As directed by the Chief of Naval Operations, the Deputy Chief of Naval Operations for Information Dominance (OPNAV N2/N6) Vice Adm. Ted Branch has been tasked to deliver fundamental change to the Navy’s organization, resourcing, acquisition and readiness by extending cyber security beyond traditional information technology (IT) to combat systems, combat support and other information systems while aligning and strengthening authority and accountability. Task Force Cyber Awakening (TFCA) was established to execute the CNO’s directive.
Mr. Swartz, Director, Communications and Networks Division, Deputy Chief of Naval Operations for Information Dominance (N2/N6), and Navy Task Force Cyber Awakening (TFCA) Lead, responded to questions in writing in early October.
Q: Vice Adm. Branch has been talking about a cyber-awakening at the Pentagon for some time now; can you explain what it means?
A: Recent real-world events and attacks on our Navy systems make clear the cyber threat is increasing. The risk calculus in the cyber domain has changed. Our reliance on connected capabilities has significantly increased the potential consequences of a cyber-attack. These factors, combined with the acknowledgement that our "cyber platform" extends beyond traditional IT to our warfighting control systems, are driving a cyber-awakening across the Department of Defense.
Q: TFCA has been created to “gain a holistic view of cybersecurity risk across the Navy and address the fragmented and uneven efforts across platforms and systems.” This is a huge undertaking; how will the assessment be conducted?
A: TFCA will leverage expertise from across the Navy to create a total force solution that builds on existing mechanisms where possible. TFCA’s initial effort is to develop an assessment framework which will inform the following major deliverables:
- Develop a prioritized Cyber Resiliency Plan based on the compilation, evaluation and synchronization of all existing major cyber security initiatives;
- Define a limited subset of critical components that will comprise the CYBERSAFE Area of Responsibility (AOR) and determine necessary modifications to the existing structure and method;
- Evaluate current Navy Cyber Security governance to include a broader scope of systems and processes in order to provide reasonable assurance of survivability of critical platform components necessary for mission success such as Navy networks and control systems; and,
- Outline the necessary organizational construct, internal composition and establishment timeline required to establish a Navy Cyber Security governance body that: (1) identifies assessment and certification roles (including the associated structures and general methodologies), and (2) develops an integrated human capital strategy for the employment of our highly-talented cyber security workforce.
Q: Why aren’t routine modernization and cybersecurity upgrades sufficient to address cybersecurity vulnerabilities?
A: The current organizational construct for modernization and cybersecurity upgrades allows the Navy to focus needed attention and resources on traditional Navy business networks (e.g., CANES, Tactical Switching (TSw), NMCI/NGEN) but does not provide the basis for improving Navy’s cyber security posture holistically (e.g., Hull, Mechanical & Electrical Systems and Combat Systems). Currently, there is no single enterprise authority to manage cybersecurity from the inception of a requirement to the eventual decommissioning of the acquired capability. This shortfall results in ineffective cyber defenses and leaves operations vulnerable to exploitation or attack. TFCA will create the organizational changes required to address organizational, resource, and procedural gaps in Navy cyber security allowing us to develop capabilities to mitigate the risks to our key cyber terrain.
Q: Can you talk about the work of the four Task Groups (TG) that will have representation from across the Navy and Marine Corps?
- TG Capabilities will look at major actions and assessments already underway or recently completed and will prioritize investments to ensure that we are taking the right steps in the near-term. TG Report due: November 2014.
- TG CYBERSAFE will construct a program that is patterned after the SUBSAFE program. SUBSAFE is a material quality assurance program which enforces technical specifications and standards in the design, procurement and fielding of critical submarine systems. Conceptually, CYBERSAFE will be a quality assurance program which will enforce full spectrum DOTMLPF standards in the "thin line" of critical warfighting systems and processes (C4I/Combat Systems/Control Systems, etc.). CYBERSAFE will apply to a hardened, very limited subset of components and processes and will include rigorous technical standards, certification and auditing. TG Report due: March 2015.
- TG Navy Cyber Security will evaluate current authorities, methods and resources to identify enhancements required to ensure the application of rigorous technical standards, certifications and assessments across the Navy. TG report due: August 2015.
- TG Technical will support the other TGs and will be comprised of senior engineers from the systems commands to ensure that robust, common technical standards and authorities are in place to drive cyber programs and systems. TG report due: April 2015.