In recent communications to Navy personnel, Secretary Richard V. Spencer and CNO Adm. John Richardson called on Sailors to bring forth innovative ideas that will enhance the performance of the force and capitalize on our best talent. Our team of five Sailors recently completed a weeklong visit to Norfolk, Virginia as part of the Space and Naval Warfare Systems Command (SPAWAR) Reserve Program (SRP) Defensive Cyber Operations (DCO) Systems Operability Testing (SOT)/Cybersecurity Shipboard Engagement Training Team (CSETT) evolution.
The SPAWAR Reserve Program is the singular Reserve capability focused on current readiness of SPAWAR capabilities across the fleet. The SRP is comprised of about 400 Sailors distributed to 18 units across the country. Within the SRP are 20 programs. The DCO is a SRP with a mission to help monitor and report fleet cybersecurity readiness; train and assist the fleet cybersecurity workforce, and develop emergent cybersecurity capabilities. In FY17, the DCO program provided 6,355 total hours of direct cyber support to 59 ships in 10 fleet concentration areas.
While the original mission in Norfolk was focused on systems operability testing of one Nimitz class carrier, we were able to provide additional CSETT visits to four DDGs (destroyers), one LSD (dock landing ship) and one T-EFP (expeditionary fast transport ship). The state of each ship’s cyber health and readiness varied — yet in all cases — ship’s force and leadership all signaled demand for consistent, additional support to maintain cyber readiness.
The most compelling interaction took place in the wardroom of a DDG. The commanding officer (CO), executive officer (XO), chief information security officer (CISO) and communications officer (Commo-O) hosted our team to review cyber readiness. The XO offered an analogy between the ship’s 5-inch gun and the Vulnerability Remediation Asset Manager (VRAM) which automates information assurance compliance for fleet IA managers. The XO said he can understand, troubleshoot and explain the impact on readiness if there is an issue with the 5-inch gun. But for a platform such as VRAM, which he characterized as a “defensive cyber weapon,” he doesn’t know how to evaluate and assign risk or explain the impact on readiness.
The CO was pleased with all the progress our team had made in one day and asked when we could be available to visit again or if we could interface on an ongoing basis. He suggested that we become the ship’s Reserve force for cyber issues and even offered to provide a ship’s ballcap. As our team walked off the pier, the concept of a SurgeCyber team, based on the SurgeMain Framework and dedicated to a ship or group of ships, was born.
SurgeMain Framework and High-Velocity Learning
Surge Maintenance (SurgeMain) is an innovative Naval Sea Systems Command (NAVSEA) program whose mission is to recruit and train Reservists with needed, targeted technical skills and place them in shipyards and on engineering projects where they can most effectively provide support. The SurgeMain program’s priorities include pairing those trained Reservists with signaled needs from the shipyards, searching for and recruiting the most effective and motivated personnel available — and ensuring productive professional development for those Reservists. To accomplish these critical and complex goals, SurgeMain is a nationally-directed program with dedicated units distributed among nearly all the states.
In recent years, this program has grown to include over 1,800 enlisted and officer technical experts. Importantly, the shipyards and the active duty engineering community see SurgeMain as a part-time, highly flexible maintenance workforce with vital skills and surge capability for responding to urgent and rapidly evolving demands. SurgeMain Reservists typically spend their annual training — and sometimes inactive duty training or funded active duty training — working in a shipyard or other facility where there are projects in need of their level of supplemental support. This adaptable and responsive workforce offers pluggable and highly motivated manpower, expertise and leadership anywhere and anytime they are needed.
In addition, leaders within the SurgeMain community manage their activities using internally-developed foundation-level training in acquisitions, contracting and project management. In other words, they bring business and management expertise along with an extensive range of technical skills. SurgeMain functions as an agile personnel management layer integrated into the various engineering communities in the Navy such as industrial maintenance, combat systems, divers, heavy lift, strategic systems, and platform-specific teams.
The proven model that SurgeMain exemplifies is not restricted to addressing needs within the Navy’s mechanically or physically-oriented engineering infrastructure. The concept of maintaining a highly-skilled, focused surge force applies to a variety of major activities within the Navy. This highly dynamic approach to addressing the impact of massive, expensive workforce shifts requires and enables a kind of as-needed problem-solving innovation and the continuous process improvement that underlies the Navy’s growing culture of high-velocity learning. High-velocity learning involves leadership development through efficient sharing of information and systematically harvesting lessons from inefficiencies or mistakes. The knowledge gained from this practice is used to empower personnel at all levels of an organization, encouraging stakeholders (i.e., anyone working on a project) to identify and contribute to resolving inefficiencies. It is important to note that this article represents a deliverable resulting from employing high-velocity learning.
The SurgeCyber idea has the potential to address multiple areas of concern across several stakeholder groups. CSETT teams have encountered, across numbered fleets in ports around the globe, the constant personnel churn, training gaps, and inconsistent cyber health of ships. Active duty personnel are looking for support, training and skill development opportunities while Reserve Sailors wish to contribute their experience and abilities, remain connected to the fleet, useful — and a part of ship’s company. Every ship in each ship class is searching for a stable, repeatable, consistent approach to maintaining and defending its network, digital assets and sensitive information. Fleet and ship leadership desire stable and dependable assets whose cyber profile can meet the ongoing global Naval requirements.
A two-year pilot phase of the program would consist of one “Continental United States” (CONUS) and one “Outside of the Continental United States” (OCONUS) team of SurgeCyber personnel supporting ships located in Norfolk and Pearl Harbor. The Reserve personnel, during the course of the year, work exclusively on certain ships in a Reserve crew model. The Reserve personnel would provide ongoing assistance with open support items while the ship is in port or underway. While in port, the Reserve personnel can take on time-intensive tasks that free up ship's company for training or higher priority tasks. A recent example from the Norfolk visit was the need for a DDG’s SIPRNET laptops to be re-imaged. This task would require 300 hours of ship’s force time yet could be tasked to a SurgeCyber team during a weekend or as an annual training evolution.
While underway, Reserve personnel can work open task items with program of record owners so that resolution can be more quickly achieved. If necessary, Reserve personnel could be sent to a port and meet a ship or ships to continue work on maintenance, upgrade or training needs. Active duty personnel enjoy the benefits of Reserve personnel experience and consistency while Reserve personnel make meaningful contributions to fleet operational support and readiness. This dynamic provides a conduit for the Navy to support current active duty Sailors while realizing and benefiting from the training investment already made in Reserve Sailors.
After the two-year pilot phase, the program could be expanded in years three and four to the additional CONUS fleet concentration areas of Mayport and San Diego and OCONUS Rota, Spain or Yokosuka, Japan for further validation and development. Should the program prove as successful as SurgeMain, a full-scale implementation will include Bremerton, Washington; Kings Bay, Georgia; Bahrain; and Guam.
Planned and executed properly, a SurgeCyber program can meet the challenges encountered across numbered fleets in ports around the globe. The constant churn of active duty and Reserve personnel, gaps in training and skill set, and inconsistent cyber health of ships can all be addressed to varying degrees. In a SurgeCyber model, our Sailors, Navy’s most precious resource, are better supported in both the active duty and Reserve realms. Sailors, from seaman to CO, will gain improved knowledge on cyber systems, how to defend them, and how to assess risks associated with them. The cyber health, readiness and risk profiles of ships across the fleet all over the globe will improve, and consistency has the potential to become the norm rather than the exception.
This group of junior officers looks forward to furthering dialogue and action that will allow for a pilot of this concept to take place. The encouragement of both SECNAV and CNO provided the impetus for this notion and article. The call for urgency and innovation has been heard and this is one answer. We stand ready to pilot this program in support of our nation, our Navy, and especially that one DDG from Norfolk — you know who you are.
Non sibi sed patriae — "not for self, but country."