“What is cybersecurity, how is it really performed, how much is it really worth?”
This was the stage set by retired Rear Adm. James Rodman — former chief engineer at the Space and Naval Warfare Systems Command and currently CEO at XSITE — for the Cyber Security panel at the recent Fleet Maintenance and Modernization Symposium. As Rodman noted, when it comes to ship maintenance and modernization, these questions get even harder.
Andrew Santell, SSC Pacific’s chief engineer and architect for a Navy enterprise cybersecurity effort, said while SSC Pacific and a bevy of other Navy commands are tackling the cyber challenge, there is still a lot of work to be done in this rapidly evolving field.
“I don’t think any nation state or anyone has really figured out the cybersecurity problem,” Santell said.
One of the first steps to ensuring secure networks — ashore and in the fleet — is people: training current personnel on cyber hygiene practices, but also hiring and retaining top talent.
“It’s not just the user behavior that we need to anticipate, maybe because they either negligently or maliciously clicked on that link or gave out their passwords or put them on a sticky note,” Santell said. “It’s also about hiring, retaining and training the right people.”
Santell used his personal experience to illustrate the problem. Of the 100 graduates in his master’s program in information security technology and management at Carnegie Mellon University, only five went on to work for the U. S. government. These five were paid 20 to 40 percent less than the median income of their class, which contributed to four of the five deciding to leave government work. Santell is now the only one from his class still putting his skills to use for the government.
“That is way too low. We are starting to see some efforts in the right direction — universities working with government on scholarships to have people go work for them afterwards. We’re starting to see specific cybersecurity billets — it’s just not happening fast enough and that is something I think we are significantly lacking.”
On the training front, Santell said staging more realistic cyber exercises as the Navy does with every other domain of war — think Trident Warrior, Citadel Protect, RIMPAC, etc., — would be beneficial. He said often the red team versus blue team, or offensive cyber versus defensive cyber, exercises are too constrained to allow personnel to actually uncover vulnerabilities that can then be addressed.
Another item on Santell’s cyber wish list, as it were, is better protection of the patching system and a more comprehensive understanding of patching information. Patches are pieces of software that fix a vulnerability or update existing software.
“That patching information is, I won’t say readily available, but it’s available to our adversaries, so when it comes to modernization, one thing I would encourage us to think about is to better protect that data,” Santell said. “The other thing I think we need is better situational awareness of what’s going on. When it comes to patching, we’re never going to be 100 percent patched, but at least if we know what we have patched and what we don’t have patched — if we can monitor those specific hosts or IPs or whatever — when attacks do come in against those open patches we’re ready to respond.”
Santell was joined at the Fleet Maintenance and Modernization Symposium at the San Diego Convention Center by SSC Pacific’s Carly Jackson, director of prototyping for Information Warfare, who shared information on the new advanced naval technology exercise concept meant to accelerate acquisition through rapid prototyping, and Tom Tiernan, the Center’s executive portfolio manager, who shared background on SSC Pacific and its mission.