The Department of the Navy’s first Chief Information Security Officer, Christopher Cleary, entered his position in October 2019 as the head of one of four new directorates under the DON Chief Information Officer and Special Assistant to the Secretary of the Navy for Information Management, Aaron Weis, who is charged with implementing recommendations made under the SECNAV Cybersecurity Readiness Review.
As the DON’s Chief Information Security Officer, Cleary is responsible for maintaining the security of DON data and information, regardless of where it resides. He is also responsible for meeting communication security standards, implementing identity management solutions, setting policy and standards across the DON enterprise, and ensuring DON alignment to the Department of Defense cybersecurity architecture.
Mr. Cleary is a 1996 graduate of the U.S. Naval Academy. He has extensive business experience in leadership positions and is a Certified Information Systems Security Professional (CISSP) and Program Management Professional (PMP). Cleary has been a lecturer at the United States Naval Academy, Federal Aviation Administration, Naval Postgraduate School, The New School of Design, Montreat College, DEFCON Security Conference, and the National Defense University.
CHIPS senior editor interviewed Mr. Cleary in mid-January.
CHIPS: Acting SECNAV Thomas B. Modly stated that increased cybersecurity and resiliency will increase the readiness and lethality of the Navy-Marine Corps team. How will CISO actions and policy protect the DON’s operations and warfighters?
Cleary: I love this question. The lethality discussion is one of my favorite topics, and I see that conversation as two sides of the same coin. If we can make our systems more secure, or said another way, more survivable, against an adversary’s ability to deliver lethality against us, then obviously our ability to deliver lethality against them is increased. So when you get into effects-based planning, at the end of the day, I’m trying to defeat the enemy’s mission. It’s not necessarily about lethality, it’s about achieving an end-state.
Lethality is, unfortunately, part of how you get to that end-state. Our adversaries think the exact same way. If an adversary can degrade a piece of equipment’s ability to function, it could prevent a Sailor or Marine from using that equipment to achieve their mission. The more survivable, the more defendable, the more secure our infrastructure is, it takes some of the worry from a Sailor or Marine that their equipment will function as it is designed to do against an adversary.
The security side is more static. The policies, the technologies that we bring to the environment to secure that system through the DON CIO, ultimately, will benefit the user at the pointy end tasked with using it. I see those threads intrinsically linked.
I’ll go back to what I said in the beginning, it’s not necessarily the delivery of lethality, but it’s the survivability of the systems that enables us to deliver that lethality, which will make us more effective as a force. This is our big muscle move. We are very much trying to be aligned with Acting Secretary Modly’s strategy which spills out of the National Defense Strategy, lethality being a piece of that.
CHIPS: The department has already made key decisions regarding the realignment of senior officials responsible for cybersecurity and IT modernization to ensure accountability and clear lines of authority. As the DON CISO what next steps are you recommending?
Cleary: I think they have done a good job setting up the DON CIO office. The simple fact that the department has created a DON CISO position at the Secretariat level is a great first step. It’s really exciting and encouraging to see the DON giving it the level of attention that it deserves.
As far as the next step, it’s kind of like anticipating the next move. The language written in the most recent NDAA (National Defense Authorization Act for FY 2020) introduces this construct of principal cyber advisors (PCAs) for each military service. I believe this is a good next step regarding lines of authority and the importance being placed on cybersecurity. An advisor that will coordinate the efforts of the DON CIO to include the security functions, the warfare component, the cyber component, as well as working with the PCA at OSD, to continue to hammer out all things cyber in this warfare continuum that we are being tasked to support.
I think all the decisions being made are pushing us in the right direction. Having been on the job for only three months, it is hard to say what the next step after the PCA would be, but I will definitely continue to support these decisions and make this construct work as well as it can before recommending what would be the next structural change for this organization.
CHIPS: In this era of great power competition, national security and continued economic prosperity depend on the cybersecurity of U.S. intellectual property and information systems. What organizations and stakeholders are you collaborating with to ensure the security of DON information?
Cleary: The office of the DON CIO has traditionally been a Navy function. Sure, we had a relationship with the Marine Corps, although it might not have been stressed as strongly as the DON would have liked. The nice thing is in the elevation of this office, we are building better relationships in the Marine Corps that might not have been established before.
The organizations that I work with on a regular basis are the OPNAV N2N6 staff (Deputy Chief of Naval Operations for Information Warfare), their counterparts, their Marine brethren in the C4 organization. Deputy Commandant for Information Lt. Gen. Lori Reynolds has been fantastic to work with, as has the DCNO for Information Warfare / Director of Naval Intelligence Vice Adm. Matthew Kohler, Assistant DCNO for Information Warfare Chris Miller, and Navy Cyber Security Division Director Rear Adm. Kathleen Creighton. They have all been very supportive of the construct moving forward.
As the CISO continues to stand up, one of the things that I am attempting to do is identify the community or tribe. There are many CISOs, lots of people with security responsibilities spread across the breadth and scope of the entire department. But I don’t think they see themselves as part of a community of practice right now. I think we feel like we are in our own little islands.
One of the things that I would like to accomplish in the next couple of months, in the first year, is to bring that community together so we can learn from each other, leverage one another. Sometimes you just need to phone someone to ask their opinion and learn from other people’s experiences. So I am looking to build that community of cybersecurity-focused people to collaborate together and get the job done.
CHIPS: Are you talking about the cybersecurity officials in the Echelon IIs?
Cleary: Exactly, the Echelon II organizations, the SYSCOMs (systems commands), the combatant commands, and the Fleet Marine Force and Supporting Establishment. First, working with the OPNAV staff and Marine Corps staff to get down to the levels where a lot of these tools, systems and networks are created and pushed out to the fleet. Then there are those receivers of that information that have their own security responsibilities – those people are also part of the solution. We want to make them feel like they are part of the team and not just at the pointy end of the stick. We are one family.
CHIPS: As the CISO, will your policies enhance the operational and physical security of personnel and installations?
Cleary: If you look at the DON CIO’s vision, the bigger picture of innovate, modernize and defend, within that defend line of effort, I see it broken up into three different focuses – culture, partnerships and technology. The culture and partnership pieces are the biggest. At the DON level, we push out policy; at the operational level it is the Fleet Cyber Command / 10th Fleet community whose job it is to push out and defend. The operational people actually doing the mission are in 10th Fleet. The question is what can we do at the DON level to make them more effective, more efficient, to have the tools, people and policies in place to allow them to operate as effective organizations.
The Navy is going to start re-baselining our networks, flattening our networks. The new networks that come out are going to be designed in such a way that the warfighting community, the operational community, can command and control, operate and defend the networks more aligned with the way the military would operate than let’s say the way a commercial organization would operate.
Ultimately, the CISO’s work will increase the security of the department. As we mature as an organization, one of the unique advantages of building something new is that security will be built into networks from the beginning as opposed to being bolted on.
A lot of the legacy systems we have now, cybersecurity had to be bolted on. The mindset now is that as we build a new network, cybersecurity will be built into it. Now, it becomes the speed in which that can take place, things like the RMF (Risk Management Framework) process and getting ATOs (Authority to Operate) approved. I believe that the more effective the security practitioners can be in streamlining and potentially accelerating the RMF and ATO processes, the faster technology can be introduced into the environment, which will improve security as a whole.
We are seeing more and more that non-kinetic effects can have a physical real world impact. Building a more secure system is all about the warfighter at the pointy end, Sailors and Marines on ships, flying aircraft and doing amphibious operations. So if we can make their networks secure, ultimately, it makes their mission more secure. So yes, I believe it will have an impact.