Q: Why did SPAWAR establish a Cyber Readiness Team (CRT) for the fleet?
Wolborsky: There are a lot of indicators of what and why we decided to establish a Cyber Readiness Team, but the main reason is we consider it a main battery function for SPAWAR. Today, there are a lot of indicators to the problems and challenges associated with cyber: the threat and the impact of that threat growing significantly over time. Everybody’s reliance on data and the network is growing in parallel with that threat.
In response to that threat, experts from cyber, networking, COMMS (communications) and the rest of the Navy C4I enterprise are stepping up and addressing cyber from an enterprise perspective. Today, there are myriad disparate mandates, requirements and directives that [are] issued to address cyber challenges which are currently addressed in a federated manner. As a result, the response and the level of readiness associated with that is lower than if we looked at this from an enterprise perspective.
Last year, SPAWAR leadership, [Rear] Adm. Patrick Brady, mandated in the Commander’s Guidance that we stand up a Cyber Readiness Team. We took action and started to build the team to improve the fleet’s performance in cyber and started to formulate a plan. As a result, there are many specific things we’re looking at and [we] are currently taking action in many different areas. I’d say the relevance of cyber is growing; the importance of the network is growing; and the impact the threat could have with the Navy’s ability to operate is growing. The response was not a consistent effort so we are being tasked to take control of this and implement an enterprise approach to increase cyber readiness to the fleet.
Q: What was the response from the fleet in reference to the announcement of the CRT at the C4ISR Symposium in April 2014?
Robey: I think the positive response was that people were happy SPAWAR was taking an enterprise approach to the problem. The negative response was, in aggregate, pretty small. A few folks were surprised we were standing up a CRT. The readiness term catches some people’s attention as a SYSCOM (system command) is doing a TYCOM-like readiness responsibility.
What we really are doing is readiness-centric: improving the tools and other SYSCOM niches to improve fleet readiness. Once we got around to telling people what we were doing with the CRT, they were very pleased because what we are doing is very complementary to what they are doing, cyber inspections being one of those things. They are working hard at doing current readiness assessments and using our tools to improve those assessments.
Wolborsky: We’re trying to make the capabilities that are delivered onboard ships, subs, shore sites, and aircraft as cyber-ready as possible so that the operators can better perform their cyber defense or cyber warrior missions. We are not performing the mission but we are facilitating their ability to perform that mission through the tools and capabilities they have to be cyber secure.
Today, there are large scale data collection efforts and research being conducted to determine potential issues and challenges on the network. We’re in the process of creating an enterprise structure to automate these capabilities and continuously monitor them so they can immediately ascertain, derive and take action to address those issues in the fleet. Today, it is a very federated and labor intensive process and [we] are moving towards a more agile and aggressive ability to address real-time issues in the cyber domain.
Robey: I would add how burdensome it is for the fleet to keep up with cyber hygiene management, which is similar to the automatic periodic software patches that we are all used to having applied to our home computers. It’s not easy for the Sailor on the ship to have that same effect. There’s a lot of manual work they need to do to load patches on the network and we are trying to make the process easier for them, making the tools to do the reconciliation of what should be on the ship versus what is actually on the ship. Those are some things right now that take a lot of effort for the ship to do. I think what we are doing in the short term will make it a whole lot easier. We can do better assessments that will be patched and will allow them to be more efficient.
Wolborsky: Additionally, we’re supporting the other Navy SYSCOMS, to improve their cyber readiness [by] including them in our enterprise efforts and expanding this activity to look at cyber readiness from an entire ship perspective. We are deploying SPAWAR cyber experts to the other SYSCOMS and Program Executive Officers (PEOs) in order to ensure enterprise adoption of the tools and processes that are coming out of the SPAWAR cyber activities.
Q: What does the CRT look like? How many people are on the team? Do you go in as a team?
Robey: The CRT is a cross-functional team that includes FRD (SPAWAR’s Fleet Readiness Directorate), 5.0, 8.0. The PEO [C4I] is also a part of the team. In aggregate, it includes full-time and some part-time people, about 18 in total. It is more like an IPT, a cross-functional team across competencies. Rob is the executive sponsor for that group. . . We are doing our developing and are currently working with the Teddy Roosevelt Strike Group, which will deploy early next year. We are deploying training teams composed of Reservists, FSETs (Fleet Systems Engineering Teams), some of our cyber readiness team, and SSC Pacific experts in some of these toolsets, to Norfolk in November to do on-ship training in the tools.
Wolborsky: We want to accelerate the delivery of these enterprise toolsets. In preparation, we’re helping crews be as proficient on these enterprise toolsets and capabilities. We will call it something along the lines of “Cyber Ready Strike Group.”
Robey: This strike group has a number of activities going on in order to tailor their cyber readiness efforts. For instance, Information Dominance TYCOM activities, such as going around and working on the hygiene management, such as software patches. We’re going to go in November and train them up on the four or five tools that are significant to the cyber readiness hygiene piece. Some of the tools that are critical are SPAWAR developed and sponsored, such as VRAM (Vulnerability Remediation Asset Management). It is one the fleet and programs of record use to identify what patches and configurations the ship should be using that incorporates/integrates with the latest DISA (Defense Information Systems Agency) scanning tool: Assured Compliance Assessment Solution (ACAS).
VRAM and ACAS help the ship determine whether or not they can reconcile and patch their system to the current level required by Fleet Cyber Command and DISA.
Wolborsky: The ACAS tool will automatically scan on the ship and report back to VRAM whether or not a patch/update has been successfully installed. When it has not been successful, you know right there — in a single place — what action you need to take or what patches you do not have on this specific system. You at least understand what your vulnerabilities are and what to look for from a readiness perspective. This is a key element to attain continuous monitoring and cyber situational awareness.
Robey: Another critical tool is Windows Server Update Service (WSUS), a PMW 160 product, which functions kind of like your home computer with the patches and updates you get from Windows on a periodic basis. We are watching how well the ships are using the WSUS tool and working with the TYCOMS and the ships to improve their patch readiness.
Wolborsky: There are some settings and configurations they need to stay in, in order for the patches to flow through the network and all of the way to the client. Another tool we’re working to utilize is the SAILOR 2.1 web portal. We are working to make SAILOR 2.1 the “one-stop-shop” for system software patches. Our efforts with SAILOR and integrating it with VRAM will tell the fleet what patches they need and, ultimately, go to get the patch from SAILOR 2.1 that will present the patches much like our PCs [and] smart phones update patches and apps.
Robey: VRAM is really what the fleet is using to assess the ship’s performance in this area, so some of these type commanders are trying to use this tool already to make these cyber readiness assessments. The better we make the tool, the more accurate the assessments are going to be. That’s why everyone is excited about what we are doing — because it’s going to make that tool and the data in it authoritative and very usable.
Wolborsky: Within SPAWAR, everyone is adopting VRAM and now we’re going out to NAVSEA and NAVAIR and working with them to adopt VRAM as well. In a remarkably short period of time I think everyone will be using that tool. That by itself will be a force multiplier to cyber readiness and will improve our ability to maintain and persist this capability for the fleet.
Robey: It’s really mandated and at some point everyone is going to have to get onboard with VRAM. That’s been our message. You have to get there eventually, and we are facilitating the process.
Wolborsky: We are proactively facilitating the adoption of this tool faster than it would without our team focusing and taking it on.
Q: What are some of those challenges?
Robey: Rob pointed it out earlier. The data is federated. It’s everywhere. What we are trying to get to is platform readiness, rather than individual system readiness. So, as a result, the data in the databases around SPAWAR are focused on a system. We are developing what we are calling platform cyber-baselines. We’re going to identify what software is on a ship, which may surprise some that we haven’t looked at it that way, but we haven’t for a lot of reasons.
We are trying to pull data from a number of databases to develop these baselines. The baselines are huge. You can go one-stop-shopping for one ship and say this ship is deployed, perhaps they’re under attack or there’s a vulnerability, and ask how patched they are for that threat. It is basically a threat assessment for a platform or strike group.
Wolborsky: I would add that there is a lot of variance out there as far as C4I or networking capabilities are concerned. The variance goes from very old legacy systems and capabilities to state-of-the-art systems, like CANES (Consolidated Afloat Networks and Enterprise Services). This presents a challenge to get everyone to a threshold level of cyber readiness and is a key reason that we need to take an enterprise approach to cyber readiness.
Robey: Despite all the difficulties and visibility on cyber, everyone has been very supportive as we have gone around and asked for information. I’ve been very impressed with how forthcoming everyone has been sharing information in order for us to build a baseline and get an understanding of what we have out there in the fleet from a platform view. I don’t want to leave the impression that there’s a lot of non-compliance on a wide scale, because there’s something to be said about the architecture that we have in place that provides defense-in-depth and, ultimately, helps mitigate some of the risk. I think the stuff we’re doing will certainly increase the readiness of an individual platform.
Q: Does the CRT have a relationship with the Navy’s Task Force Cyber Awakening (TFCA)?
Wolborsky: Absolutely, our SPAWAR FRD Technical Director, Bob Stephenson, is a key technical member on the task force. We briefed the fleet and the task force on what we were doing today in support of the larger TFCA mission. We are a supporting element from a technical “touch the fleet” perspective. If you look at what TFCA’s role is, it’s to get us to define that desired end-state, or cyber-wholeness, and increase current readiness.
We are very much plugged into the path and direction so that we can be sure we are focusing our resources and activity to be complementary and facilitate the success of the TFCA mission moving forward. We’re touching the fleet today and improving their cyber readiness and posture, today. There are a lot of issues that TFCA is addressing to permanently fix the big issues out in the fleet. Those are the long-term issues, like the variance and other things out there, such as prioritizing the big Navy’s resources to best address cyber within the funding constraints that we have.
Robey: TFCA goes after big rocks, such as eradicating obsolete operating systems. The baselines will help the modernization, because they can see in aggregate where we have issues such as obsolete operating systems. Once we understand some of these issues, we can focus activity and funding to eradicate the old OS (operating system) or other readiness risk issues.
Robey: They are also going to look at process. TFCA is way beyond just modernization. They are going to look at how we operate as a Navy in the cyber domain: how we address the threat; how we develop capabilities and define requirements and bake cyber into future requirements and specifications and system development; and how we deliver capability to the fleet and warfighter from a cyber-whole perspective. The process of maintaining that level of cyber excellence is really what TFCA is addressing. We’re helping to inform them so that they can build that vision into the future.
Q: How are you addressing those layers of bureaucracy in the Navy, with all the resource sponsors?
Robey: Having leadership, advocacy and entities like TFCA helps us weed through some of the limitations that we might otherwise have if it wasn’t sponsored by senior leadership. I think Rob characterized it well. It’s going to be a journey and not a quick “a year from now and we’re all cyber safe” or some of these terms we’re using. It’s going to be a long haul. The good news is that we have a robust architecture that provides a level of security that mitigates a lot of the risk we’re concerned about.
Wolborsky: I would say that the CNO, ASN RDA (Assistant Secretary of the Navy for Research, Development and Acquisition) and all the SYSCOM commanders are all completely committed to supporting the effort moving forward on cyber. I’ve been in many discussions and have seen first-hand their level of commitment to this effort moving forward. I’ve never seen anything like that level of alignment and commitment. It’s a kind of “aligning of all the stars” to support our ability to support the mission. I’m confident that we will make a tremendous amount of progress over the near to mid-term in this domain.
Q: Can the fleet take advantage of any of the IT improvements and efficiencies that have occurred on shore, such as data center consolidation and cloud computing?
Wolborsky: I’d say that those are things that are being planned for the future of cyber, but in the near term, we are doing many things on the shore, with the VRAM consolidation being a big plus, a host-based security element being taken to an enterprise-shore-approach so that it makes it easier for the ships to operate proficiently while also improving the ability to secure them.
Data center consolidation helps the ships have the ability to be more effective in planning and maintenance, but as far as what the ships do, they have to be able to operate disconnected from the shore.
Robey: The nirvana is continuous monitoring of the ships from anywhere. From a security perspective, going on to ships is not always feasible; migrating and monitoring some of these tools with shore-based architectures is a significant challenge. We’ll eventually get to the point where we can just remotely monitor ship readiness. Right now, it’s pretty much an honor system and self-reporting for a good portion of the patching and compliance measures, which means you have to go on the ship to confirm their readiness.
Wolborsky: It’s a significant burden on the warfighter and not necessarily the most effective means of maintaining cyber readiness.
Robey: The frustration you hear from the fleet, I think is because of the burden of this type of stuff. It is no wonder they struggle. It’s very hard, and I think that’s why I want to stress that we’re working on the tools and getting the programs of record to populate the configurations in different places. That’s where they get really excited. It’s real; it’s near. The average fleet operator doesn’t feel technology that’s five years away will help him. That’s why our stuff is very impactful.
Q: Why aren’t routine modernization and cybersecurity upgrades sufficient to address cybersecurity vulnerabilities?
Wolborsky: They are a complementary piece of the answer. But the issue is like your computer at home: you can’t get the latest version of your antivirus and the current operating system baseline and think you’re good for the next few years. You are always addressing discovered vulnerabilities and emerging threats. The cyber world is not a physics-based type of static threat that you’re dealing with. You are dealing with a dynamic and asymmetrical emerging threat.
What modernization is doing, with CANES, for example, is providing you with the foundation to be able to maintain an optimum cyber posture at all times. But you’re always going to be finding and addressing vulnerabilities over time. I think what we’re doing is complementary, but you have to do both. You have to field the modern capable systems that allow you to maintain a cyber-posture and to maintain that cyber hygiene for that system over time. You have to do both.
Q: What is the CRT’s role in assisting and preparing the fleet for their cybersecurity inspections?
Robey: We have had an emerging role this last year that requires us to do advance work prior to inspections, both afloat and ashore. We have a team that goes with the inspection team from Fleet Cyber Command, which is considered part of the team. They are with the inspectors while they are doing scans and looking at the findings; they root out the false findings. There are a number of those when you do a scan, so they reconcile the findings.
We build up a history of knowing what they will find before they get there. What we’re doing now are several pilots with ships having upcoming inspections. We inform them of what will come up with their inspection and then work on the tools, like VRAM, so they know how to use them. We are optimistic that the next couple of ships coming up with cybersecurity inspections will perform better than they would otherwise. Modernization is necessary to improve those scores. Unless you have the latest host-based security system on board, you will lose points on the inspection. Some things you just can’t fix with proactive activities; it must come with modernization.
Wolborsky: I’ll also add that everything that the CRT is doing today will be reflected in improving cybersecurity inspection performance and scores. The things we do over time, and the more discipline instilled over time, the higher the scores are going to go. We are directly involved by helping them prepare for these inspections. Bringing those enterprise toolsets and capabilities to these platforms in advance of their cyber inspections will be the next step we’re going to take.
Robey: There is one ship in the Roosevelt Strike Group that we anticipate will get a much better than average score based on our activities and efforts. We’re going to prep them for their inspections and we’re also going to put all these new tools and capabilities onboard as part of this cyber ready strike group effort. Our goal is to improve the cyber readiness for all the platforms out there in the fleet.
Q: How many people are on a team? How long are they on board? Are they military or civilian, where do they come from, what is their background?
Robey: The teams as a whole don’t go to the ships but are the Echelon 3 and SSC Pacific CSI (Critical Safety Items) experts in the field of cyber readiness. That’s about a team of seven people right now. The teams we’re going to deploy for the Teddy Roosevelt will be on the order of about five or six people per ship.
The Reservists component is another element bringing leadership capability to the teams. When they go to the ships they will take a number of services to the fleet, such as cyber security certifications and other IT certifications that system administrators will be required to have. The Reservists will also bring training packets to train them up and get them certified. We’ll bring some of that with our team, too, so if they’re deficient on certifications or qualifications, we’ll also be able to get them trained up.
We’re still firming the details up before going onboard the Teddy Roosevelt Strike Group in late October or November. There are five ships scattered between Norfolk and Mayport we’ll be working with and deploying teams to go onboard as trainers and facilitators to train them up. Afterwards, we’ll be able to get before and after data and gauge any improvement. We know that once we get VRAM tuned up, they will look better. We want to get them before they deploy, because once they are out there, it’s hard to get to them. The Teddy Roosevelt Strike Group is the first cut at this, so this is our first run at doing a real focused cyber-readiness event for a strike group.
Q: What does the future look like for SPAWAR’s Cyber Readiness Team?
Robey: If we demonstrate success early with the Teddy Roosevelt Strike Group, as an example, we will prove that there is value-added to what we are doing. We will then be able to fine-tune that, mature it and then standardize the best practices of those things and get in a battle rhythm of doing strike groups. Some of what we’re doing is building enterprise processes, which will help define how we will work it through the system to get it adjudicated. There is a lot of process mapping going on as to how to do this.
Wolborsky: It will be very busy! I’d say that we’re melting the snow off the tip of the iceberg right now, and I think that cyber and cyber readiness will be an enduring role for us. We need to be persistent and consistent in our ability to maintain a high level of support to the fleet. We stood up these teams at the beginning of the year, and we’re already seeing a positive impact as we move forward. I think the SPAWAR Cyber Readiness Team is going to be a main element of the current readiness execution arm for the TFCA effort to address, adapt and optimize the cyber posture in the fleet.