. So cyber is probably looked at much the way the airplane or the submarine was looked at in the early 1900s – you go off and do your own thing. The thinking is, 'I understand you need to be on the battlefield, I kind of know what you do, but I haven’t figured out how to work with you yet.'
CHIPS: Will you be working to build on the successes the DON has achieved in 2020 in advancing the strategic objectives (Modernize, Innovate, Defend along with the ISV strategic assets of Leveraging Data to Drive Advantage and Empowering the DON’s Digital Workforce) of the Information Superiority Vision in your new role?
Mr. Cleary: Absolutely! Not directly in my role as PCA, but having been the CISO, I believe 100 percent in the Information Superiority Vision Aaron has laid out. One of the beauties as PCA is I can carry his message to other communities. I don’t think the PCA’s job is to figure out cyber, and I know I said at the beginning of the interview, there is a component of working together we need to figure out. But for the other 95 percent of the Navy and Marine Corps that doesn’t understand cyber, part of the PCA’s job is to bring that vision, working together, that awareness of what happens in cyber to those other communities. It’s to be the advocate, the evangelist for what cyber is and can do for the other warfighting disciplines.
CHIPS: Will you be working with the System Commands in the Navy and Marine Corps?
Mr. Cleary: I think so. If you read the NDAA language, obviously, you are a cyber advisor to the Secretary, CNO and Commandant, but your immediate contacts are the DON CIO, N2N6, Deputy Commandant for Information on the Marine side, and then the two Service cyber components, Fleet Cyber and MARFORCYBER. There is another organization at the OSD level, called the Defense Digital Service, another touchpoint, and at DoD, the PCA that works for the Secretary of Defense, and there is another linkage there. Those are primary touchpoints for the PCA. You will obviously get beyond those in interactions with the SYSCOMs but not directly. It’s the job of the PCA to advocate for some of the things we need, such as offensive toolsets, and supporting the joint warfighting architecture that is being led by DoD and CYBERCOM, and taking a leadership role in that.
CHIPS: You could really help advocate for modernization in DoD. The Defense Department has already shown how quickly it can roll out new capabilities, such as CVR, Commercial Virtual Remote MS Teams and Microsoft 360, to expand telework and productivity. I don’t think anyone wants to go back to the way things were.
Mr. Cleary: Yes. We’ve got to ensure that the things we accomplished through necessity, which proved to be very useful and very successful, don’t go back to the same old way of doing things. We learned a ton from doing CVR. We took a lot of risks, we accepted many risks, and we took a couple of lumps along the way. But just because the COVID vaccine is out shouldn’t be an excuse to go back to the way things used to be. We can telework effectively. We can have a better work/life balance. You don’t have to drag yourself into the Pentagon five days a week. We can work from home securely with all the tools we need to do our jobs. It’s all possible, and we just can’t lose sight of that.
Mr. Cleary was interviewed by CHIPS senior editor Sharon Anderson.