Testifying before the Senate Armed Services Committee this year, Vice Adm. Michael Gilday, commander of U.S. Fleet Cyber Command/U.S. 10th Fleet, stated, "U.S. Navy freedom of action in cyberspace is necessary for all missions that our nation expects us to be capable of carrying out including wars, deterring aggression and maintaining freedom of the seas."
Cybersecurity is a priority for the Navy, not only during Cybersecurity Awareness Month, but every month of the year because it enables the freedom of action in cyberspace described by Gilday.
The systems and networks the Navy must protect, its "cyber platform," are complex and daunting in size. More than 500,000 computers are connected to our networks, but the cyber platform also includes ships' hull, mechanical and electrical systems — such as those that control steering and power — weapons and navigation systems, aviation systems, and the technology controlling physical devices on bases and facilities-control systems.
With today's rapidly evolving threats, ensuring complete security is impossible. Instead of attempting to address every possible weakness in our cyber defenses, we are executing a cyber resilience strategy that will enable us to "fight through" the inevitable compromises.
Cyber resilience is like shipboard damage control. If a ship is hit, the crew quickly determines what has been damaged, isolates the damage, makes repairs, implements work-arounds and continues fighting.
The Navy's strategy for cyber resilience includes making significant investments in people, processes and technology to: account for what needs to be protected (Identify), harden the Navy's cyber platform (Protect), identify anomalous behavior (Detect), respond to compromises (React) and restore normal operations (Restore). The strategy also includes investments and initiatives for the Cyberspace Workforce (Foundational).
We are executing the cyber resilience strategy across the entire force — afloat, undersea, aloft, ashore, command, control, communications, computer and intelligence-space, Military Sealift Command and fleet. Plans supporting the strategy include core tasks that are common across the Navy as well as domain-specific tasks. Included in the plans are Department of Defense and congressionally mandated tasks, such as the migration to a more secure way of logging onto computers and the assessment of weapons systems and control systems for vulnerabilities.
The priority placed on cybersecurity by the Navy is evident from the level of senior leadership involvement in this critically important issue. The Navy's Cybersecurity Executive Committee is co-chaired by the vice chief of naval operations and the Assistant Secretary of Defense for Research, Development and Acquisition. The executive committee provides cybersecurity oversight and conducts progress reviews of Navy cybersecurity initiatives, including progress on each domain's cyber resilience plans.
We have made significant investments to improve our cyber situational awareness across all domains.
We are protecting our networks and systems with a defense-in-depth approach that layers sensors and countermeasures to increase the difficulty of attacks and segments the network to keep adversaries from moving laterally in the network. This type of architecture also allows compromised systems to be isolated so damage can be contained during recovery operations.
The Navy also continues to identify and harden mission critical systems through the CYBERSAFE Program. CYBERSAFE is modeled after SUBSAFE, which is the rigorous submarine safety program begun after the loss of USS Thresher (SSN 593) in 1963. Like the submarine program, CYBERSAFE will harden a critical subset of warfighting components, which could be certain systems or parts of the network. CYBERSAFE will apply more stringent requirements to these components before and after fielding to ensure they can better withstand attempted compromises. CYBERSAFE will also require changes in crew training and procedures.
In addition to devoting time and resources to mitigating current cyber threats, we are also preparing for future threats by mandating that cybersecurity be addressed during the development of new systems. One of the ways program managers are meeting this requirement is by applying Navy cybersecurity technical standards throughout the lifecycle of the various systems.
Gilday's comment before Congress that "we believe our people… can make the network stronger" explains the emphasis the Navy has placed on providing cyber and cybersecurity training for its personnel. Because our entire Navy needs cyber training but not everyone requires the same level of instruction, we have developed tailored cyber training for our cyberspace workforce, leaders, users and enhanced users.
- For the cyberspace workforce, the Navy is providing training that enables them to manage, defend and attack information technology.
- Cyber training is also being delivered to an increasing number of officers by integrating that training into their professional military education, as well as their undergraduate and graduate curriculum. The Navy has also begun to address the need to integrate cyber training in other leadership development courses.
- All Navy personnel are required to complete online cybersecurity awareness training upon hiring or accession, with an annual refresher.
- As part of this effort, systems and operational commands have identified enhanced users who require specialized cybersecurity training based on the roles they perform. For example, certain engineers at the systems commands will receive cybersecurity training so they are able to build better defended networks and systems. Some of this training is already underway.
Our cyber resilience strategy is well suited for today's rapidly changing threats. There is certainly more work to be done to fully implement cybersecurity and change the culture across the force. As Chief of Naval Operations Adm. John Richardson reminds us, "It's not just in October, we're in the cyber fight 24/7, 365 days a year … cybersecurity is an all hands, all the time effort. Let's get after it."