Rear Adm. Barrett responded to questions in late December.
Q: Can you talk about your job at USCYBERCOM?
A: Sure. As the Deputy Director of Current Operations at U.S. Cyber Command (USCYBERCOM), I work with a team of military and civilian personnel who handle day-to-day execution of cyber operations and defense of the Department of Defense Information Networks (DODIN), which includes both classified and unclassified networks. Our team works 24-7 and coordinates with subordinate commanders, to include Joint Force Headquarters (JFHQ) DoDIN (primarily responsible for the Defense of the DODIN mission), Service Component Commanders, interagency and coalition partners and Joint Force Headquarters Cyber National Mission Force (JFHQ CNMF) among others, to execute our mission sets.
Our USCYBERCOM operations watch floor works closely, around the clock, with the National Security Agency and others in the Intelligence Community as well as Department of Homeland Security and the Federal Bureau of Investigation on cyber issues all day, every day. From a defensive perspective, our adversaries continue to challenge us and it takes the whole synchronized team to ensure we are ready for those challenges; there is never a dull moment.
Q: Are you involved with the process of building the Navy’s Cyber Mission Team for USCYBERCOM? What are the characteristics that make up an effective cyber warrior?
A: USCYBERCOM continues to generate cyber capability and capacity for DoD. Along with the services, we are building a 6,200-person Cyber Mission Force, on track to be fully manned and trained by 2018.
While I am not personally involved at the tactical level to build the Navy’s Cyber Mission Teams (CMTs), we do have others at the command who specifically work with the services, JFHQ CNMF, and JFHQ DODIN on the readiness and build status of each of the teams, and we monitor that closely. As noted, 6,200 personnel will eventually being assigned to these teams and their respective missions sets.
The level of commitment of resources needed to make this happen certainly tells you the importance of the cyber warfighting mission to our overall operational success in DoD. Every mission area relies on cyber; the integration of cyber and its importance to all operations cannot be overstated. Once all the teams are at full operational capability, on track for 2018, their role in using cyber as a warfighting platform not unlike a ship, plane or tank will allow us new opportunities to have and provide expanded options for operations.
An effective cyber warrior in my opinion is a warrior first and a technical expert second.
Understanding operations in a broader context and the processes we use to plan and execute military operations is imperative. Those traditional warfighting processes like operational planning, targeting, battle damage assessment, etc, apply to cyber just as they do to our other warfighting domains.
When it comes to specific expertise in cyber, that operational knowledge and perspective coupled with high levels of technical expertise in cyber operations to include understanding the architecture those networks use to communicate (what we broadly call “transport”— radio frequency, space, terrestrial connectivity, etc.) end-to-end is essential to achieving excellence in both offensive and defensive operations.
I also believe that we have an artificial delineation between offensive and defensive operators that needs to go away. It’s based on constructs that in my opinion are incongruent with current operations. The best defenders I know are those who can excel in the offensive mission and know how the adversary thinks. They understand the tactics, techniques, procedures, capability and intent of our adversaries which makes them best able to pre-emptively and comprehensively apply effective defensive measures for mission assurance.
Q: Can you talk about the relationship between USCYBERCOM and the National Security Agency?
A: There is a unique relationship between the National Security Agency and USCYBERCOM and we work closely to ensure synchronized operations and solutions. That being said, we have very different missions. NSA focuses on foreign Signals Intelligence (SIGINT) as well as Information Assurance (IA) products and services. U.S. Cyber Command is focused on fighting and winning our nation’s wars. At USCYBERCOM, we must protect our networks while enabling the Combatant Commands with cyber capabilities and effects. Both organizations are more able to accomplish their missions by effectively joining forces together and we work closely with our NSA counterparts on all operations. In fact, our watch floors are separated by only a few feet and personnel from both organizations routinely collaborate throughout their watches.
Specifically on the defensive side, we have a strong working relationship with NSA’s Information Assurance Directorate and frequently work together to look ahead and protect against emerging threats. The third critical organization we synchronize daily with in these activities is JFHQ DODIN to secure DoD networks.
In addition to that close relationship with NSA, we also work closely with other government agencies on a daily basis and even have liaison officers from some agencies integrated on our watch floor. Notably, we support the Department of Homeland Security and the Federal Bureau of Investigation, when directed by the president, in defending the nation's critical infrastructure from significant cyber-attack.
Q: What is your definition of cybersecurity — some experts advise that a better method than securing networks is securing an organization’s data — or that decentralizing networks is the best approach?
A: Effective cybersecurity translates to mission assurance. I think any good cybersecurity plan needs to implement a defense-in-depth strategy with a goal for mission assurance, not cybersecurity compliance. We have to get out of the legacy “compliance” mindset. Thinking about cybersecurity in terms of mission assurance vice compliance puts it in a different perspective. Additionally, it’s not enough to focus all of your efforts on the physical layer like networks or “boxes,” you have to protect at the data, application and other key layers as well. Multiple and varied defense mechanisms make it harder for adversaries to get that quick-win, or to find a way in or lurk in our networks.
Long-term, I personally believe that protection at the data element level is extremely important as we move to more cloud computing with the means to quickly and smartly tag data elements. In this kind of web services environment, we will have improved means to tag data at the lowest level, which from a security perspective will also allow for its protection when aggregated with other data that may then make it classified.
Artificial intelligence rules could be put in place to more smartly protect data at that level and to look for anomalous behavior that may indicate an intrusion. We are not there yet as our data and business rules are not standardized, but we can get there with the right focus and I believe we will. Data standardization will enable us to leverage automated tools for scanning, patching, verifying required baseline configurations and as noted previously, searching for anomalous behavior. Those tools could then alert system administrators or take actions based on pre-defined rulesets to pre-empt adversary actions not just respond to them.
We need computers to do this heavy analytic work that is very manpower intensive today. This has to start from the ground up in system design. The best cybersecurity is “baked in, not sprinkled on.” With any new systems, cybersecurity needs to be considered as important as the basic functionality of the system. It needs to be incorporated from the beginning with defense-in-depth mindset for mission assurance being at the forefront of system design discussions.
This coupled with creating and sustaining a culture of cybersecurity ownership by all hands is imperative. The best technical solutions can quickly be undermined by untrained or careless network users who do things to endanger the network or by-pass security measures. There needs to be improved accountability for cybersecurity at all levels of the chain of command and everyone must view cybersecurity as their personal responsibility.
Q: One thing that security experts agree with is that users cause the overwhelming majority of cybersecurity breaches. Why do you think that users continue to be vulnerable to spear phishing — even at the Joint Staff level? Should personnel who cause a cybersecurity breach be held accountable?
A: Spear phishing emails are getting increasingly sophisticated so I don’t entirely blame users. Gone are the days of Mr. Jones from Country X sending an email requesting your bank account information because he won the lottery and wants to share his good fortune. Users need to be savvy and suspicious about any emails with hyperlinks, attachments etc. If you didn’t expect it, send a note to the originator asking if they truly sent it. Sure it takes a minute but it could prevent a virus from being downloaded or worse.
With that being said, we still have lazy or careless users who don’t think before that act. I do believe that those people should be held accountable just as they would be if they were careless or negligent with a firearm. They need to treat our networks and cyber assets like weapons systems. That will only come through instilling an all hands culture of cybersecurity; through training and holding individuals accountable when they disregard rules. This culture, instilled and executed by all hands, could be extended to how they operate at home and would go a long way to helping them avoid becoming a victim on their personal cyber devices as well.
Q: Do you have a cybersecurity nightmare that keeps you up at night?
A: I think the thing that concerns me most is what we don’t know and what may already be lurking in our networks that we cannot detect. I also worry about potential attacks to our national Supervisory Control and Data Acquisition (SCADA) systems that control critical infrastructure (power, water, etc.). There is never going to be enough money or resources to fix all cybersecurity vulnerabilities, which increase daily owing to the agility and creativity of adversaries, and due to the low cost of entry into this warfighting domain (new carrier costs $12 billion, how much does it cost to train a hacker? It’s cheap by comparison). So we need to be smart about the resources we have, investing them in protecting our key cyber terrain and those functions that will ensure we as a nation and a military can “assure the mission” and fight through hurt as we say.
Q: There has been a lot of commentary on various blogs from naval officers and enlisted personnel discussing a lack of naval innovation, unresponsive administrative processes and barriers to innovation. SECNAV launched an innovation website and a group of young officers started the Athena Project to kick-start naval innovation. You wrote an article for CHIPS about fostering fleet innovation within the command structure. Do you think the Navy has lost its edge and why? What can military and civilian personnel do to promote innovation?
A: No, I think we as a service are incredibly creative and innovative; it’s part of the Navy’s legacy and DNA. Let’s face it, there is going to be frustrating bureaucracy in any large organization, you can’t use that as an excuse to not push innovation. The key for leaders is to find those ideas that are truly innovative (not just novel) and champion those people who are innovative and implement change. “Good idea fairies” who just toss out good ideas for “someone else” to make happen are useless — find the person who will push it through to implementation and support them.
Be careful not to assume that innovation is always technology driven either. Sometimes it is, but true innovation always involves process change and that is where focus should be. That process piece is hard, but we can teach people to not take counsel from naysayers and press forward until they get an idea to execution.
We also need to be better as a service about accepting calculated risk and allowing for failure. Subordinates need to see seniors try and fail and try again and ultimately succeed. Sometimes the most important lessons learned are from those situations where we’ve failed but if there is a zero tolerance for failure people will be less inclined to take those calculated risks. Innovating is not easy, but we can encourage and reward a fleet of creative, action oriented innovators by making their ideas reality. For a true innovator, there is no greater reward.
Q: What types of innovative cyber weapons or capabilities are needed in the fleet?
A: Capabilities needed for the fleet are those that will make it easier for Sailors to operate and defend their networks and that can be used without communications back to shore which they may not have in the fight. Right now it’s a tough challenge to get all the networks afloat up to today’s standards and ensure the highest levels of cyber protection.
At some point, serious consideration should be given to a vertical cut (one less ship for example) to ensure command and control, communications, and computer wholeness for all platforms afloat. Budget realities being what they are, those are very tough decisions that leadership does not take lightly as there are serious mission impacts to any vertical cut. It is about where we are willing to accept risk. We have taken risk in our networks for many years but with OPNAV N2/N6’s Task Force Cyber Awakening (now the Navy Cybersecurity Division OPNAV N2/N6F4) and the transition to the longer-term Cybersafe initiatives, they have significantly increased understanding, focus, and funding for cybersecurity in the past few years. So the Navy is making progress.
Another capability I would like to see is alternatives to space for the fleet that include unmanned and autonomous (UV/AV) vehicles and Battle Force Tactical Network-Enhanced to extend command and control should primary means fail. Battle Force Tactical Network-Enhanced will give us capability to do data/voice over high frequency up to 128 kps. Doesn’t sound like much but it would enable your command and control thin line in a crisis.
For the UV/AVs, it would be great to see a framework of “swappable” payloads based on mission requirements. Where a Strike Group Commander could have a squadron of UV/AVs and within minutes put an intelligence, surveillance and reconnaissance payload on it to rapidly gain shared situational awareness of the battlespace, or to quickly employ a robust communications payload instead if denied access to spaced-based systems to extend command and control via an aerial layer communications network, or the Commander could rapidly deploy a kinetic weapon payload for traditional strikes. You can’t put all that capability effectively on one airframe and currently unmanned vehicle designs don’t allow for that kind of quick reconfiguration, but hopefully they will in the future. I’m not disputing it’s an engineering challenge, but think there are innovators out there that would take it on. Bright minds will get us there.
Q: Is there anything else you would like to talk about?
A: Thanks for the opportunity to comment. I think we have exciting times ahead of us and incredible opportunity to be innovative in how we assure our missions for national defense. We are privileged to keep attracting and maintain committed Sailors, officers and civilians with impressive talent at all ranks. They will ensure our progress.