Once upon a time, it was a hard sell to get people to care about cybersecurity. Cybersecurity professionals were viewed as pests, irritating impediments to getting the real work of an organization done. That pretty much has changed due to the never-ending spate of cyber intrusions across business, financial, retail and government networks. Each day brings fresh horrors about the exposure of personal information, stolen intellectual property and identity theft. Businesses and individuals alike are reeling from the losses.
At the national level, the White House has called for a comprehensive plan to address the interconnectedness of computing devices within the Internet infrastructure to secure the nation. From the electrical grid to financial systems, to home and car automation, the potential for disaster is staggering, government officials predict.
“The Navy gets it,” said Rear Adm. (Select) Creighton, Chief of Staff for the CNO’s Task Force Cyber Awakening (TFCA). TFCA was stood up in August 2014 for one year to take a holistic view of the current Navy cybersecurity posture and make recommendations for an overarching cybersecurity strategy. “Previously, programs of record and the PEOs (program executive offices) secured their individual systems without thinking too much about how their systems were interconnected with the Navy’s other systems and networks,” Creighton said.
“When I was a lieutenant in 1997, serving as a Flag Commo for a strike group. I had to apologize when I asked people to follow network security rules,” Creighton said at an AFCEA event in Norfolk, Virginia, Nov. 12. “It was hard to get people to care about cybersecurity. However, as systems have become increasingly interconnected and our adversaries have become more sophisticated, the value of cybersecurity has been better understood, but we still have a ways to go.”
There were several events that led the Navy to organize to meet the challenge. Operation Buckshot Yankee in 2008, in response to the proliferation of USB drives and their inherent lack of security control, and the more recent Operation Rolling Tide, in response to a foreign intrusion on the Navy Marine Corps Intranet, were awakenings across the Navy, Creighton explained.
“In June, CNO asked a question about which single organization could provide him with an
authoritative report on the Navy’s cybersecurity posture. Creighton stated that “at first, I would have said Fleet Cyber Command/10th Fleet because of their mission. But in reality, Vice Adm. Ted Branch, DCNO for Information Dominance, said there was no single organization or person who can do that. As a result, the CNO directed the stand-up of Task Force Cyber Awakening to look at cybersecurity holistically across the Navy.”
The dawning realization that the Navy’s command and control (C2), C4I systems, combat systems and hull, mechanical and electrical (HM&E) shipboard systems — and ashore networks are all interconnected required that a cross-section of individuals across the systems commands, program executive offices and Navy leadership at the highest levels participate in the effort.
“We realized the risk wasn’t just in C4I systems, but could be in gas turbine generators as well, for example,” Creighton said.
“The effort is not N2/N6-centric," the admiral (Select) said. "The ‘cyber platform’ spans the entire Navy.”
Task Force representation includes professionals from the Space and Naval Warfare Systems Command, Naval Air Systems Command, Naval Sea Systems Command, Naval Facilities Engineering Command, and cyber partners, including U.S. Fleet Cyber Command/U.S. 10th Fleet, Navy Information Dominance Forces Command, the Assistant Secretary of the Navy for Research, Development and Acquisition (ASN RDA) and Navy Staff. (See Figure 1.)
“The Task Force is looking at parts of the enterprise we have never looked at before through a cybersecurity lens — such as combat systems and control systems — across the whole DOTMLPF (doctrine, organization, training, materiel, leadership and education, personnel, facilities and policy),” Creighton said.
The TFCA task groups (Figure 2) are using existing mechanisms where possible. In addition to threat and investment assessments, progress will be achieved through routine cyber hygiene, such as improving fleet scanning and patching of software; improving Fleet Host Based Security System (HBSS) performance and use of the Vulnerability Remediation Asset Manager (VRAM), Creighton said.
The aim is to change the culture to one of procedural compliance by emulating the concept established by the submarine community with its SUBSAFE methodology. In the same way, the Navy will use a CYBERSAFE program to ensure procedural compliance, Creighton said.
Cybersecurity must be a resourcing and organizing principle, Creighton explained.
“Different groups would recommend to the CNO, ‘we have to upgrade the OS’ or others would say, ‘we need to invest in better patching.’ But that isn’t looking at systems across the Navy holistically. We can’t protect every system at the same priority and same risk factor so we have to come up with a way to prioritize investments for the CNO to identify which are the most pressing,” Creighton said.
“When we laid our current cyber capability across Fleet Forces’ Readiness Kill Chain, we found glaring seams — a lack of shared understanding of the cyber platform, IA standards not uniformly applied across all networked capabilities and no one organization responsible from a C2 perspective. Cyber is as important as the next missile or platform… it’s now commander’s business,” Creighton said.
Much of the work is at an intense level of detail with comprehensive lists of ongoing cyber threat mitigation actions and assessments intended to prioritize resources. The TFCA working groups meet monthly with an executive committee led by ASN RDA to report on progress.
“We meet monthly with PAC Fleet, Fleet Forces and the three-stars … A lot is at stake. We have a chance to make things better,” Creighton said.
“We didn’t get into this predicament in a short time, and it will take some time to fix. But it has been said: ‘Insanity is doing the same thing over and over and expecting different results.’ This is a huge change from when young LT Creighton was trying to get someone to care about cybersecurity.”