“Cyber resilience is guiding Navy investments and actions,” said Troy Johnson, director of the Navy’s Cybersecurity Division, in the office of the Deputy Chief of Naval Operations (DCNO) for Information Warfare (OPNAV N2N6FE).
Johnson underscored the Navy’s ongoing journey from the stand-up of Task Force Cyber Awakening (TFCA) to its cyber resilience strategy in the Information Warfare Pavilion at the Sea-Air-Space Exposition in National Harbor, Maryland, May 17.
When then-CNO Adm. Jonathan Greenert asked Vice Adm. Ted Branch, DCNO for Information Warfare, for a cybersecurity posture assessment across the Navy’s networks and platforms, Branch found that he could not provide the data with confidence because the responses came piecemeal from stove-piped systems across the enterprise, Johnson explained.
Next, a startling wake-up call occurred in 2013 with a foreign intrusion on the Navy Marine Corps Intranet. The response, Operation Rolling Tide, led by U.S. 10th Fleet, identified areas of poor cyber hygiene and other areas that were more advanced in cybersecurity, Johnson said.
Operation Rolling Tide included a cyber-platform risk assessment and a unified response through TFCA. TFCA examined Navy IT systems holistically in response to cyber threats that run the gamut from an individual sophisticated hacker to rogue states and nation-states.
The effort is “not N2N6-centric, the cyber platform spans the entire Navy,” Johnson said. “We used existing mechanisms where possible and found that cybersecurity must be a resourcing and organizing principle. Accountability and rigor are key to an assessment.
“What we found through TFCA is that we could not fix everything, and it was unaffordable to try, so we organized under mission priority and cyber resilience as opposed to cybersecurity,” Johnson said.
“We realized the cost of adding resources for every individual solution is unaffordable, that an impregnable defense is very costly and complex. Instead, we should focus on mission prioritization, recovery and fighting through. Industry experts agree this is the right approach,” Johnson said.
Johnson explained the TFCA hypothesis — to achieve robust cybersecurity, the Navy needs to make cybersecurity a resourcing and organizing principle; and address all known deficiencies immediately. The expected outcome will be a Navy that has the right command and control (C2), accountability, and an affordable set of cybersecurity solutions. (See Figure 1.)
To advance this goal, the Navy has included a Cyber Resiliency Baseline Assessment Memorandum (BAM), inclusive of the full DOTMLPF, in Program Objective Memorandum (POM) FY17, Johnson said. A BAM is an assessment that considers the total cost of resources required to achieve or maintain a stated level of capability. It represents the absolute funding required to reach the level of capability identified for a particular topic/sub-topic. "DOTMLPF" stands for doctrine, organization, training, materiel, leadership & education, personnel, and facilities.
“Today, cyber assessments, initiatives, investments across the enterprise include all systems — afloat and ashore, command, control, communications, computers, and intelligence (C4I) capabilities, weapons systems and even hull, mechanical & electrical (HM&E) and industrial control systems, like SCADA (Supervisory Control and Data Acquisition),” Johnson said.
“Non-traditional domains, like naval bases, were less aware of the complex cybersecurity threats emanating from their HVAC systems and pier connectivity,” Johnson said. “We found incredibly varied problems so everyone has to systematically solve the issues we uncovered.”
Johnson explained that his team is writing technical standards specific to the Navy, based on the National Institute of Standards and Technology Cybersecurity Framework, to measure performance. Of the 48 standards planned, 20 have been signed or are under review by the IT/IA Technical Authority Board. Two CYBERSAFE standards have been signed and four of 16 FY16 standards are being reviewed, Johnson explained. “Navywide risk will be measured using the cyber resilience framework,” he said. (See Figure 2.)
The idea is that commanders will apply the standards in a way that fits their actual domain. The question will be whether leaders are complying with the standard and how they are proving it, Johnson explained. “We don’t think there is a one-size-fits-all approach to how these standards are applied.”
The overarching cybersecurity requirement scales from small assets to large platforms, Johnson said, and includes weapons systems, ships, aircraft and squadrons.
“Technical standards were key in the 1960s in SUBSAFE, it’s about keeping the water out of the people tank,” Johnson said. “From the network perspective, we need the same rigor and approach, technical standards to build upon with a certain acceptance of risk.”
The Navy stood up the CYBERSAFE program to assess and provide maximum reasonable assurance of the survivability and resiliency of critical warfighting information systems and platforms. CYBERSAFE is modeled after SUBSAFE, the rigorous submarine safety program begun after the loss of USS Thresher in 1963.
Traditionally, cybersecurity has focused on the protection of systems and networks, Johnson explained, but to be cyber resilient requires more. “Cyber resilience equals [the lessons learned from CYBERSAFE]: Protect – strengthen assets against threats; Detect – identify and assess adversary actions; React – fight through with pre-emptive or reactive measures; and Restore – restore assets to normal operations.
“We need the ability to detect an anomaly and to fight through it. We need redundancy. Ships, submarines and nuclear power plants are constructed this way,” Johnson said. “We can do this for the shore community, the ability to segment and control boundary points with defense-in-depth.”
Aiming for zero defects is too expensive, but there are things that you can do to reduce the attack surface, Johnson said, such as stripping out unnecessary functions from systems and software, and separating software from operating systems.
“You have to assume you have been attacked or will be, so you have to accept some risk,” Johnson said. Test and evaluation in a cyber range, for example, can be important for program managers in developing systems, he said.
Program managers will push back and say building in cybersecurity is too hard because money is finite, Johnson said. “This has always been difficult to measure — how much is a pound of cybersecurity protection worth? This is not new; in IT you have always been on the hook for information assurance… Program managers may have to realign priorities; there will be tradeoffs in the capabilities that can be delivered.”
Training is an important part of the cyber resilience strategy, Johnson said. There are working groups assessing, synchronizing and creating training programs for users based on their level of access.
“Cybersecurity training at all levels is critical,” Johnson said, “especially, anti-phishing training.” Phishing schemes have snagged users even at the highest leadership levels, he said.