Tag Archives: featured

Onslaught: The War With China – The Opening Battle

Poyer, David. Onslaught: The War With China – The Opening Battle. New York City, St. Martin’s Press, 2016, 320 pp. $20.99
By Michael DeBoer

When I was in high school I was walking through a Borders (I know this dates me) when a book caught my eye. Its cover featured a small ship, photographed from directly above, in a sea of red. The book was China Sea, and when I read it, I made a lifelong friend. I’ve followed David Poyer’s character, CAPT Daniel Lenson, from his junior officer tour to the present series of novels of his major command, starting with The Cruiser published in 2014. Lenson’s integrity and competence was a part of my inspiration to accept an appointment to the Naval Academy when I was an enlisted Sonarman, and his stories provided me some measure of context when I was there and later, as I read the books through my career. In short, I’ve loved following Dan Lenson’s career and I’ll miss him when he is gone.

Poyer’s stories feature a mix of the high drama and the cold technical nature of combat at sea. In that aspect the author’s latest story, Onslaught, is an excellent contribution to the series, I would argue one of the most notable collections of sea literature of the modern era. Fans of the series will find old friends inside, while new readers will discover a set of strong, relatable characters: Teddy Oberg, Poyer’s Navy SEAL, Aisha Ar-Rahim, NCIS Special Agent, ADM Jung, South Korean Navy commander, Cheryl Staurlakis, indefatigable XO, Matt Mills, ultra-competent Ops Officer, and Amy Singhe, impertinent upstart JO, are all back. Poyer’s characters are believable and rich, with complex motivations and deep emotions. Moreover, all are strongly affected by events around them. In Poyer’s typical fashion, the work features four concurrent stories: Lenson’s command of USS Savo Island on an ASW barrier in the Miyako Gap, Special Agent Aisha Ar-Rahim’s investigation of a violent rapist onboard Savo, SOCM Teddy Oberg’s assault on Woody Island, and Lenson’s wife Blair’s participation in strategic planning for the coming war with China at SAIC. These four stories are interspersed with the searing exhaustion that only members of the sea services can recognize as an authentic portion of Navy life.

Poyer’s Onslaught describes where many think the series was always headed: an all-out war with the People’s Republic of China. However, despite my expectations that the book would take off into ultra-intense combat immediately, the novel instead features the slow burn of increasing tensions and asymmetric tactics. Lenson’s Savo Island heads a surface action group on ASW station in the East China Sea attempting to hold against attempts by PRC submarines to gain the Philippine Sea while providing missile defense to Taipei. Lenson’s Savo, a notional Ballistic Missile Defense (BMD) configured cruiser, allows the author to write rich and genuine series of combat. Only Poyer’s shootout in the Strait of Hormuz during Tipping Point exceeds the vignettes in this book. Moreover, the author’s depiction of BMD operations makes a complex and often arcane art easily accessible and exciting.

Poyer’s story features many operational considerations familiar to CIMSEC readers. The ballistic missile barrage across the Taiwan Strait, PRC aggression in the South and East China Seas, Anti-ship Ballistic Missiles, and a U.S. Navy struggling to maintain access to the East Asian littoral remain the major security issues of our time. Moreover, lack of ASCM inventory, of launcher capacity, and the vulnerability of multi-mission ships when operating in a BMD role are tactical issues well known to U.S. naval planners.

Onslaught, like Poyer’s previous book Tipping Point, has an air of the coming of a cataclysm. Images of the Guns of August abound, as do instances reminiscent of the Solomon Islands and Sunda Strait. Poyer clearly fits the difficult portions of America’s last naval war in Asia, entirely forgotten by the American public and largely ignored by the strategic community, into his narrative. The result is a sense of high tension and intense foreboding.

If I could provide a slight criticism, Special Agent Ar-Rahim is at times irritating. She remains the worst developed Poyer character and contributed little to the story. Aisha can, at times, who at times comes off as more of a caricature than an actual person, though Poyer’s effort to convey diverse viewpoints is indeed commendable and usually very effective.

Poyer’s work should be strongly recommended by CIMSEC readers, especially to friends who may not understand both the complexity, tension, feeling, and exhaustion of combat at sea. In an era where many question the value of allies, the importance of forward naval forces, and likelihood of great power war, Onslaught provides a stunning and believable narrative of the importance of all three. The pace is fast, the combat visceral, and the emotions intense. Poyer remains one of our modern masters of nautical fiction and the emotions of war at sea. Tipping Point and Onslaught are strongly recommended to anyone who is interested in potential conflict with a hegemonic China, loves a good story, or lives their professional life at sea.

Read CIMSEC’s interview with author David Poyer here.

Michael DeBoer is part of the CIMSEC book review team.

Featured Image: Illustration by Sarah Eberspacher. (Getty Images)

Challenges to Access: Past, Present, and Future

By Bob Poling

Anyone who has followed the development of the Air-Sea Battle Concept (ASBC) turned Joint Access for Maneuver in the Global Commons (JAMGC) and the closely associated term, A2/AD, knows this amalgamation of terminologies, ideas, and concepts has generated a significant amount of confusion and discontent across the defense establishment. On October 3, while participating in a Maritime Security Dialogue at the Center for Strategic and International Studies, Chief of Naval Operations, Admiral John Richardson continued this trend when he voiced his displeasure with the term A2/AD. “To some, A2/AD is a code-word, suggesting an impenetrable ‘keep-out zone’ that forces can enter only at extreme peril to themselves. To others, A2/AD refers to a family of technologies. To still others, a strategy.  In sum, A2/AD is a term bandied about freely, with no precise definition, that sends a variety of vague or conflicting signals, depending on the context in which it is either transmitted or received.”1 Admiral Richardson went on to say, “To ensure clarity in our thinking and precision in our communications, the Navy will avoid using the term A2/AD as a stand-alone acronym that can mean many things to different people or almost anything to anyone.”2 The author personally doesn’t agree with the decision to eliminate A2/AD from the Navy’s lexicon, and stated opposition in a CIMSEC debate post in November.

However, what was striking about CNO’s address were the four reasons he offered for banning A2/AD, three of those are particularly germane and will set the initial course for this column. In his remarks, Admiral Richardson stated the following:

“First, ‘A2AD’ is not a new phenomenon. The history of military contests is all about adversaries seeking to one-up each other by identifying their foes at longer ranges and attacking them with ever more destructive weapons. As technologies change, tactics change to react to and leverage them. It is only relatively recently in our conversation about warfighting that we have discussed these trends as something new.  But history has much to teach us about maintaining perspective on these developments and on charting the path forward to address them. Think Nelson at the Nile and at Copenhagen, Farragut at Mobile Bay, Nimitz, and Lockwood in the Pacific…this is nothing new. Indeed, controlling the seas and projecting power – even in contested areas – is why our nation invests in and relies upon a naval force in the first place.”

The second reason is that the term ‘denial,’ as in ‘anti-access/area denial’ is too often taken as a fait accompli, when it is, more accurately, an aspiration. Often, I get into A2AD discussions accompanied by maps with red arcs extending off the coastlines of countries like China or Iran. The images imply that any military force that enters the red area faces certain defeat – it’s a ‘no-go’ zone! But the reality is much more complex. Achieving a successful engagement requires completion of a complex chain of events, each link of which is vulnerable and can be interrupted. Those arcs represent danger, to be sure, and the Navy is going to be very thoughtful and well prepared as we address them, but the threats are not insurmountable.

Third and related, A2/AD is inherently oriented to the defense. It can contribute to a mindset that starts with how to operate from beyond the red arcs – an ‘outside-in’ approach. The reality is that we can fight from within these defended areas and if needed, we will. Inside-out, as well as outside-in, from above and from below – we will fight from every direction. The examples above show that this has been done before.”3

Admiral Richardson’s remarks are poignant and zero in on the complexities associated with this topic and are worthy of further analysis. 

First, CNO recognizes that history has much to teach the Navy about the A2/AD conundrum. However, Admiral Richardson assumes that those studying contemporary A2/AD issues are well-grounded in history. Nelson, Farragut, Nimitz and Lockwood all had to contend with A2/AD problems, but these references are perhaps not the best ones. The study of history doesn’t always yield viable solutions to contemporary problems, especially when the wrong examples are pulled from history. Moreover, it seems likely that only consummate navalists would truly appreciate CNO’s references to Nelson, Farragut, and Admiral Lockwood. There are better examples in history that are relevant to the study of A2/AD and this column will bring those to light. 

The sophistication and capabilities of A2/AD networks, at times, appear to intimidate those studying this topic, hence the fait accompli CNO mentioned. There is some legitimacy to this fait accompli mentality as the U.S. Navy hasn’t faced anything that looks likes these A2/AD networks since World War II. For instance, the Solomon Islands Campaign is a perfect example of the complexities CNO refers to in his second and third points. The Imperial Japanese Navy (IJN) employed a wide array of capabilities against the U.S. Navy, and at times, were very effective at restricting or reducing the Navy’s freedom of maneuver and access. In fact, within the first 24 hours of landing on Guadalcanal, the Navy faced IJN fighter aircraft, bombers, and ships, all of which were superior in some way to the aircraft and ships the USN brought to the fight. The U.S. Navy suffered one of its worst defeats at sea, where four cruisers were lost, one Australian and three U.S., in the early morning hours following the landing.  In the end, the U.S. Navy would take Guadalcanal after six months of heavy fighting and use the island as a base of operations for counterattacks on the IJN. Well within the range of the IJN’s ships and aircraft, the counterattacks staged from Guadalcanal offer several examples of how to conduct a successful campaign from within the defensive arcs of an adversary.

In the articles that follow in this column, these complexities will be explored as well the means developed to counter them. For the most part, the column will focus on historical cases that are relevant to the points raised by CNO. The column will also examine emerging issues and occasionally look towards the future. While there is no clear-cut solution to countering the proliferation of A2/AD capabilities, there is no shortage of historical examples that will be examined which are connected to this topic.

Bob Poling is a retired Surface Warfare Officer who spent 24 years on active duty including tours in cruisers, destroyers, and as commanding officer of Maritime Expeditionary Security Squadron TWO and Mission Commander of Southern Partnership Station 2013. From May 2011 to May 2015 Bob served on the faculty of the Air War College teaching in the Departments of Strategy and Warfighting. He was the Naval History and Heritage Command 2014-2015 Samuel Eliot Morison scholar and is pursuing his Ph.D. with the Department of Defence Studies, King’s College London where he is researching Air-Sea Battle concepts used to combat A2/AD challenges encountered during the Solomon Islands Campaign.

1. John Richardson, “Chief of Naval Operations Adm. John Richardson: Deconstructing A2AD,” Text, The National Interest, accessed December 23, 2016, http://nationalinterest.org/feature/chief-naval-operations-adm-john-richardson-deconstructing-17918.

2. Ibid.

3. Richardson, Deconstructing A2/AD.

Featured Image: MEDITERRANEAN SEA (June 28, 2016) – An E2-C Hawkeye assigned to the Screwtops of Airborne Early Warning Squadron (VAW) 123 undergoes pre-flight checks on the flight deck of the aircraft carrier USS Dwight D. Eisenhower (CVN 69) (Ike). (U.S. Navy photo by Mass Communication Specialist 3rd Class Bobby Baldock/Released)

Sea Control 127 – Dr. Tom Fedyszyn on Russian Navy Ops, Acquisition, and Doctrine

By Ashley O’Keefe

If you’ve turned on the news recently, you probably noticed that Russia has been dominating it. From their intervention in Syria, to the increasing range and scope of their naval deployments, and the release last year of their new Maritime Strategy, Russia – and the Russian Navy – have turned our focus back to our Cold War foe. In this episode of Sea Control, we explore the Russian Navy’s modernization plans and recent newsworthy stories with U.S. Naval War College Professor (and retired Navy Captain) Tom Fedyszyn.

Read on below or listen to the audio below. This interview has been edited for clarity and length.

AO: Hello, and welcome to the Center for International Maritime Security’s Sea Control podcast. I’m Ashley O’Keefe, the CIMSEC Secretary, and I’m here today with Dr. Tom Fedyszyn, of the U.S. Naval War College. He’s been a member of the faculty here since 2000, and he serves as the senior advisor to the College’s Russian Maritime Studies Institute. He received a PhD from the Johns Hopkins University in Political Science while he was on active duty. His 31-year naval career included military assignments as the U.S. Naval Attaché to Russia, and two tours at NATO headquarters in Brussels. He commanded the USS Normandy and the USS William V. Pratt, and deployed to the Mediterranean, Baltic, and Norwegian Seas. He was a principal contributor to both the Lehman-era 1980s maritime strategy, and NATO’s strategic concept following the Cold War. He’s a nationally recognized expert and publishes regularly on maritime strategy, NATO strategy, and the Russian Navy, which is our topic today.

Let’s start off with a very basic question: why is it that we should still be interested in the Russian Navy? I thought that we were interested in China’s rise these days.

TF: Most people in the U.S. Navy seem to care more about China’s navy than the Russian navy. I can attest to that because I’ve been a Russian navy guy for a long time, and I was the rough equivalent of the Maytag repair man for about twenty years. My phone never rang! I’m sure my China counterpart’s phone was ringing regularly.

But the world has changed. Let’s quickly take it to a couple of years ago, when you’re looking around the world, and see Russia, which for about 20 years had been that big former enemy who looked like it was going to be the next big cooperator – a nation aligned with and becoming more and more like the West. And then we were shocked in 2014 when all of a sudden Russia annexes the Crimea, starts a hybrid war in eastern Ukraine, and gets everyone’s attention. And so that same country that was cooperating with everyone back in 1998, even 2005, is now listed in NATO documents, for example, as some combination of adversary and aggressor. So, all of those military forces that they had that looked like they were going to do nothing but exercises with us now are potentially aggressive forces that we, especially those in the intel world, need to look at a lot harder.

AO: So where does the Russian Navy operate today? Are they in the same places that they used to be? Are they really a meaningful threat?

TF: Those old enough in the audience remember the old Soviet Navy. For 15-20 years, they were effectively our equivalent, less carrier battle groups. In other words, they outnumbered us in terms of submarines, they were equivalent to us in major surface combatants, and every theater we operated in, they did too. Then they had a 20-year period where they went to sleep, were in a coma. So that’s why we didn’t hear about the Russian Navy for a long time. I’ll make the case that starting around 2008, the Russian Navy began to get money, they began to get smart, they began to get joint, and they began to operate again. So today, pretty much anywhere, you can find ships of the Russian Navy. In some parts of the world, you can see a militarily significant force, and others just in ones and twos. But noting that 15 years ago they were nowhere, there were none in the Atlantic, there were none in the Mediterranean…whereas today they’re almost everywhere. However, they’re not necessarily a military force to be reckoned with at the high level.

AO: Admiral Sir Philip Jones (the British First Sea Lord) said a few days ago that they were seeing the highest level of Russian submarine activity in 25 years. That’s a sentiment we’ve heard not just from the Brits, but also from the NATO commander last year. If that’s true, what is so significant about that fact?

TF: Going back to that turnaround, it was sometime around the year 2000. Speaking only from unclassified sources, from what’s been in the open press, I’ll summarize for you. Between 2001-2003, our best guess is that there were virtually no Russian submarines in the Atlantic. Realizing, of course, that was going to be where a good portion of WWIII was to have been fought, for them to have no submarines in the Atlantic is a very low standard against which to compare the First Sea Lord’s number. But what we’ve been seeing is almost every year since 2008, there’s been an increase in submarine activity of between 5-15 percent. So right now, we’re getting roughly 1,500 at-sea days for Russian submarines all around the world, but an increasingly higher percentage in the Atlantic. So, again, we did start from around zero, but we’re looking at meaningful numbers again. Certainly not the level that we saw during the Cold War, but the trend is very clearly upward.

AO: Specifically when we hear about submarines, we often hear about the “GIUK gap.” For a generation that didn’t grow up during the Cold War, we don’t know what that means. Can you tell me its significance, and do we care about it today?

TF: We lived and died by the GIUK gap back during the Lehman days. This is the “Greenland-Iceland-UK gap.” Just look at a map of the North Atlantic and you can see that it’s the rough equivalent of a choke point for any Russian submarine to get out into the Atlantic – it’s got to run that gauntlet. We did set up a veritable gauntlet there. We had all kinds of sonar and SOSUS activities, we had our own submarines up there, and we had probably the biggest maritime patrol aircraft base in the world up in Iceland, with P-3s flying everywhere. The likelihood that some of our forces would find you, if you were a Russian submarine running that gauntlet, was very, very good. This is essentially what we’re up against now. We had about 20 years of nobody trying to run that gap, and now they’re running that gap again and we’re seeing – or hearing them – again.

A map depicting the GIUK Gap (Heritage Foundation)

AO: Another thing that we didn’t used to hear about was Russian aircraft carriers. We thought the Admiral Kuznetsov was going into an extended maintenance period, and instead, she shows up off the coast of Syria. How did she perform, and what did we learn from that deployment?

TF: First, let me make a little editorial about Russian aircraft carriers. Russians have been talking about building aircraft carriers for a long, long time. It has effectively been talk. What we’ve seen, loosely, is that the Russians’ ability to build very large ships is not very good. With the possible exception of submarines, their performance in building large things that float has been at the “D”/ “D-” level. And of course aircraft carriers are part of that category.

So, when you get what we might call a “sea control” admiral in charge of the Russian Navy, invariably, he will talk about building aircraft carriers. I don’t think there’s been a time when there wasn’t someone in the Russian Navy talking about building aircraft carriers. But what they deliver – well, for their operations right now, they delivered one ski-jump carrier with a very limited air wing.

Do understand that it’s a very high-prestige ship in their navy. It’s unique, and it does give a special capability to their navy that no other ship brings. So, Russian people are very proud of it. Much as in American politics, domestic politics matters to them, too. And the fact of the matter is that the Russian press, which used to be reasonably free when I lived there 20 years ago, is no longer free. It’s very much controlled by the government, and it’s a propaganda tool. What you have now is an opportunity for the government to put a spin on aircraft carrier deployments, which obviously make them look good, and that’s what we saw.

Two stories: when Kuznetsov deployed to the Syrian coast, if you had only read the Russian press, you’d be convinced it was the most successful deployment in the world. Note, of course, that the air wing was only about half of what it might have been, and only a quarter of what we would consider a real air wing.

So, if you read the British press, all you’d see is a ship belching black smoke (and on some days, it even looked like white smoke, for all you surface warfare officers, not good). You’d also have seen the four British destroyers that were tailing it and having it in their sights the whole way.

So, was it successful? To the Russian people, absolutely, A+. To the western world, not so much. The air wing that they took was miniscule. Second, they don’t have much opportunity to exercise their air wing. While I’m not an aviator, I know that this is very difficult. So, I wasn’t at all surprised when within their first week they lost two airplanes due to an inability to operate a flight deck and an air wing properly. So when you only take over 20-25 airplanes, and lose two in the first week, we shouldn’t be surprised that effectively the entire air wing went ashore. That probably wasn’t anywhere in the Russian press, but it certainly was in the western sources. So, did Russia end up with more airplanes in their Syrian operation? Yes. Did the Russian aircraft carrier carry them down there? Yes. Was it a successful aircraft carrier operation? I would say no.

AO: Given that lens, my next question may seem a little silly, but what about the Shtorm 23000E, the next generation aircraft carrier? Defense News was reporting about it earlier this month, citing possible Indian Navy interest. Does this seem likely to be built? Will they keep trying?

TF: The Russian economy is built on exporting minerals (mostly oil and gas). Below that, it’s arms exports. They export almost as much as we do! But they have such a small economy that their arms sales really matter. So, when you look at Russian military capability, sometimes that’s just a small part of why they deploy. A larger part of why they deploy is to show off what type of technology they have and to try to sell it. You mentioned the Indian Navy. When I was in Moscow, there were more Indian officers there than from any other nation. U.S. was second. Why? Because the Russians, by the default of politics, ended up selling India its navy. Still today, about 70 percent of the Indian Navy is Russian. I’ve spoken to lots of Indian Navy officers about this. The sense is that they don’t like the Russian ships, they don’t work too well, they’re suboptimal, but they can afford them. The U.S. has this double-whammy where we’re not that good at selling high technology, and when we sell it, it costs a lot of money. And the Indian budget makes them buy Russian – and they continue to buy Russian. So, should the Russians be able to continue to build the Shtorm, India would be the most likely nation that would buy it.

But remember, of course, Russia just sold and delivered to them the Vikramaditiya, a ski-jump carrier which was 4 years overdue, 300 percent over budget, and every Indian naval officer I’ve spoken to has said, “Well, it’s not a good ship, but we needed an aircraft carrier and we could afford it, so we got what we got.” If this Shtorm really does turn out to be good, the Indians may well want it, but the Indians are also in the process of building their own nuclear-powered aircraft carrier, which would be their first choice, and if they can build it (they’re not very good at building ships either, unfortunately), they’ll stick with their domestic product.

Now, will the Russians actually build it? I would be very pessimistic. When they talk about Shtorm, they talk about building between 3 and 6. That’s how definitive they are – they can be off by a factor of two. It seems that they’re leaning in the direction of nuclear power, but sometimes you can read press articles that suggest maybe not. So they’re so unsure of where this is going, and their track record of having a yard that can build a 65,000 ton ship…it’s unlikely. In fact, if they ever get around to it, they’ll probably have to build it in two sections and then weld it together. I’m no shipbuilder, but I know this can’t be easy.

AO: Let’s switch gears and talk about their new Maritime Doctrine, which was released in 2015. What’s changed since the last version?

TF: Their last one was in 2001, and I’m nerdy about this but I read these documents. It’s important because you need to know what changes there are from one document from the next. If you read American naval strategy, you’ll note that there are significant differences between the one that just came out on the street and the one in 2007 – those differences will affect how we operate and what ships we build. Same for the Russians. In 2001, they wrote what they called a Maritime Doctrine, and it was almost as if there wasn’t a Navy admiral present at the drafting. It was like the Secretary of Commerce, the Secretary of Tourism, and the Secretary of Energy sat down and, at the last minute, invited an admiral in to come in and write a couple of words. It clearly was a maritime doctrine, not a naval doctrine.

In 2015, the new maritime doctrine was signed by President Putin in a formal scene built for television, aboard a brand-new frigate, named for Admiral Gorshkov, as you’ll recall, the founder of the great Soviet Navy, in Kaliningrad harbor. The only other people there were the admiral who ran Kaliningrad harbor, the chief of the navy, the chief of Russian defense, and Russia’s national security advisor. The Secretaries of commerce, tourism, etc. weren’t invited because this new document is significantly different. The tone is just wildly different. You will read phrases like, “The Russian Navy’s mission is to ensure non-Russian naval ships are not allowed to operate freely in the Arctic.” Things like, “NATO is the principal threat to Russia therefore the Russian navy must deploy to the Atlantic because the NATO Navy must be engaged before it gets to Russian shores” and “The Russian Navy will have a permanent flotilla in the Mediterranean.”

Remember, for a lot of years, there were virtually no Russian ships. When I deployed William V. Pratt there in 1989, we watched the 5th Eskadra leave the Med. We were fully expecting that we would be doing the usual tricks with our Soviet counterparts, cat and mouse games with their submarines, etc. They all left! And so the admiral called in all the skippers and said, “We have nothing to do. Any ideas?” I said, “15 port visits?” And he had nothing better, so we were able to have a loveboat cruise. But obviously the world has changed. The Russians are back in the Med. They’ve got a flotilla there, between 7-10 big serious warships, and the reason that they’re there, according to their maritime doctrine, is because of the NATO threat. You read “NATO threat” all over this document. When you read it in the Pacific, it’s clear that they are all about establishing better relations with the Chinese and Indian navies. And so they call a spade a spade. They’re not afraid to talk about which fleets are growing.

And by the way, every fleet is growing according to this document. You wouldn’t think it, but the Black Sea fleet, which was supposed to go away, now because of Ukraine and Crimea is now getting bolstered more than almost any other fleet. They’re talking about expanding each of their fleets – qualitatively and quantitatively. Finally, there’s a huge chapter on shipbuilding this time. They have a huge shipbuilding organization, and it is tasked with building navy ships in response to the demands of the navy – the missions that the navy intends to do. So, in tone and in tenor and in content analysis, the words in the 2015 document are significantly different. The picture of Putin and chief of defense sitting there in the wardroom of the frigate Gorshkov, I think is worth 10,000 words by itself.

From let to right: Victor Chirkov, Dmitri Rogozin, Vladimir Putin, Sergei Shoigu and Anatolii Sidorov onboard the frigate Admiral Gorshkov (Kremlin.ru)

AO: Let’s pick apart this modernization plan. There’s a strategy, then there’s a modernization plan inside of that strategy. Let’s talk about the surface navy, first. How do they expect to evolve and modernize?

TF: They’ve got a plan, and I’ll give you another editorial, too. Whatever they say, decrease it by about 50 percent. They lie, cheat, and steal when they talk about how many ships they intend to operate this year. When I look back on what they say and what they actually do, they get about half. Once again, it’s one of these “how tall are the Russians?” questions. During the Cold War, the debate always used to be, “are they 8 feet tall? 10 feet tall?” We ended up saying maybe 5’6.” Today, we’re having that debate again. No one is saying that they’re 10 feet tall. We’ll get to that later. But, for about 20 years, they were about 0 feet tall. They built virtually nothing. The ships that they had – which was the second-biggest navy in the world back in 1989 – they pulled the plug on it. The ships were just tied at the pier, they began to rot. Though quantitatively it was still huge, qualitatively it was a mess. I can attest to that because I was at the embassy in Moscow in the mid-90s and probably a lot of the reports that I wrote on the Russian Navy at the time, when they were read in Washington, were laughed at. They were so horrifically bad. Now when you talk about modernization, they went from nothing to the point where they’re building a few ships now. The few ships that they did build were aimed at arms exports. So yes, they sold submarines to Indonesia, Vietnam, India, the Chinese Navy; they kept very little. Just ones and two of everything they built.

That started to change around 2008. They continued to build ships, but increasingly to build it for themselves. In the year 2000, it wasn’t uncommon when they started to build, say, a frigate, to take 14 years from the time they laid the keel to the time that they delivered it. Laughable, yes. But that was the way life was back then. Understand, of course, Russia. Russia is a small economy. They lost the Cold war because their economy couldn’t keep up with our economy. We outspent them to death. They’re very aware of that. But what we had was that if we forced them to build a lot of ships, they would run out of money fast. They knew that, therefore they didn’t build a lot of ships. Starting around 2005-2007, economists can help us here, but the economy started to go up. I don’t mean to say this with scorn, but to a great extent, Russia is a large Nigeria. They’re dependent on the price of oil. And if the price of oil goes up, their wallets are very thick. Price of oil goes down, they’re threadbare. Price of oil went up – it was over $100/barrel, and they had more money than they knew what to do with. They had a brand-new secretary of defense back in 2008, Serdyukov. Maybe we don’t know him in the west, but in Russia, they really appreciate what this guy did. He demanded that a lot of money be spent on all the services, and the navy got more than their fair share – 40 percent – of this building budget.

He did that, one, and two, he also kicked a lot of butt and took a lot of names with respect to the operational readiness of the fleet. He saw, full well, that the Russian Navy couldn’t operate with the Russian air force, or the Russian Army. Remember that, back in the 70s and 80s in the U.S.? That’s what they started to grow out of. Under Serdyukov, he understood that they had a conscription-based military, many sailors were almost illiterate, and they, of course, were not the type of sailors that you and I would like on our ships. He started a policy that said, “if it goes to sea, and certainly if it’s new construction…no conscripts.” Conscripts were left to be mess cooks at navy bases. And the real sailors, the contract sailors, went to ships. Remember before I told you ships didn’t go to sea too much in 2000-2002. But they started to go to sea more, without the conscript sailors, and so you got a qualitatively improved force. And at the same time, you were building ships that weren’t just for arms export. They were for your navy. I’m bragging here – get over this – but it used to take them 14 years to build a frigate and now they can build one in five or six. OK, that’s not very fast, but they’re getting better at it. They’ve consolidated their shipbuilding, and they’re building a couple of ships per year. They announce they’re putting out eight warships a year. I’ve yet to see a year where eight ships came out. But, three and four, yes. And of course, they’re not big ships, they’re smaller, they might even be enhanced patrol boats, but at least they are putting out ships. But there are meaningfully, a few classes of ships and submarines that they’re putting out that do appear to be successes.

AO: So speaking of submarines, perhaps you can give a brief overview of today’s submarines, especially how they stack up against U.S. submarines. Are they as good as they once were?

TF: The answer is yes, remembering of course that they were never as good as our submarines. But they got close, and they’re getting close again. Two general areas. First of all, boomers, SSBNs. We have the luxury of having a blue water sea control navy. They don’t. We can talk about that later. But first and foremost, their navy is there for strategic deterrence. So when they get a dollar, they spend it on strategic deterrence, first. Their most successful building program is what they call their Borei class – the 955 class SSBN. They’ve got three in the water already and five more coming, and most western analysts look at it as a successful building program. The bigger problem that they have is with the solid-fuel missile that they’re trying to mate to it, the Bulava. That’s had a very checkered past, in which at times virtually every shot was a failure. Now they’re getting about a 50 percent success rate. They’re happy with that. They’re mating the Bulava to the SSBN, and they claim they’re ready to operate. Their deployments have been short. They tend to be in the old Bastion areas that we got used to looking at during the Cold War. But the point is that their SSBNs are going to sea again with an SLBM. And even though they did have a few other Delta IIIs, Delta IVs, Typhoons, these were unreliable, it was rare for them to deploy. The Russians were proud to say that if necessary they could fire a ballistic salvo from pier side. That’s true. But I’m not sure that’s anything to brag about. So yes, they did have a submarine force with ballistic missiles. But now they’ll have a force, with more to follow, that I expect will be delivered on time. So now they’ll have a force of about eight SSBNs that can deploy and shoot missiles from sea.

Russian Navy Borei-class submarine (RIA Novosti)

Now, SSNs, they’ve got a very impressive new submarine. It’s large, has got a lot of new weapons systems, and is reputedly very quiet. At least in the unclass world, it looks to be close to, but not quite, an LA and Virginia class. It’s got a lot of things, but the problem is that it’s so sophisticated by Russian standards that they’re having a hard time following it with what they claim to be seven more of the Severomorsk class warships. I think it’ll happen, but it’ll happen very slowly, and it’ll be almost like custom-made cars. They’ll happen, but it won’t be like an assembly line. It’s a little too difficult for them to put them on an assembly line yet. But they will be very good, once they do come out, and they’re now talking about a follow-on class of SSN with hypersonic cruise missiles and more sophisticated gadgetry. But if I can summarize, their submarine building is way better than their big surface ship building program. That’s where they’ve concentrated, where they’ve put their talent, their money, where they’ve had most of their successes, and that was true back during the Cold War much as it is today.

AO: Continuing our scope through “things the Russians might build…” missiles. What does it mean that Russian corvettes were able to successfully launch missiles out of the Caspian Sea last year?

TF: Well first of all, cynics say, ‘boy won’t a lot of people want to buy that missile?’ We’re sure that the Russians are wanting to sell it, and they’ll probably sell it a lot cheaper than the U.S. will. But the Russians couldn’t get over how great this was because they were able to shoot this Kalibr-class missile from two different directions, from two different, small platforms. The Buyan patrol boat, which is a 1000 ton patrol boat, can carry 8 of these missiles, with a range of 1500 miles, which is a lot, and, depending on what you read, only three of them were misfires. 23 out of 26 hit something, presumably a target. You know, when we were shooting our first cruise missiles 25 years ago, we had a worse failure rate than that. And they not only shot from Buyans in the Caspian flotilla, but then they also shot from diesel submarines, the brand-new improved Kilo-class submarines, which are delivering to the Black Sea fleet. They shot a series of them from the Med. So they had cruise missiles coming from both directions, from unsophisticated small-ish ships. Very sophisticated weapon, and the world took note of that.

AO: Changing gears a bit, let’s go a bit bigger picture and talk about maritime power. Is it fair to call Russia a maritime nation? Most people would call it a land power. How does that figure into Russia’s national security posture?

TF: That’s right. It’s mostly a land power. But it’s a land power that knows how to use maritime power in selective and judicious ways. I’m going to inject a bit of personality into this too. I think Vladimir Putin prides himself on his navy. I think he identifies with his navy. The navy is sleek, it looks cool, it packs a quick punch. He is a judo master after all. He has used his navy in a number of ways – Syria is the classic example – not only does he have a force off of the Syrian coast, but he is protecting the logistics with his flotilla. 99 percent of all the Russian logistics that goes to Syria comes from the Black Sea, through their port in Tartus. It’s defended by his naval forces, they’ve delivered air power also, and there’s air defense that they’ve set up there. What he has is an opportunity to play a weak hand and to play it forcefully. To a great extent, he played his navy in the 2013 red line on Syria chemical weapons – that’s when he deployed his force. And he was quick to point out that he had a naval force in the Med, when we really did not. His naval force would watch and ensure that the Syrian chemical weapons were delivered to the right place for destruction. It’s a small hand, but he plays it and isn’t afraid to over play it.

He sends his ships, when we were discussing reestablishing relations with Cuba – he sent a cruiser into Havana harbor, and it was sitting there while our diplomats were discussing relations with the Cubans. So, he does a lot with a little. And he’s more than happy to identify with his navy. There’s really no navy celebration that he doesn’t put on his navy hat. With the exception of going barechested, he is most likely seen in Google wearing navy hats. He just seems to like his navy. And he’s been funding his navy very well for quite some time.

Russian President Vladimir Putin in naval attire (AP)

So, I’m not going to go so far as to say that it’s a maritime nation, because it’s not a sea control navy. He has admirals that have been telling him to build a sea control navy. But our 6th fleet commander did take a look at what he would be up against, and he was not afraid to admit that while it isn’t a sea control navy, it’s not just an A2AD navy, either. It can do more than bloody our nose if we decide to get into a fight with them in the Black Sea, in the Baltic, and certainly in the Arctic. It can do a number of things that can hurt us. They just don’t have the sailors, the seamanship, the tradition, the Admiral Gorshkov, to go after us again in the middle of the Atlantic or the middle of the Pacific. But near their shores, they’re extremely potent.

AO:  Is there anything else you think our listeners need to know, that you think we’ve missed, to wrap up our discussion?

TF: Sleep well at night. If it were a fair fight, our navy still can so wildly outperform their navy that they would never seek a fight like that. As you see Russian doctrine talking about things like hybrid warfare – they’re always interested in an unfair fight. So, they may very well want to take their hybrid warfare, their little green men equivalent, to sea, and they may be interested in provoking us in other ways that we have yet to predict, and we should be ready for that. This would not be existential. But it could certainly hurt us, and it could hurt our pride, and it could certainly surprise us. So I would say let’s be ready for that.

But on the positive side (assuming you look at Russia as an adversary or as an aggressor), their military, much as the Soviet leaders, is dependent on their economy. Their economy has performed very poorly over the past couple of years. Partly price of oil, partly western sanctions, but the bottom line is they’ve had a negative GDP for a couple of years. What’s happened under Mr. Putin is that his budgets have had to shrink in every area. If you were a provincial governor, your budget shrunk by 50 percent last year. If you were a pensioner, your pension was cut 50 percent last year. If you were the chief of navy, your budget wasn’t cut, and you were about the only guy whose budget wasn’t cut. If their economy continues its bad performance, I would argue that the chief of navy is going to get his budget cut next year. All of the grand plans for the new aircraft carriers, destroyers, will be put on hold, and it will be again, sometime in the future. Don’t expect to see it in the near term.

AO: Professor, this has been a super interesting Sea Control podcast, and I want to thank you for joining us. We really appreciate your time, insights, and hope to talk to you again soon.

TF: Ashley, thank you very much. Time did fly and I had a great time.

Ashley O’Keefe is the CIMSEC Secretary for 2016-2017. Her views and those of Professor Fedyszyn are theirs alone and do not represent the stance of any U.S. government department or agency.

A Cyber Vulnerability Assessment of the U.S. Navy in the 21st Century

By Travis Howard and José de Arimatéia da Cruz

Introduction

The United States Navy is a vast, worldwide organization with unique missions and challenges, with information security (and information warfare at large) a key priority within the Chief of Naval Operations’ strategic design. With over 320,000 active duty personnel, 274 ships with over 20 percent of them deployed across the world at any one time, the Navy’s ability to securely communicate across the globe to its forces is crucial to its mission. In this age of rapid technological growth and the ever expanding internet of things, information security is a primary consideration in the minds of senior leadership of every global organization. The Navy is no different, and success or failure impacts far more than a stock price.

Indeed, an entire sub-community of professional officers and enlisted personnel are dedicated to this domain of information warfare. The great warrior-philosopher Sun Tzu said “one who knows the enemy and knows himself will not be endangered in a hundred engagements.” The Navy must understand the enemy, but also understand its own limitations and vulnerabilities, and develop suitable strategies to combat them. Thankfully, strategy and policy are core competencies of military leadership, and although information warfare may be replete with new technology, it conceptually remains warfare and thus can be understood, adapted, and exploited by the military mind.

This paper presents a high-level, unclassified overview of threats and vulnerabilities surrounding the U.S. Navy’s network systems and operations in cyberspace. Several threats are identified to include nation states, non-state actors, and insider threats. Additionally, vulnerabilities are presented such as outdated network infrastructure, unique networking challenges present aboard ships at sea, and inadequate operating practices. Technical security measures that the Navy uses to thwart these threats and mitigate these vulnerabilities are also presented. Current U.S. Navy information security policies are analyzed, and a potential security strategy is presented that better protects the fleet from the before-mentioned cyber threats, mitigates vulnerabilities, and aligns with current federal government mandates.

Navy Network Threats and Vulnerabilities

There are several cyber threats that the Navy continues to face when conducting information operations in cyberspace. Attacks against DoD networks are relentless, with 30 million known malicious intrusions occurring on DoD networks over a ten-month period in 2015. Of principal importance to the U.S. intelligence apparatus are nation states that conduct espionage against U.S. interests. In cyberspace, the Navy contests with rival nations such as Russia, China, Iran, and North Korea, and all are developing their own information warfare capabilities and information dominance strategies. These nations, still in various stages of competency in the information warfare domain, continue to show interest in exploiting the Navy’s networks to conduct espionage operations, either by stealing information and technical data on fleet operations or preventing the Navy from taking advantage of information capabilities.

Non-state actors also threaten naval networks. Organized activist groups known collectively as “hacktivists,” with no centralized command and control structure and dubious, fickle motivations, present a threat to naval cyberspace operations if their goals are properly aligned. In 2012, Navy officials discovered hacktivists from the group “Team Digi7al” had infiltrated the Navy’s Smart Web Move website, extracting personal data from almost 220,000 service members, and has been accused of more than two dozen additional attacks on government systems from 2012 to 2013. The hactivist group boasted of their exploits over social media, citing political reasons but also indicated they did it for recreation as well. Individual hackers, criminal organizations, and terrorist groups are also non-state threat actors, seeking to probe naval networks for vulnerabilities that can be exploited to their own ends. All of these threats, state or non-state actors, follow what the Department of Defense (DoD) calls the “cyber kill chain,” depicted in figure 1. Once objectives are defined, the attacker follows the general framework from discovery to probing, penetrating then escalating user privileges, expanding their attack, persisting through defenses, finally executing their exploit to achieve their objective.

Figure 1. Navy depiction of the “cyber kill chain

One of the Navy’s most closely-watched threat sources is the insider threat. Liang and Biros, researchers at Oklahoma State University, define this threat as “an insider’s action that puts an organization or its resources at risk.” This is a broad definition but adequately captures the scope, as an insider could be either malicious (unlikely but possible, with recent examples) or unintentional (more likely and often overlooked).

The previously-mentioned Team Digi7al hactivist group’s leader was discovered to be a U.S. Navy enlisted Sailor, Petty Officer Nicholas Knight, a system administrator within the reactor department aboard USS HARRY S TRUMAN (CVN 75). Knight used his inside knowledge of Navy and government systems to his group’s benefit, and was apprehended in 2013 by the Navy Criminal Investigative Service and later sentenced to 24 months in prison and a dishonorable discharge from Naval service.

Presidential Executive Order 13587, signed in 2011 to improve federal classified network security, further defines an insider threat as “a person with authorized access who uses that access to harm national security.”  Malevolence aside, the insider threat is particularly perilous because these actors, by virtue of their position within the organization, have already bypassed many of the technical controls and cyber defenses that are designed to defeat external threats. These insiders can cause irreparable harm to national security and the Navy’s interests in cyberspace. This has been demonstrated by the Walker-Whitworth espionage case in the 1980s, Private Manning in the latter 2000s, or the very recent Edward Snowden/NSA disclosure incidents.

The Navy’s vulnerabilities, both inherent to its nature and as a result of its technological advances, are likewise troubling. In his 2016 strategic design, Chief of Naval Operations Admiral John M. Richardson stated that “the forces at play in the maritime system, the force of the information system, and the force of technology entering the environment – and the interplay between them have profound implications for the United States Navy.” Without going into classified details or technical errata, the Navy’s efforts to secure its networks are continuously hampered by a number of factors which allow these threats a broad attack surface from which to choose.

As the previous Chief of Naval Operations (CNO), Admiral Jon Greenert describes in 2012, Navy platforms depend on networked systems for command and control: “Practically all major systems on ships, aircraft, submarines, and unmanned vehicles are ‘networked’ to some degree.” The continual reliance on position, navigation, and timing (PNT) systems, such as the spoofing and jamming-vulnerable Global Positioning System (GPS) satellite constellation for navigation and precision weapons, is likewise a technical vulnerability. An internet search on this subject reveals multiple scholarly and journalist works on these vulnerabilities, and more than a few describe how to exploit them for very little financial investment, making them potentially cheap attack vectors.

Even the Navy’s vast size and scope of its networks present a vulnerability to its interests in cyberspace. As of 2006, the Navy and Marine Corps Intranet (NMCI), a Government Owned-Contractor Operated (GOCO) network that connects Navy and Marine Corps CONUS shore commands under a centralized architecture, is “the world’s largest, most secure private network serving more than 500,000 sailors and marines globally.” That number has likely grown in the 10 years since that statistic was published, and even though the name has been changed to the Navy’s Next Generation Network (NGEN), it is still the same large beast it was before, and remains one of the single largest network architectures operating worldwide. Such a network provides an enticing target.

Technical Security Measures and Controls

The Navy employs the full litany of technical cybersecurity controls across the naval network enterprise, afloat and ashore. Technical controls include host level protection through the use of McAfee’s Host Based Security System (HBSS), designed specifically for the Navy to provide technical controls at the host (workstation and server) level. Network controls include network firewalls, intrusion detection and prevention systems (IDS/IPS), security information and event management, continuous monitoring, boundary protection, and defense-in-depth functional implementation architecture. Anti-virus protection is enabled on all host systems through McAfee Anti-Virus, built into HBSS, and Symantec Anti-Virus for servers. Additionally, the Navy employs a robust vulnerability scanning and remediation program, requiring all Navy units to conduct a “scan-patch-scan” rhythm on a monthly basis, although many units conduct these scans weekly.

The Navy’s engineering organization for developing and implementing cybersecurity technical controls to combat the cyber kill chain in figure 1 is the Space and Naval Warfare Systems Command (SPAWAR), currently led by Rear Admiral David Lewis, and earlier this year SPAWAR released eight technical standards that define how the Navy will implement technical solutions such as firewalls, demilitarized zones (DMZs), and vulnerability scanners. RADM Lewis noted that 38 standards will eventually be developed by 2018, containing almost 1,000 different technical controls that must be implemented across the enterprise.

Of significance in this new technical control scheme is that no single control has priority over the others. All defensive measures work in tandem to defeat the adversary’s cyber kill chain, preventing them from moving “to the right” without the Navy’s ability to detect, localize, contain, and counter-attack. RADM Lewis notes that “the key is defining interfaces between systems and collections of systems called enclaves,” while also using “open architecture” systems moving forward to ensure all components speak the same language and can communicate throughout the enterprise.

The importance of open systems architecture (OSA) as a way to build a defendable network the size of the Navy’s cannot be understated. The DoD and the Navy, in particular, have mandated use of open systems specifications since 1994; systems that “employ modular design, use widely supported and consensus-based standards for their key interfaces, and have been subjected to successful validation and verification tests to ensure the openness of their key interfaces.” By using OSA as a means to build networked systems, the Navy can layer defensive capabilities on top of them and integrate existing cybersecurity controls more seamlessly. Proprietary systems, by comparison, lack such flexibility thereby making integration into existing architecture more difficult.

Technical controls for combating the insider threat become more difficult, often revolving around identity management software and access control measures. Liang and Biros note two organizational factors to influencing insider threats: security policy and organizational culture. Employment of the policy must be clearly and easily understood by the workforce, and the policy must be enforced (more importantly, the workforce must fully understand through example that the policies are enforced). Organizational culture centers around the acceptance of the policy throughout the workforce, management’s support of the policy, and security awareness by all personnel. Liang and Biros also note that access control and monitoring are two must-have technical security controls, and as previously discussed, the Navy clearly has both yet the insider threat remains a primary concern. Clearly, more must be done at the organizational level to combat this threat, rather than just technical implementation of access controls and activity monitoring systems.

Information Security Policy Needed to Address Threats and Vulnerabilities

The U.S. Navy has had an information security policy in place for many years, and the latest revision is outlined in Secretary of the Navy Instruction (SECNAVINST) 5510.36, signed June 2006. This instruction is severely out of date and does not keep pace with current technology or best practices; Apple released the first iPhone in 2007, kicking off the smart phone phenomenon that would reach the hands of 68% of all U.S. adults as of 2015, with 45% also owning tablets. Moreover, the policy has a number of inconsistencies and fallacies that can be avoided, such as a requirement that each individual Navy unit establish its own information security policy, which creates unnecessary administrative burden on commands that may not have the time nor expertise to do so. Additionally, the policy includes a number of outdated security controls under older programs such as the DoD Information Assurance Certification and Accreditation Process (DIACAP), which has since transitioned to the National Institute for Standards and Technology (NIST) Risk Management Framework (RMF).

Beginning in 2012, the DoD began transitioning away from DIACAP towards the NIST RMF, making full use of NIST Special Publications (SPs) for policy development and implementation of security controls. The NIST RMF as it applies to DoD, and thus the Navy, is illustrated in figure 2. The process involves using NIST standards (identified in various SPs) to first categorize systems, select appropriate security controls, implement the controls, assess their effectiveness, authorize systems to operate, then monitor their use for process improvement.

Figure 2. NIST Risk Management Framework

This policy is appropriate for military systems, and the Navy in particular, as it allows for a number of advantages for policymakers, warfighters, system owners, and developers alike. It standardizes cybersecurity language and controls across the federal government for DoD and Navy policymakers, and increases rapid implementation of security solutions to accommodate the fluidity of warfighting needs. Additionally, it drives more consistent standards and optimized workflow for risk management which benefits system developers and those responsible for implementation, such as SPAWAR.

Efforts are already underway to implement these policy measures in the Navy, spearheaded by SPAWAR as the Navy’s information technology engineering authority. The Navy also launched a new policy initiative to ensure its afloat units are being fitted with appropriate security controls, known as “CYBERSAFE.” This program will ensure the implementation of NIST security controls will be safe for use aboard ships, and will overall “focus on ship safety, ship combat systems, networked combat and logistics systems” similar to the Navy’s acclaimed SUBSAFE program for submarine systems but with some notable IT-specific differences. CYBERSAFE will categorize systems into three levels of protection, each requiring a different level of cybersecurity controls commensurate with how critical the system is to the Navy’s combat or maritime safety systems, with Grade A (mission critical) requiring the most tightly-controlled component acquisition plan and continuous evaluation throughout the systems’ service life.

Implementation of the NIST RMF and associated security policies is the right choice for the Navy, but it must accelerate its implementation to combat the ever-evolving threat. While the process is already well underway, at great cost and effort to system commands like SPAWAR, these controls cannot be delayed. Implementing the RMF across the Navy enterprise will reduce risk, increase security controls, and put its implementation in the right technical hands rather than a haphazard implementation of an outdated security policy that has, thus far, proven inadequate to meet the threats and reduce vulnerabilities inherent with operating such a large networked enterprise. With the adoption of these new NIST policies also comes a new strategy for combating foes in cyberspace, and the Navy has answered that in a few key strategy publications outlined in the next section.

Potential Security Strategy for Combating Threats and Minimizing Vulnerabilities

It is important to note that the Navy, like the other armed services of the DoD, was “originally founded to project U.S. interests into non-governed common spaces, and both have established organizations to deal with cybersecurity.” The Navy’s cyber policy and strategy arm is U.S. Fleet Cyber Command (FLTCYBERCOM, or FCC), co-located with the DoD’s unified cyber commander, U.S. Cyber Command (USCYBERCOM, or USCC). Additionally, its operational cyber arm, responsible for offensive and defensive operations in cyberspace, is U.S. 10th Fleet (C10F), which is also co-located with U.S. Fleet Cyber and shares the same commander, currently Vice Admiral Michael Gilday.

Prior to VADM Gilday’s assumption of command as FCC/C10F, a strategy document was published by the Chief of Naval Operations in 2013 known as Navy Cyber Power 2020, which outlines the Navy’s new strategy for cyberspace operations and combating the threats and vulnerabilities it faces in the information age. The strategic overview is illustrated in figure 3, and attempts to align Navy systems and cybersecurity efforts with four main focus areas: integrated operations, optimized cyber workforce, technology innovation, and acquisition reform. In short, the Navy intends to integrate its offensive and defensive operations with other agencies and federal departments to create a unity of effort (evident by its location at Ft. Meade, MD, along with the National Security Agency and USCC), better recruit and train its cyber workforce, rapidly provide new technological solutions to the fleet, and reform the acquisition process to be more streamlined for information technology and allow faster development of security systems.

Figure 3. Threats and Motivations, Strategic Focus of Navy Cybersecurity 

Alexander Vacca, in his recent published research into military culture as it applies to cybersecurity, noted that the Navy is heavily influenced by sea combat strategies theorized by Alfred Thayer Mahan, one of the great naval strategists of the 19th century. Indeed, the Navy continually turns to Mahan throughout an officer’s career from the junior midshipman at the Naval Academy to the senior officer at the Naval War College. Vacca noted that the Navy prefers Mahan’s “decisive battle” strategic approach, preferring to project power and dominance rather than pursue a passive, defensive strategy. This potentially indicates the Navy’s preference to adopt a strategy “designed to defeat enemy cyber operations” and that “the U.S. Navy will pay more attention to the defeat of specified threats” in cyberspace rather than embracing cyber deterrence wholesale. Former Secretary of the Navy Ray Mabus described the offensive preference for the Navy’s cyberspace operations in early 2015, stating that the Navy was increasing its cyber effects elements in war games and exercises, and developing alternative methods of operating during denial-of-service situations. It is clear, then, that the Navy’s strategy for dealing with its own vulnerabilities is to train to operate without its advanced networked capabilities, should the enemy deny its use. Continuity of operations (COOP) is a major component in any cybersecurity strategy, but for a military operation, COOP becomes essential to remaining flexible in the chaos of warfare.

A recent  article describing a recent training conference between top industry cybersecurity experts and DoD officials was critical of the military’s cybersecurity training programs. Chief amongst these criticisms was that the DoD’s training plan and existing policies are too rigid and inflexible to operate in cyberspace, stating that “cyber is all about breaking the rules… if you try to break cyber defense into a series of check-box requirements, you will fail.” The strategic challenge moving forward for the Navy and the DoD as a whole is how to make military cybersecurity policy (historically inflexible and absolute) and training methods more like special forces units: highly trained, specialized, lethal, shadowy, and with greater autonomy within their specialization.

Current training methods within the U.S. Cyber Command’s “Cyber Mission Force” are evolving rapidly, with construction of high-tech cyber warfare training facilities already underway. While not yet nearly as rigorous as special forces-like training (and certainly not focused on the physical fitness aspect of it), the training strategy is clearly moving in a direction that will develop a highly-specialized joint information warfare workforce. Naegele’s article concludes with a resounding thought: “The heart of cyber warfare…is offensive operations. These are essential military skills…which need to be developed and nurtured in order to ensure a sound cyber defense.

Conclusions

This paper outlined several threats against the U.S. Navy’s networked enterprise, to include nation state cyber-rivals like China, Russia, Iran, and North Korea, and non-state actors such as hactivists, individual hackers, terrorists, and criminal organizations. The insider threat is of particular concern due to this threat’s ability to circumvent established security measures, and requires organizational and cultural influences to counter it, as well as technical access controls and monitoring. Additionally, the Navy has inherent vulnerabilities in the PNT technology used in navigation and weapon systems throughout the fleet, as well as the vast scope of the ashore network known as NMCI, or NGEN.

The Navy implements a litany of cybersecurity technical controls to counter these threats, including firewalls, DMZs, and vulnerability scanning. One of the Navy’s primary anti-access and detection controls is host-based security through McAfee’s HBSS suite, anti-virus scanning, and use of open systems architecture to create additions to its network infrastructure. The Navy, and DoD as a whole, is adopting the NIST Risk Management Framework as its information security policy model, implementing almost 1000 controls adopted from NIST Special Publication 800-53, and employing the RMF process across the entire enterprise. The Navy’s four-pronged strategy for combating threats in cyberspace and reducing its vulnerability footprint involves partnering with other agencies and organizations, revamping its training programs, bringing new technological solutions to the fleet, and reforming its acquisition process. However, great challenges remain in evolving its training regimen and military culture to enable an agile and cyber-lethal warfighter to meet the growing threats.

In the end, the Navy and the entire U.S. military apparatus is designed for warfare and offensive operations. In this way, the military has a tactical advantage over many of its adversaries, as the U.S. military is the best trained and resourced force the world has ever known. General Carl von Clausewitz, in his great anthology on warfare, stated as much in chapter 3 of book 5 of On War (1984), describing relative strength through admission that “the principle of bringing the maximum possible strength to the decisive engagement must therefore rank higher than it did in the past.” The Navy must continue to exploit this strength, using its resources smartly by enacting smart risk management policies, a flexible strategy for combating cyber threats while reducing vulnerabilities, and training its workforce to be the best in the world.

Lieutenant Howard is an information warfare officer/information professional assigned to the staff of the Chief of Naval Operations in Washington D.C. He was previously the Director of Information Systems and Chief Information Security Officer on a WASP-class amphibious assault ship in San Diego.

Dr. da Cruz is a Professor of International Relations and Comparative Politics at Armstrong State University, Savannah, Georgia and Adjunct Research Professor at the U.S. Army War College, Carlisle, Pennsylvania.

The views expressed here are solely those of the authors and do not necessarily reflect those of the Department of the Navy, Department of the Army, Department of Defense or the United States Government.

Featured Image: At sea aboard USS San Jacinto (CG 56) Mar. 5, 2003 — Fire Controlman Joshua L. Tillman along with three other Fire Controlmen, man the shipÕs launch control watch station in the Combat Information Center (CIC) aboard the guided missile cruiser during a Tomahawk Land Attack Missile (TLAM) training exercise. (RELEASED)