
What the U.S. Navy is Doing about Cyber Security

Published Oct 23, 2015 5:48 PM by The Maritime Executive

The U.S. Navy has reaffirmed its commitment to information dominance and issued guidance to its sailors regarding how to minimize the risk of cyber threats.

The cyber threat reaches beyond traditional information technology (IT) networks and computers to systems that affect nearly every aspect of the Navy's mission. Machinery control, weapons and navigation systems may be vulnerable, as well as the networks and computers commonly used by Navy personnel.

To protect against these threats, the Navy has made significant changes, including how it is organized and how much it invests in cybersecurity.

In 2014, the Navy established Task Force Cyber Awakening (TFCA) to improve cybersecurity after its network was compromised the previous year. The mission of the task force was to take a comprehensive look at the Navy's cybersecurity and make changes to improve its defenses.

TFCA established priorities for protecting the Navy based on recommendations from industry, the cybersecurity community and stakeholders. Using these priorities, the task force evaluated hundreds of funding requests for addressing vulnerabilities, which resulted in $300 million being set aside in fiscal year 2016 for solutions that strengthened the Navy's defenses and improved awareness of its cybersecurity posture. TFCA used the same approach to evaluate over 300 competing funding requests for the next five years of the Navy's budget.

Isolate Breaches

One of these funding priorities was for control points, which allow the Navy to isolate portions of the network after a breach is detected. Much like the watertight compartments on a ship, these control points will allow the Navy to limit the impact of a compromise and keep adversaries from moving to other targets in the network. These control points will also allow the Navy to selectively limit connectivity for parts of the network if increased cyber activity from adversaries is expected, similar to how ships set different material conditions of readiness.

CYBERSAFE Project

The task force also formed a Navy-wide group to implement the CYBERSAFE Program. CYBERSAFE is modeled after SUBSAFE, the rigorous submarine safety program begun after the loss of the USS Thresher (SSN 593) in 1963. Like the submarine program, CYBERSAFE will harden a critical subset of warfighting components, which could be certain computer systems or parts of the network. CYBERSAFE will apply more stringent requirements to these components before and after fielding to ensure they can better withstand attempted compromises. CYBERSAFE will also require changes in crew proficiency and culture to implement these requirements.

In September 2015, the CNO established the Navy Cybersecurity Division on the Navy headquarters staff to continue the transformation started by TFCA. The new division will oversee the Navy's approach to cybersecurity, developing strategy, ensuring compliance with cybersecurity policy and advocating for cybersecurity requirements. The division will also evaluate and prioritize major investments and manage the CYBERSAFE program.

Information Dominance

The commissioning of U.S. Fleet Cyber Command and reestablishment of U.S. 10th Fleet on January 29, 2010, closely followed the Navy's 2009 acknowledgement of information's centrality to maritime warfighting, known as Information Dominance.

Information Dominance is defined as the operational advantage gained from fully integrating the Navy's information functions, capabilities and resources to optimize decision making and maximize warfighting effects. The three pillars of Information Dominance are assured command and control, battlespace awareness and integrated fires (Naval Integrated Fire Control-Counter Air).

Fleet Cyber Command's strategic plan includes five primary goals: operate the network as a warfighting platform, conduct tailored signals intelligence, deliver warfighting effects through cyberspace, create shared cyber situational awareness, and establish and mature the Navy's Cyber Mission Force.

“America’s long-enjoyed military superiority does not extend automatically to cyberspace; we will have to earn it,” states the plan.

The command’s Strategic Plan 2015-2020, released in May, can be found here.