Tag Archives: cyber

Sea Control 133 – Hacking for Defense with Chris Taylor

By Matthew Merighi

Join the latest episode of Sea Control for a conversation with Professor Chris Taylor of Georgetown University to talk about the Hacking for Defense (H4D) movement. Pioneered by Stanford Professor Steve Blank, H4D is bringing Silicon Valley’s innovation ethos to combat national security challenges. Chris takes us through the defense innovation ecosystem, the partnerships which support it, and how H4D is becoming a fixture in university classrooms.

For those interested in learning more about H4D and the Silicon Valley principles which guide it, Chris recommended the following resources:

Download Sea Control 133 – Hacking for Defense with Chris Taylor

The transcript of the conversation between Chris Taylor (CT) and Matthew Merighi (MM) begins below. Special thanks to Associate Producers Roman Madaus and Ryan Uljua for helping produce this episode.

MM: As I mentioned at the top I’m here with Professor Chris Taylor of Georgetown University and a member Hacking for Defense. Professor Taylor, thank you very much for being with us on Sea Control today. Now as is Sea Control tradition, Professor Taylor, please introduce yourself tell us a little bit about your background and how you got to be where you are right now.

CT: I spent 14 years in the Marine Corps as an enlisted infantryman and force recon. I finished undergrad at night. I went to night school my last three years. I left the Marine Corps and went to business school at the College of William and Mary where I earned an MBA and worked for five years after that. I went back to school at the Harvard Kennedy School where I earned an MPA in political economy and international security. I’m a two-time defense industry CEO and as you mentioned I’m an adjunct professor of national security studies at Georgetown University.

MM: You obviously have a very broad array of different experiences both in the military, outside of it, leading businesses, but also a very diverse educational background. What were the key decision points in your life as you were building your career and your educational background that guided you on the path which you eventually went down?

CT: I spent 14 years in the Marine Corps. I wanted my bosses’ job at the time I was a staff sergeant. My boss was a Major. When I did the reverse math, I would have had to have spent 10 more years to get promoted to Major just to have that job. As I evaluated all of the fantastic experiences that I had in the Marine Corps and what it had done to develop me as a leader, I thought maybe there was a different way and I wanted a way to push my Marine Corps experience through some sort of framework. I chose business school. I don’t regret that at all, it was fantastic. I loved every minute of my 14 years in the Marine Corps but I loved business school. I had a fairly easy transition to school, I got out, worked for five years in the private sector and then decided with the same formula; I had five years of experience and I didn’t know what framework to push it through to get the most of out it or contribute the most with it. So I went back to grad school at the Kennedy School. I was very fortunate. I had fantastic classmates, fantastic professors. Secretary Ash Carter was actually my adviser. So I had access to brilliant national security minds helping me think through how my experience would allow me to contribute further. That led me to leading some businesses that were successful and now I’ve dipped my toe into the teaching part of life to see how my experiences could help push forward the next few generations of national security leaders. That’s how we got to be on the phone today.

MM: Let’s talk a bit about the educational piece. I have here on the hacking4defensegu.com general info page a class titled “SEST-701 Hacking for Defense: Solving National Security Issues with the Lean Launchpad,” which I kind of understand as a man with a security and startup background. Walk us through this title. What exactly is Hacking for Defense and why is the Lean Launchpad a part of solving national security issues?

CT: Hacking for defense was a name that came along with the package when I was first asked to participate. Most people when they hear it only think it’s about cyber; that’s not true. Think about it in the way you’d think of life hacks: easy and quick ways to get things done which result in great benefit. The Lean Launchpad is a class that legendary Silicon Valley entrepreneur Steve Blank has been teaching which is basically about how to create and run a startup. It came through a series of conversations that happened out at Stanford where Steve was teaching this with Pete Newell who is a retired Army Colonel and Joe Felter, also a retired Army Colonel. The thought was “how do we apply the Lean Startup methodology to national security challenges?” MD5, which is the national security technology accelerator at National Defense University run by [Adam] Jay Harrison, is the U.S. government proponent for the entire education program. I’ve known Pete and Joe for a number years and when they decided they were going to syndicate the class to universities across the country I raised my hand and said I wanted to bring it to Georgetown. We’re about to close out our first Hacking for Defense class on May 1.

MM: So this is just the first iteration of it?

CT: It’s the first iteration at Georgetown. Stanford begun their second iteration. There are others at U.C. San Diego, Boise State, University of Pittsburgh, and James Madison University.

MM: So the model is proliferating across different universities but it is still very new. Now that you are finishing your first session, from the feedback you’ve gotten from Professor Blank and the other institutions, how has the course been going so far? What have been the things that you expected and what has surprised you?

CT: First and foremost, the most exciting thing is that I have nothing but complete confidence in our graduate students across the country to solve national security problems going forward. Our class has been nothing less than stellar. They are smart, they are committed, they work well in teams, they’ve been doing lots of discovery. And they’ve been doing a lot to solve problems. It’s fantastic. The second thing is that what we’ve learned is that when you allow students to self-organize into diverse teams around a problem, you get exponentially better results than if you assigned them to a team and then assigned them a problem. We’re very clear that self-organization leads to the best outcomes. One of the amazing things about the Hacking for Defense class is that it’s actually a team of teams. The center is the student. Surrounding them are the teaching team: myself and Army Lieutenant Colonel Matt Zais, who is the Deputy Director of the Strategic Initiatives Group at U.S. Army Cyber Command, and my teaching partner.

Then we have a series of corporate partners. Companies like SAIS, Amazon Web Services, SAP National Security Solutions, and many others come every class to support the student teams if they get to a point where their problem-solving requires a specific resource, an engineering resource for instance, an instance in a cloud environment, or mentoring for how to think about a problem. We also have mentors who bring experience in the national security ecosystem and in business that they contact to discuss their problems and think differently. And then we have military and intelligence community liaisons. These are active duty military and people currently serving in the intelligence community who can ensure that these teams can reach out to people within the organizations they are working with, which we call their problem sponsors, to elicit as much information as they can to help solve the problem they have.

This semester, we are working on four problems. One is from Special Operations Command: it’s a cross-domain solution. The next is how to use augmented reality to help military and intelligence personnel see bad guys in unstructured crowds. The next one is a social media problem: how do we use social media from an information warfare perspective to better understand what our adversaries might be doing with social media against us. We also have a counter-drone problem. It’s all the rage; everyone is writing about counter-drone. We have a team that’s working on how to use low-cost solutions to counter drones, particularly drones you might see ISIS flying.

MM: That’s a really broad array of different topics. You mentioned at the top that this isn’t just about cyber but a very broad set of challenges. I’m curious about the people who are self-organizing in these teams, since I imagine this is offered through the Security Studies Program, correct?

CT: That is correct. The Security Studies Program (SSP) is where I teach. Bruce Hoffman and Dave Maxwell have given us exceptional support to continue doing this.

MM: In terms of the students who are in these teams, do they have technological backgrounds? Are they primarily ex-military or current intelligence officers? What are the demographics of the people participating in this?

CT: All of the above. We have tech folks. We have former and current military folks. We have data analytics folks. We have linguistics folks. We have policy folks. And then of course we have the SSP folks. The course is open to all schools and all programs across Georgetown University and next year we’re going to open up Hacking for Defense to all graduate schools and graduate programs in the National Capital Region. So instead of solving four problems next year we’re going to solve 40 problems. A bit ambitious and it keeps us moving but if we want to start to develop the capability to solve problems quickly, effectively, and cost-effectively, then there is no better group of talent than America’s graduate students to be able to help us do that. That’s why we are trying to expand it the way that we are.

MM: So this course will be open to everyone in the National Capital Region starting next year which, as a person who currently works in academia, I know that getting even simple things like cross-registration agreements handled can be a challenge, so best of luck to you as you navigate those minefields on the bureaucracy side; but it’s really exciting that so many people are getting engaged. The other method of engagement that I’ve noticed is that you livestream all of the lectures for this course, correct?

CT: Every class session is livestreamed on Twitter @h4dgussp and also on our Facebook Hacking4DefenseGeorgetown. Every week we put it out there. It’s kind of like our own national security reality TV show. We put it out there because we want people to see the quality of students that we’re attracting to this class and the difficulty of some of the problems that they’re working on because, quite frankly, for many of these students this is a 13-week job interview. Many of our corporate partners have reached out to our students and said “look, when this is done I’d really like to speak to you about this” and that’s because they’re doing it well. They’re digging in, they’re becoming better problem solvers, they’re becoming better team members, and they’re leveraging everything that they’ve learned in graduate school and everything they haven’t learned yet. They are learning on the fly to solving the particular problem they are working on.

MM: So you’ve seen firsthand the positive feedback loop of the organizations supporting the course wanting to continue getting access to the students and looping them into their own work.

CT: I just spent last Friday with one of our sponsors, OGSystems in Chantilly, Virginia where the CEO and two other executives sat us down and said “we want to be part of this forever.” And the reason is because we get to see some of the problems plaguing national security but the most interesting thing is that the talent sitting in that classroom is unbelievable. We have not seen that in any other classroom environment and so they, admittedly selfishly, want to find out how to hire the very best students out of Georgetown to become part of their companies. We’re ecstatic about that.

MM: Definitely. That’s always the concern, as a recent grad school graduate; the top of mind concern for those going through their final exams right about now. I’m curious that you have OGSystems and all of these other corporate partners and the military and intelligence liaisons. How did you go about building this diverse, multi-stakeholder team? It couldn’t have been easy to sell organizations, especially ones that aren’t as used to working with the military or with Georgetown in getting involved with this very ambitious, very unique program.

CT: It was a little bit of everything. A lot of it came from my own personal network from being involved in the business of national security for so long. Certainly the folks at Stanford at Hacking for Defense Incorporated (H4DI) were very helpful in introducing us to different folks who wanted to be involved. I’ve gotta be honest with you: it’s not a difficult sell. This is the coolest class being taught. If you’re any type of international relations, national security, diplomacy, government, or business geek at all this is the coolest class being taught anywhere. So it’s not a hard sell. But we want to get the right people involved because there are investors in the classroom as well. At the end of the day, if there’s a “there” for the solution that the student teams have come up with, either the government will give them some money to continue their work or they’re going to start a company and they’re going to get venture money to get it going. There’s nothing else like this happening around the country right now.

MM: What is the next step for Hacking for Defense, the course you in particular are teaching, besides expanding it to the other schools in the National Capital Region? What do you see as the vision for where you want this very unique and clearly very successful business model to go?

CT: I’m involved on the education side, so I want to continue working with the Hacking for Defense and H4DI folks out in Palo Alto and also with MD5 to make sure we can leverage all of the talent in the National Capital Region. There’s 16 different universities in the National Capital Region consortium and we want to take advantage of all of that graduate school talent across all of the schools and programs against the hard problems our problem sponsors are giving us. What we’re coming to find is that now there’s international interest. Oxford University has interest in forming a partnership at Georgetown. I know that the NATO representative at the Pentagon for Strategic Transformation, General Imre Porkoláb, is all over trying to bring this to NATO. From an education perspective, Georgetown will play a role in the National Capital Region. From an enterprise-wide perspective, a company out in Palo Alto called BMNT has the lead on bringing the Hacking for Defense methodology into government offices, corporations, and friendly and allied militaries. So there’s a corporate and commercial side to this with BMNT and there’s an education side and that’s H4D.

MM: And for the people who are out there, whether they are currently in the Fleet or listening to our partners at the University of Kiel in Germany or down in Australia, what would you recommend for ways for those people to get involved or to learn about your organization?

CT: First, I’m glad you mentioned Australia. One of our mentors for Hacking for Defense at Georgetown is a gentleman by the name of Jamie Watson and he is an Australian military liaison for innovation and technology. He’s actually helped bring Hacking for Defense to the Australian military already. So if you’re out in Australia, we’re coming to a base near you. BMNT is bringing it out there. If you are a member of the military or intelligence community and you have a particularly difficult problem and you don’t have the capacity to solve it yourself, they should go to H4DI.org and register as a problem sponsor. Darren Halford who runs H4DI.org will help them curate the problems and then get it in to the hands of the right university who can help them solve the problem. We want as many problems as the national security ecosystem can give us and we want to put as many talented graduate students against them as we can. But it has to start with a problem. So for anyone who has a challenge they want looked at, they should go to H4DI.org and start the process.

MM: Obviously the program sponsors and liaisons are very helpful for building this Hacking for Defense system but there are other innovation initiatives happening within the defense community or outside of it. What other organizations have you been working with and what sort of support, whether it’s financial or advocacy or guidance, have you been getting from outside the Hacking for Defense Initiative?

CT: Everyone has been supportive. [Defense Innovation Unit: Experimental] DIUx has been fantastic to us. The Defense Innovation Board has been very involved; Josh Marcuse and Aaron Schumacher from the Defense Innovation Board have been exceptionally supportive of us. The Defense Entrepreneur’s Forum (DEFx), run by Jim Perkins and Ben Taylor, have been all over us. They serve as mentors for us, they get the word out to the innovation community. They very much welcome this new thing into their innovation meadow and we all try to help each other make progress together. I can’t say enough about the Defense Innovation Board, DIUx, the Defense Entrepreneurs Forum, and the Vice Chairman of the Joint Chiefs of Staff General Selva’s office has been exceptionally supportive. And of course our friends at MD5: Jay Harrison, Joe Schuman, and Libbie Prescott have been fantastic to us, as has everyone out at Stanford. It’s a rockstar crew and we couldn’t be happier to be working with all of them.

MM: As you approached these organizations for the first time, were they receptive right off the bat and wanting to work on partnerships and provide support or was it something that you need to sell?

CT: It was not a difficult sell but I’ll tell you what sold everybody is inviting everybody to our opening class at Georgetown. We had 20 students but 113 people in the classroom. And they were all curious about how this Hacking for Defense program was going to work. At the end of the class, everyone was on board. We have routinely 80 people in the classroom every week for 13 weeks working on helping us get better. The corporate partners are fantastic, too. They step up every time. Once the different islands of innovation, like DIUx and Defense Innovation Board, saw it? Sold. It was kind of like finding a kindred spirit in the national security innovation wilderness.

MM: It’s very interesting what you’re working on but we’ve started to reach the end of our interview. As is Sea Control tradition, from time to time, I want to know more about what you’re reading. What things have you been reading recently that will either help the audience learn the ideas behind Hacking for Defense or even unrelated topics?

CT: Since we’re still in the semester, I am focusing on the books that we are using for Hacking for Defense. One of them is called Value Proposition Design by Alex Osterwalder. Steve Blank’s book The Startup Owner’s Manual is one of our texts and it is fantastic. His other book, Four Steps to the Epiphany, is also great. As I mentioned before, it’s important for students to understand how to better have conversations and elicit information so Talking to Humans is a great book. Personally, I just finished Ed Catmell’s book Creativity, Inc which was just amazing to me. I thought it was one of the best books on not only business management but also on how to think through problems. For national security stuff, I’ve become addicted to the Cypher Brief. They do really smart stuff by really smart people. It’s different from what everyone else is doing. I read it every morning.

MM: Everything you’re working on is wonderful. It’s exciting to me personally. I may go down the hall tomorrow when everyone is back to work after Patriot’s Day and talk to the people at the Security Studies Program at Fletcher about maybe trying to start a course like this. Thank you very much for the work you’re doing on behalf of the nation and world security. Thanks for being on Sea Control today.

CT: It’s absolutely my pleasure. Thank you.

Chris Taylor, a global business leader and entrepreneur, is a two-time national security industry CEO. A veteran of 14 years in the Marine Corps, he has an MBA from the College of William & Mary and an MPA from the Harvard Kennedy School of Government. Chris serves as an adjunct associate professor of national security studies at Georgetown University’s School of Foreign Service Security Studies Program where he teaches “The Business of National Security” and “Hacking for Defense.”

Matthew Merighi is the Senior Producer for Sea Control. He is also Assistant Director of Maritime Studies at the Fletcher School at Tufts University and CEO of Blue Water Metrics.

The Threat, Defense, and Control of Cyber Warfare

NAFAC Week

By Lin Yang Kang

The Internet has grown phenomenally since the 1990s and currently has about 3.5 billion users who make up 47 percent of the world population.1 Out of the 201 countries surveyed, 38 percent have a penetration rate of at least 80 percent of its population.2 The ubiquity and reliance on cyberspace to improve the efficiency and capability of government, military, and civilian sectors lead to the Internet of Things (IOT) for day-to-day operations and in this pervasiveness of the use of Internet lies the potential for devastating cyber-attacks.

This paper seeks to discuss the crippling effects and dangers of cyber-attacks and outline the defensive responses against and control of cyber warfare.

The lethality, and hence appeal of cyber warfare, lies in its asymmetric3 and stealthy nature. Little resource, such as teams of experienced hackers, is required to render a disproportional amount of devastating damage to the core and day-to-day operations of both the government as well as the military. Unlike conventional warfare where a military build-up and transportation of resources are tell-tale signs of preparation, cyber-attacks can be conducted without warning. In this regard, it is akin to covert operations, such as the use of Special Forces or submarines, with added advantage of not exposing soldiers to the risk of harm. Coupled with the inherent difficulty in pinpointing attribution,4 subjects of a cyber-attack are left with the choice of either doing nothing except to try to recover or to retaliate against the suspected attacker without concrete proof and lose moral high ground, neither of which is optimal.

An example of a well-coordinated attack demonstrating the covert nature of cyber warfare occurred in 2007 when the Estonian government and government-related web-services were disabled.5 Though no physical damage was inflicted, it created widespread disruption for Estonian citizens. While Russia was the suspected perpetrator, it was never proven or acknowledged. In 2010, it was discovered that Iranian nuclear centrifuges that are responsible for enriching uranium gas had been infected and crippled by a malware, codenamed “Stuxnet.”This successful insertion of this malware effectively set the Iranian nuclear program back for a few years and demonstrated an effective and non-attributable way7 to pressurize if not exert will without the use of military might as it achieved what the United Nations Security Council (UNSC) had hitherto failed to do, i.e., curtail the development of nuclear weapons by Iran.

The above examples illustrate the potential damage of small-scale and limited cyber-attacks. Extrapolating from these examples, it is conceivable that the damage from a successful large-scale cyber-attack on a well-connected country that relies heavily on IOT can range from disruption of essential services, crippling confusion and even operational paralysis of both government and the military. For the government, a cyber-attack across every essential means and aspects of daily living including but not limited to destruction of financial data, records and transactions, forms of travel, communication means, and national power grid create chaos and confusion resulting in psychological shock that will in turn sap the will and resilience of the citizens. For the military, the irony is that the more modern and advanced a military is with its concomitant reliance on technology and network centric warfare, the more vulnerable it is to a potential cyber Pearl Harbor attack that will render its technological superiority over its adversary impotent. Given the symbiotic relation between the government and the military, a successful simultaneous cyber-attack on both government and the military can achieve Sun Tze’s axiom that the supreme art of war is to subdue the enemy without fighting.

Given its unique nature and unmatched demonstrated potential for lethality, it is understandable the attractiveness of cyber warfare as an instrument of choice for all players, both state and non-state actors and even individuals. As with all other forms of warfare, the need for defense against should be proportional to the threat. It is a game of cat and mouse,8 where hackers seek to find security vulnerabilities while defenders attempt to patch them up as soon as they are exploited and redirect the attackers to digital traps, preventing them from obtaining crucial information or cause damages. Specialized cyber warfare military branches have been formed in many countries, and extensive cyber defensive measures and contingency plans are being developed by government, military, and civil sectors of states. Through inter-cooperation, potential attacks could be resolved in the shortest time possible and minimize disruption, while preventing future attacks. As the world begins to witness the increasing use of cyber warfare as a weapon, cyber-attacks may not be as easy to conduct as before as states that understand the lethality of such attacks seek to safeguard their nation.9

Beyond defense at the national level, there is a lack of well-defined norms on the rules of cyber warfare as the international law community is still interpreting how current law of war can apply to cyber warfare. Recently, Tallinn Manual 2.0 was published by NATO’s Cooperative Cyber Defence Centre of Excellence (CCDOE) and is to date the most detailed study of how existing international laws can govern cyber operations.10 However, it currently serves as a reference and is non-binding. It is crucial for nations to iron out the rules for cyber warfare together and abide by it, ensuring that it will not affect the lives of civilians and minimize potential damages to non-military installations by cyber-attacks and cyber warfare.

Cyber warfare is a real and growing threat which has the potential to create disruption that the world has yet to witness. As nations become even more reliant on cyberspace as it ventures into automation and smart cities, they need to invest adequately in cyber defense and ensure that this new frontier is well-guarded. Apart from dealing with it domestically, on an international level, rules of cyber warfare need to be clarified and be abided by the international community to safeguard civilians. Cyber warfare may be threatening, but if the international community abides by clarified rules of cyber warfare and has sufficient cyber defensive measures established, the potential devastation caused by cyber-attacks could be minimized.

Yang Kang is a naval officer from the Republic of Singapore and a freshman at the Nanyang Technological University (NTU) in Singapore currently studying Electrical and Electronics Engineering. Before attending NTU, Yang Kang underwent midshipman training in Midshipman Wing, Officer Cadet School of the Singapore Armed Forces and was appointed Midshipman Engineering Commanding Officer during the Advanced Naval Term, his final phase of training.

Bibliography

Barker, Colin. “Hackers and defenders continue cybersecurity game of cat and mouse.” ZDNet. February 04, 2016. Accessed March 28, 2017. http://www.zdnet.com/article/hackers-and-defenders-continue-cyber-security-game-of-cat-and-mouse/.

Davis, Joshua. “Hackers Take Down the Most Wired Country in Europe.” Wired. August 21, 2007. Accessed March 21, 2017. https://www.wired.com/2007/08/ff-estonia/.

Geers, Kenneth. Strategic cyber security. Tallinn: NATO Cooperative Cyber Defence Centre of Excellence, 2011.

Zetter, Kim. “An Unprecedented Look at Stuxnet, the World’s First Digital Weapon.” Wired. November 03, 2014. Accessed March 21, 2017. https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/.

“Cyber Warfare Integral Part of Modern Politics, New Analysis Reaffirms.” NATO Cooperative Cyber Defence Centre of Excellence. December 01, 2015. Accessed March 15, 2017. https://ccdcoe.org/cyber-warfare-integral-part-modern-politics-new-analysis-reaffirms.html.

“Global Cybersecurity Index & Cyberwellness Profiles Report.” April 2015. Accessed March 23, 2017. https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-SECU-2015-PDF-E.pdf.

“NATO presents the Tallinn Manual 2.0 on International Law Applicable to cyberspace.” Security Affairs. February 05, 2017. Accessed March 25, 2017. http://securityaffairs.co/wordpress/56004/cyber-warfare-2/nato-tallinn-manual-2-0.html.

“Internet Users by Country (2016).” Internet Users by Country (2016) – Internet Live Stats. Accessed March 20, 2017. http://www.internetlivestats.com/internet-users-by-country/.

“Internet Users.” Number of Internet Users (2016) – Internet Live Stats. Accessed March 20, 2017. http://www.internetlivestats.com/internet-users/.

“The Asymmetric Nature of Cyber Warfare.” USNI News. February 05, 2013. Accessed March 20, 2017. https://news.usni.org/2012/10/14/asymmetric-nature-cyber-warfare.

“The Attribution Problem in Cyber Attacks.” InfoSec Resources. July 19, 2013. Accessed March 25, 2017. http://resources.infosecinstitute.com/attribution-problem-in-cyber-attacks/#gref.

1. “Internet Users.” Number of Internet Users (2016) – Internet Live Stats. Accessed March 20, 2017. http://www.internetlivestats.com/internet-users/.

2. “Internet Users by Country (2016).” Internet Users by Country (2016) – Internet Live Stats. Accessed March 20, 2017. http://www.internetlivestats.com/internet-users-by-country/.

3. “The Asymmetric Nature of Cyber Warfare.” USNI News. February 05, 2013. Accessed March 20, 2017. https://news.usni.org/2012/10/14/asymmetric-nature-cyber-warfare.

4. “The Attribution Problem in Cyber Attacks.” InfoSec Resources. July 19, 2013. Accessed March 25, 2017. http://resources.infosecinstitute.com/attribution-problem-in-cyber-attacks/#gref.

5. Davis, Joshua. “Hackers Take Down the Most Wired Country in Europe.” Wired. August 21, 2007. Accessed March 21, 2017. https://www.wired.com/2007/08/ff-estonia/.

6. Zetter, Kim. “An Unprecedented Look at Stuxnet, the World’s First Digital Weapon.” Wired. November 03, 2014. Accessed March 21, 2017. https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/.

7. The United States and Israel were allegedly responsible for this cyber attacked but as with the Estonian example, it was never proven or acknowledged.

8. Barker, Colin. “Hackers and defenders continue cybersecurity game of cat and mouse.” ZDNet. February 04, 2016. Accessed March 28, 2017. http://www.zdnet.com/article/hackers-and-defenders-continue-cyber-security-game-of-cat-and-mouse/.

9. “Global Cybersecurity Index & Cyberwellness Profiles Report.” April 2015. Accessed March 23, 2017. https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-SECU-2015-PDF-E.pdf.

10. “NATO presents the Tallinn Manual 2.0 on International Law Applicable to cyberspace.” Security Affairs. February 05, 2017. Accessed March 25, 2017. http://securityaffairs.co/wordpress/56004/cyber-warfare-2/nato-tallinn-manual-2-0.html.

Featured Image: U.S. sailors assigned to Navy Cyber Defense Operations Command man their stations at Joint Expeditionary Base Little Creek-Fort Story, Va., Aug. 4, 2010. NCDOC sailors monitor, analyze, detect and respond to unauthorized activity within U.S. Navy information systems and computer networks. (U.S. Navy photo by Petty Officer 2nd Class Joshua J. Wahl)  

The Fight to Know

By Jack Whitacre

The relationship between the sea and information is ancient. In 480 BC, the Greeks learned of a secret naval invasion planned by the Persians. According to Simon Singh in The Code Book, the message was delivered steganographically on a covered tablet giving sufficient time to prepare for a defense that ultimately led to victory.1 Through information theory, the quantitative theory of coding and transmission of signals and information, we discover that information is a physical property of our reality and a resource to be guarded. In the words of Charles Seife, “Information is every bit as palpable as the weight of bullet, every bit as tangible as the heft of an artillery shell—and every bit as vulnerable as a freighter full of ammunition.”2

Today’s maritime security hinges on information. As Admiral (ret.) James Stavridis  argues, nowhere is the gap between threat (high) and defensive capability (low) as large as on the cyber front. Derived from ‘cybernetics,’ “cyber” loosely refers to information loops and everything that is connected to a computer network. The shipping industry (which feeds, fuels, and clothes our country) is growing increasingly connected to the internet and therefore more vulnerable to cyber attacks. New cyber technologies are also being used in the maritime field to solve climate and natural resource puzzles — both keys to long term human survival. Through cyber education and training, citizens and leaders can gain an edge in the digital world and invest themselves in solving some of the most pressing maritime security problems.

Oceanic Applications

Our relationship to the ocean has been transformed by cyber. As John C. Perry outlines in “Beyond the Terracentric,” the ocean can be seen as an avenue, arena, and source.3 Before the standard shipping container system was invented, ships were unloaded with back-breaking efforts of manual laborers. Today, cranes take care of the work, moving containers from the ship to the shore (and vice versa). Sometimes loading and unloading is done with humans operating joysticks, while in other places computer programs sift through the manifests and unload using algorithms. Automatic ports may be targeted by external actors looking to manipulate freight shipments for their benefit.

In 2016, The Economist and The Journal of Commerce chronicled the sagas of the Port of Long Beach, California and the Port of Rotterdam, Netherlands and their transitions towards automation. When viewing an operation with computerized manifests, automatic cranes, and even driver-less trucks moving containers, it is imperative to remember that what is connected can be compromised at every level. Such an interconnected world increases the opportunities for external targeting while raising the stakes for maritime security for the United States. Estimates show that ninety percent of the world’s goods are imported by sea.4 As a single example, each year more than $180 billion of goods (or 6.8 million containers) pass through the Port of Long Beach.5 A brief interruption in shipping made by a foreign government, company, or private individuals would likely ripple through a nation with economic effects reverberating up and down the supply chain.

On the bright side, new computer technologies may allow us to more easily monitor changes in ocean health conditions. With improved information, states and actors can ensure better protection for the ocean and fish that are crucial to industry and food supplies, especially in disputed areas. States can track each other and keep accountability through satellites and technologies like AIS (automatic identification system). New cyber capabilities like The Internet of Things (IoT) may allow us to revolutionize ocean data analysis and create new levels of environmental responsibility. Social entrepreneurship ventures like Blue Water Metrics now aim to crowdsource data collection via the world’s oceangoing shipping fleets and upload all the ocean data to a cloud database. Educating state leaders offers the best chance of maximizing the positive externalities of technological change, both in protecting natural resources and shipping assets.

Preparing Cyber Leaders

Increasing information literacy will improve competitiveness in nearly every field. Studying information theory, encryption, and coding with the same vigor as foreign languages may transform an individual’s field and personal career trajectory. In the book Dark Territory, Fred Kaplan describes how Cyber Command personnel grew from 900 to 4,000 between 2009 to 2012, and is expected to climb to 14,000 by the end of 2020.6 Established academic institutions could recognize certificate programs from organizations like Codecademy via transcript notations, which may improve educational and employment prospects.

 (March 25, 2011) – Aerographer’s Mate 3rd Class Nick Pennell, a watch stander at the Naval Oceanography and Anti-Submarine Warfare Center, looks over a Japan Self-Defense Force Mobile Operations sheet at Commander Fleet Activities Yokosuka (CFAY). (U.S. Navy photo by Mass Communication Specialist 3rd Class Mikey Mulcare/Released)

Cyber education can be seen both as a patriotic duty and as an economic opportunity. As far back as 1991 the National Research Council observed that “the modern thief can steal more with a computer than with a gun.”7 By educating tomorrow’s cyber leaders, institutions, and community, organizations can empower people to defend themselves intelligently against thieves and reinvent themselves by beginning careers in the digital world.

The Polaris of Programming

Not all innovation needs to be forward looking. In the evolutionary dance between encryption and decryption, centuries passed before certain “unbreakable” codes were broken. The Fletcher School at Tufts University combines international studies and the analysis of world events with cyber studies in its course Foundations of International Cyber Security. Scholar practitioners, such as Michele Malvesti, offer unique perspectives on the past and the pipeline of the future, including the importance of supply stream, deterrence, and attribution. Graduate-level cyber curricula can unlock strategic chess moves for governmental, citizen-led, and private organizations alike. Incorporating history in computer science education, like Harvard’s course Great Ideas in Computer Science, can provide fertile intellectual context where principles can be appraised and applied in modern contexts. Scientists throughout history, like Abu Yusuf Yaqub, Blaise de Vigenere, and Charles Babbage make great role models along with programmers like Ada Lovelace and RDML (ret.) Grace Hopper.

Conclusion

When programming is seen as an essential language, computer history as a strategic advantage, and information as an environmental and security opportunity, our digital tribe will be better able to overcome uncertainty and adversaries.

An entrepreneur and former boat captain, Jack Whitacre studied international security and maritime affairs at The Fletcher School of Law and Diplomacy. Contact him at James.C.Whitacre@gmail.com.

References

1. Simon Singh, “The Code Book: How to Make it, Break it, Hack it, Crack it,” 2001, p.8

2. Charles Seife, “Decoding the Universe,” p. 8

3. John C. Perry, “Beyond the Terracentric: Maritime Ruminations,” 2013, p.143

4. Rose George, “Ninety Percent of Everything: Inside Shipping, the Invisible Industry That Puts Clothes on Your Back, Gas in Your Car, and Food on Your Plate,” 2013.

5. Port of Long Beach. “Facts at a Glance.” The Port of Long Beach: The Green Port. The Port of Long Beach. February 8th, 2017. http://www.polb.com/about/facts.asp

6. Fred Kaplan, “Dark Territory: The Secret History of Cyber War,” 2006, p. 4

7. Ibid.

Featured Image: The Port of Los Angeles in Feb. 2013. (Tim Rue — Bloomberg/Getty Images)

A Cyber Vulnerability Assessment of the U.S. Navy in the 21st Century

By Travis Howard and José de Arimatéia da Cruz

Introduction

The United States Navy is a vast, worldwide organization with unique missions and challenges, with information security (and information warfare at large) a key priority within the Chief of Naval Operations’ strategic design. With over 320,000 active duty personnel, 274 ships with over 20 percent of them deployed across the world at any one time, the Navy’s ability to securely communicate across the globe to its forces is crucial to its mission. In this age of rapid technological growth and the ever expanding internet of things, information security is a primary consideration in the minds of senior leadership of every global organization. The Navy is no different, and success or failure impacts far more than a stock price.

Indeed, an entire sub-community of professional officers and enlisted personnel are dedicated to this domain of information warfare. The great warrior-philosopher Sun Tzu said “one who knows the enemy and knows himself will not be endangered in a hundred engagements.” The Navy must understand the enemy, but also understand its own limitations and vulnerabilities, and develop suitable strategies to combat them. Thankfully, strategy and policy are core competencies of military leadership, and although information warfare may be replete with new technology, it conceptually remains warfare and thus can be understood, adapted, and exploited by the military mind.

This paper presents a high-level, unclassified overview of threats and vulnerabilities surrounding the U.S. Navy’s network systems and operations in cyberspace. Several threats are identified to include nation states, non-state actors, and insider threats. Additionally, vulnerabilities are presented such as outdated network infrastructure, unique networking challenges present aboard ships at sea, and inadequate operating practices. Technical security measures that the Navy uses to thwart these threats and mitigate these vulnerabilities are also presented. Current U.S. Navy information security policies are analyzed, and a potential security strategy is presented that better protects the fleet from the before-mentioned cyber threats, mitigates vulnerabilities, and aligns with current federal government mandates.

Navy Network Threats and Vulnerabilities

There are several cyber threats that the Navy continues to face when conducting information operations in cyberspace. Attacks against DoD networks are relentless, with 30 million known malicious intrusions occurring on DoD networks over a ten-month period in 2015. Of principal importance to the U.S. intelligence apparatus are nation states that conduct espionage against U.S. interests. In cyberspace, the Navy contests with rival nations such as Russia, China, Iran, and North Korea, and all are developing their own information warfare capabilities and information dominance strategies. These nations, still in various stages of competency in the information warfare domain, continue to show interest in exploiting the Navy’s networks to conduct espionage operations, either by stealing information and technical data on fleet operations or preventing the Navy from taking advantage of information capabilities.

Non-state actors also threaten naval networks. Organized activist groups known collectively as “hacktivists,” with no centralized command and control structure and dubious, fickle motivations, present a threat to naval cyberspace operations if their goals are properly aligned. In 2012, Navy officials discovered hacktivists from the group “Team Digi7al” had infiltrated the Navy’s Smart Web Move website, extracting personal data from almost 220,000 service members, and has been accused of more than two dozen additional attacks on government systems from 2012 to 2013. The hactivist group boasted of their exploits over social media, citing political reasons but also indicated they did it for recreation as well. Individual hackers, criminal organizations, and terrorist groups are also non-state threat actors, seeking to probe naval networks for vulnerabilities that can be exploited to their own ends. All of these threats, state or non-state actors, follow what the Department of Defense (DoD) calls the “cyber kill chain,” depicted in figure 1. Once objectives are defined, the attacker follows the general framework from discovery to probing, penetrating then escalating user privileges, expanding their attack, persisting through defenses, finally executing their exploit to achieve their objective.

Figure 1. Navy depiction of the “cyber kill chain

One of the Navy’s most closely-watched threat sources is the insider threat. Liang and Biros, researchers at Oklahoma State University, define this threat as “an insider’s action that puts an organization or its resources at risk.” This is a broad definition but adequately captures the scope, as an insider could be either malicious (unlikely but possible, with recent examples) or unintentional (more likely and often overlooked).

The previously-mentioned Team Digi7al hactivist group’s leader was discovered to be a U.S. Navy enlisted Sailor, Petty Officer Nicholas Knight, a system administrator within the reactor department aboard USS HARRY S TRUMAN (CVN 75). Knight used his inside knowledge of Navy and government systems to his group’s benefit, and was apprehended in 2013 by the Navy Criminal Investigative Service and later sentenced to 24 months in prison and a dishonorable discharge from Naval service.

Presidential Executive Order 13587, signed in 2011 to improve federal classified network security, further defines an insider threat as “a person with authorized access who uses that access to harm national security.”  Malevolence aside, the insider threat is particularly perilous because these actors, by virtue of their position within the organization, have already bypassed many of the technical controls and cyber defenses that are designed to defeat external threats. These insiders can cause irreparable harm to national security and the Navy’s interests in cyberspace. This has been demonstrated by the Walker-Whitworth espionage case in the 1980s, Private Manning in the latter 2000s, or the very recent Edward Snowden/NSA disclosure incidents.

The Navy’s vulnerabilities, both inherent to its nature and as a result of its technological advances, are likewise troubling. In his 2016 strategic design, Chief of Naval Operations Admiral John M. Richardson stated that “the forces at play in the maritime system, the force of the information system, and the force of technology entering the environment – and the interplay between them have profound implications for the United States Navy.” Without going into classified details or technical errata, the Navy’s efforts to secure its networks are continuously hampered by a number of factors which allow these threats a broad attack surface from which to choose.

As the previous Chief of Naval Operations (CNO), Admiral Jon Greenert describes in 2012, Navy platforms depend on networked systems for command and control: “Practically all major systems on ships, aircraft, submarines, and unmanned vehicles are ‘networked’ to some degree.” The continual reliance on position, navigation, and timing (PNT) systems, such as the spoofing and jamming-vulnerable Global Positioning System (GPS) satellite constellation for navigation and precision weapons, is likewise a technical vulnerability. An internet search on this subject reveals multiple scholarly and journalist works on these vulnerabilities, and more than a few describe how to exploit them for very little financial investment, making them potentially cheap attack vectors.

Even the Navy’s vast size and scope of its networks present a vulnerability to its interests in cyberspace. As of 2006, the Navy and Marine Corps Intranet (NMCI), a Government Owned-Contractor Operated (GOCO) network that connects Navy and Marine Corps CONUS shore commands under a centralized architecture, is “the world’s largest, most secure private network serving more than 500,000 sailors and marines globally.” That number has likely grown in the 10 years since that statistic was published, and even though the name has been changed to the Navy’s Next Generation Network (NGEN), it is still the same large beast it was before, and remains one of the single largest network architectures operating worldwide. Such a network provides an enticing target.

Technical Security Measures and Controls

The Navy employs the full litany of technical cybersecurity controls across the naval network enterprise, afloat and ashore. Technical controls include host level protection through the use of McAfee’s Host Based Security System (HBSS), designed specifically for the Navy to provide technical controls at the host (workstation and server) level. Network controls include network firewalls, intrusion detection and prevention systems (IDS/IPS), security information and event management, continuous monitoring, boundary protection, and defense-in-depth functional implementation architecture. Anti-virus protection is enabled on all host systems through McAfee Anti-Virus, built into HBSS, and Symantec Anti-Virus for servers. Additionally, the Navy employs a robust vulnerability scanning and remediation program, requiring all Navy units to conduct a “scan-patch-scan” rhythm on a monthly basis, although many units conduct these scans weekly.

The Navy’s engineering organization for developing and implementing cybersecurity technical controls to combat the cyber kill chain in figure 1 is the Space and Naval Warfare Systems Command (SPAWAR), currently led by Rear Admiral David Lewis, and earlier this year SPAWAR released eight technical standards that define how the Navy will implement technical solutions such as firewalls, demilitarized zones (DMZs), and vulnerability scanners. RADM Lewis noted that 38 standards will eventually be developed by 2018, containing almost 1,000 different technical controls that must be implemented across the enterprise.

Of significance in this new technical control scheme is that no single control has priority over the others. All defensive measures work in tandem to defeat the adversary’s cyber kill chain, preventing them from moving “to the right” without the Navy’s ability to detect, localize, contain, and counter-attack. RADM Lewis notes that “the key is defining interfaces between systems and collections of systems called enclaves,” while also using “open architecture” systems moving forward to ensure all components speak the same language and can communicate throughout the enterprise.

The importance of open systems architecture (OSA) as a way to build a defendable network the size of the Navy’s cannot be understated. The DoD and the Navy, in particular, have mandated use of open systems specifications since 1994; systems that “employ modular design, use widely supported and consensus-based standards for their key interfaces, and have been subjected to successful validation and verification tests to ensure the openness of their key interfaces.” By using OSA as a means to build networked systems, the Navy can layer defensive capabilities on top of them and integrate existing cybersecurity controls more seamlessly. Proprietary systems, by comparison, lack such flexibility thereby making integration into existing architecture more difficult.

Technical controls for combating the insider threat become more difficult, often revolving around identity management software and access control measures. Liang and Biros note two organizational factors to influencing insider threats: security policy and organizational culture. Employment of the policy must be clearly and easily understood by the workforce, and the policy must be enforced (more importantly, the workforce must fully understand through example that the policies are enforced). Organizational culture centers around the acceptance of the policy throughout the workforce, management’s support of the policy, and security awareness by all personnel. Liang and Biros also note that access control and monitoring are two must-have technical security controls, and as previously discussed, the Navy clearly has both yet the insider threat remains a primary concern. Clearly, more must be done at the organizational level to combat this threat, rather than just technical implementation of access controls and activity monitoring systems.

Information Security Policy Needed to Address Threats and Vulnerabilities

The U.S. Navy has had an information security policy in place for many years, and the latest revision is outlined in Secretary of the Navy Instruction (SECNAVINST) 5510.36, signed June 2006. This instruction is severely out of date and does not keep pace with current technology or best practices; Apple released the first iPhone in 2007, kicking off the smart phone phenomenon that would reach the hands of 68% of all U.S. adults as of 2015, with 45% also owning tablets. Moreover, the policy has a number of inconsistencies and fallacies that can be avoided, such as a requirement that each individual Navy unit establish its own information security policy, which creates unnecessary administrative burden on commands that may not have the time nor expertise to do so. Additionally, the policy includes a number of outdated security controls under older programs such as the DoD Information Assurance Certification and Accreditation Process (DIACAP), which has since transitioned to the National Institute for Standards and Technology (NIST) Risk Management Framework (RMF).

Beginning in 2012, the DoD began transitioning away from DIACAP towards the NIST RMF, making full use of NIST Special Publications (SPs) for policy development and implementation of security controls. The NIST RMF as it applies to DoD, and thus the Navy, is illustrated in figure 2. The process involves using NIST standards (identified in various SPs) to first categorize systems, select appropriate security controls, implement the controls, assess their effectiveness, authorize systems to operate, then monitor their use for process improvement.

Figure 2. NIST Risk Management Framework

This policy is appropriate for military systems, and the Navy in particular, as it allows for a number of advantages for policymakers, warfighters, system owners, and developers alike. It standardizes cybersecurity language and controls across the federal government for DoD and Navy policymakers, and increases rapid implementation of security solutions to accommodate the fluidity of warfighting needs. Additionally, it drives more consistent standards and optimized workflow for risk management which benefits system developers and those responsible for implementation, such as SPAWAR.

Efforts are already underway to implement these policy measures in the Navy, spearheaded by SPAWAR as the Navy’s information technology engineering authority. The Navy also launched a new policy initiative to ensure its afloat units are being fitted with appropriate security controls, known as “CYBERSAFE.” This program will ensure the implementation of NIST security controls will be safe for use aboard ships, and will overall “focus on ship safety, ship combat systems, networked combat and logistics systems” similar to the Navy’s acclaimed SUBSAFE program for submarine systems but with some notable IT-specific differences. CYBERSAFE will categorize systems into three levels of protection, each requiring a different level of cybersecurity controls commensurate with how critical the system is to the Navy’s combat or maritime safety systems, with Grade A (mission critical) requiring the most tightly-controlled component acquisition plan and continuous evaluation throughout the systems’ service life.

Implementation of the NIST RMF and associated security policies is the right choice for the Navy, but it must accelerate its implementation to combat the ever-evolving threat. While the process is already well underway, at great cost and effort to system commands like SPAWAR, these controls cannot be delayed. Implementing the RMF across the Navy enterprise will reduce risk, increase security controls, and put its implementation in the right technical hands rather than a haphazard implementation of an outdated security policy that has, thus far, proven inadequate to meet the threats and reduce vulnerabilities inherent with operating such a large networked enterprise. With the adoption of these new NIST policies also comes a new strategy for combating foes in cyberspace, and the Navy has answered that in a few key strategy publications outlined in the next section.

Potential Security Strategy for Combating Threats and Minimizing Vulnerabilities

It is important to note that the Navy, like the other armed services of the DoD, was “originally founded to project U.S. interests into non-governed common spaces, and both have established organizations to deal with cybersecurity.” The Navy’s cyber policy and strategy arm is U.S. Fleet Cyber Command (FLTCYBERCOM, or FCC), co-located with the DoD’s unified cyber commander, U.S. Cyber Command (USCYBERCOM, or USCC). Additionally, its operational cyber arm, responsible for offensive and defensive operations in cyberspace, is U.S. 10th Fleet (C10F), which is also co-located with U.S. Fleet Cyber and shares the same commander, currently Vice Admiral Michael Gilday.

Prior to VADM Gilday’s assumption of command as FCC/C10F, a strategy document was published by the Chief of Naval Operations in 2013 known as Navy Cyber Power 2020, which outlines the Navy’s new strategy for cyberspace operations and combating the threats and vulnerabilities it faces in the information age. The strategic overview is illustrated in figure 3, and attempts to align Navy systems and cybersecurity efforts with four main focus areas: integrated operations, optimized cyber workforce, technology innovation, and acquisition reform. In short, the Navy intends to integrate its offensive and defensive operations with other agencies and federal departments to create a unity of effort (evident by its location at Ft. Meade, MD, along with the National Security Agency and USCC), better recruit and train its cyber workforce, rapidly provide new technological solutions to the fleet, and reform the acquisition process to be more streamlined for information technology and allow faster development of security systems.

Figure 3. Threats and Motivations, Strategic Focus of Navy Cybersecurity 

Alexander Vacca, in his recent published research into military culture as it applies to cybersecurity, noted that the Navy is heavily influenced by sea combat strategies theorized by Alfred Thayer Mahan, one of the great naval strategists of the 19th century. Indeed, the Navy continually turns to Mahan throughout an officer’s career from the junior midshipman at the Naval Academy to the senior officer at the Naval War College. Vacca noted that the Navy prefers Mahan’s “decisive battle” strategic approach, preferring to project power and dominance rather than pursue a passive, defensive strategy. This potentially indicates the Navy’s preference to adopt a strategy “designed to defeat enemy cyber operations” and that “the U.S. Navy will pay more attention to the defeat of specified threats” in cyberspace rather than embracing cyber deterrence wholesale. Former Secretary of the Navy Ray Mabus described the offensive preference for the Navy’s cyberspace operations in early 2015, stating that the Navy was increasing its cyber effects elements in war games and exercises, and developing alternative methods of operating during denial-of-service situations. It is clear, then, that the Navy’s strategy for dealing with its own vulnerabilities is to train to operate without its advanced networked capabilities, should the enemy deny its use. Continuity of operations (COOP) is a major component in any cybersecurity strategy, but for a military operation, COOP becomes essential to remaining flexible in the chaos of warfare.

A recent  article describing a recent training conference between top industry cybersecurity experts and DoD officials was critical of the military’s cybersecurity training programs. Chief amongst these criticisms was that the DoD’s training plan and existing policies are too rigid and inflexible to operate in cyberspace, stating that “cyber is all about breaking the rules… if you try to break cyber defense into a series of check-box requirements, you will fail.” The strategic challenge moving forward for the Navy and the DoD as a whole is how to make military cybersecurity policy (historically inflexible and absolute) and training methods more like special forces units: highly trained, specialized, lethal, shadowy, and with greater autonomy within their specialization.

Current training methods within the U.S. Cyber Command’s “Cyber Mission Force” are evolving rapidly, with construction of high-tech cyber warfare training facilities already underway. While not yet nearly as rigorous as special forces-like training (and certainly not focused on the physical fitness aspect of it), the training strategy is clearly moving in a direction that will develop a highly-specialized joint information warfare workforce. Naegele’s article concludes with a resounding thought: “The heart of cyber warfare…is offensive operations. These are essential military skills…which need to be developed and nurtured in order to ensure a sound cyber defense.

Conclusions

This paper outlined several threats against the U.S. Navy’s networked enterprise, to include nation state cyber-rivals like China, Russia, Iran, and North Korea, and non-state actors such as hactivists, individual hackers, terrorists, and criminal organizations. The insider threat is of particular concern due to this threat’s ability to circumvent established security measures, and requires organizational and cultural influences to counter it, as well as technical access controls and monitoring. Additionally, the Navy has inherent vulnerabilities in the PNT technology used in navigation and weapon systems throughout the fleet, as well as the vast scope of the ashore network known as NMCI, or NGEN.

The Navy implements a litany of cybersecurity technical controls to counter these threats, including firewalls, DMZs, and vulnerability scanning. One of the Navy’s primary anti-access and detection controls is host-based security through McAfee’s HBSS suite, anti-virus scanning, and use of open systems architecture to create additions to its network infrastructure. The Navy, and DoD as a whole, is adopting the NIST Risk Management Framework as its information security policy model, implementing almost 1000 controls adopted from NIST Special Publication 800-53, and employing the RMF process across the entire enterprise. The Navy’s four-pronged strategy for combating threats in cyberspace and reducing its vulnerability footprint involves partnering with other agencies and organizations, revamping its training programs, bringing new technological solutions to the fleet, and reforming its acquisition process. However, great challenges remain in evolving its training regimen and military culture to enable an agile and cyber-lethal warfighter to meet the growing threats.

In the end, the Navy and the entire U.S. military apparatus is designed for warfare and offensive operations. In this way, the military has a tactical advantage over many of its adversaries, as the U.S. military is the best trained and resourced force the world has ever known. General Carl von Clausewitz, in his great anthology on warfare, stated as much in chapter 3 of book 5 of On War (1984), describing relative strength through admission that “the principle of bringing the maximum possible strength to the decisive engagement must therefore rank higher than it did in the past.” The Navy must continue to exploit this strength, using its resources smartly by enacting smart risk management policies, a flexible strategy for combating cyber threats while reducing vulnerabilities, and training its workforce to be the best in the world.

Lieutenant Howard is an information warfare officer/information professional assigned to the staff of the Chief of Naval Operations in Washington D.C. He was previously the Director of Information Systems and Chief Information Security Officer on a WASP-class amphibious assault ship in San Diego.

Dr. da Cruz is a Professor of International Relations and Comparative Politics at Armstrong State University, Savannah, Georgia and Adjunct Research Professor at the U.S. Army War College, Carlisle, Pennsylvania.

The views expressed here are solely those of the authors and do not necessarily reflect those of the Department of the Navy, Department of the Army, Department of Defense or the United States Government.

Featured Image: At sea aboard USS San Jacinto (CG 56) Mar. 5, 2003 — Fire Controlman Joshua L. Tillman along with three other Fire Controlmen, man the shipÕs launch control watch station in the Combat Information Center (CIC) aboard the guided missile cruiser during a Tomahawk Land Attack Missile (TLAM) training exercise. (RELEASED)