During the 2016 presidential election, then-candidate Donald Trump made the size and strength of America’s naval force a key aspect of his defense platform, arguing that the fleet should be increased in order to give policy-makers a diverse array of options to deal with threats and emergencies.1 Others stress that the size of the Navy is completely sufficient to deal with any and all potentialities, particularly given the fact that the United States currently possesses the only 10 nuclear-powered supercarriers in the world; this advantage precludes any serious challenge from the likes of near-peer competitors and ensures American dominance of the seas for the foreseeable future.2 However, these extremes fail to recognize the realities of a constrained and competitive national budgetary environment and the growing inadequacies of the current fleet to deal with limited-scope challenges from rising near-peer states. The United States Navy should adopt an intermediate approach to growing the fleet in order to maintain a favorable balance of power while also making efficient use of limited budgetary resources.
Critics of a proposed buildup in naval forces often focus on the current advantage that the United States enjoys over every other nation, particularly the fact that all supercarriers are currently American. They note that America possesses an overwhelming dominance in terms of “carriers, nuclear submarines, naval aviation, surface firepower, assault ships, missiles and logistics.”3 However, they fail to take into account what the most likely conflicts with China and other near-peers like Russia would look like. Carl von Clausewitz distinguished between warfare waged in order to obtain the complete annihilation of the enemy’s military capability and warfare waged in order to shift and renegotiate the balance of power between two sides.4
An engagement with China, for example, would likely be limited in scope and not involve either side seeking the total or even significant destruction of the other’s military force, let alone the use of nuclear weapons.5 During such an engagement, there would be a focus from the enemy on the deployment of anti-access, area-denial weaponry to push American carriers out of aircraft range of the mainland and immediate coastal waters, as well as potential sea lanes; this would deny America the ability to rapidly retaliate, leaving U.S. allies without key air defenses and vulnerable to a blockade by Chinese forces.6
Those who wish to maintain the current status quo in naval forces or even implement a reduction also fail to realize the dangers of the current operational tempo to the long-term health of the fleet. In order to ensure three supercarriers are on deployment continuously throughout the world, it is necessary to maintain a fleet of twelve, as for each carrier on assignment, three are heading to replace it or are training, returning home from deployment, and undergoing maintenance, yet the Navy has been deferring maintenance and lengthening deployments in order to accomplish the same mission with only 10 carriers.7
Conversely, some argue that the United States must engage in a drastic naval build-up. President Trump’s current proposal includes an increase in the number of carriers to 12 and of the total ships to 350.8 Such a force, he maintains, is necessary for the United States to be able to meet any rising security threats across the globe and to continue to ensure the freedom of the seas. Rear Admiral Thomas Moore stated that the Navy is “an 11 carrier Navy in a 15 carrier world.”9 While aircraft carriers, as outlined previously, are rightfully integral to America’s vision for its navy, there is a danger in building such an expansively large force.
The first is the danger of spreading resources too thin and exacerbating current budgetary instability. The Ford-class aircraft carries costs upwards of $10 billion per ship, while the Virginia-class attack submarine and littoral combat ships have price tags of $3 billion and $500 million respectively.10 The Defense Department must already compete for funding and such a large increase in the naval force would result in even greater budget deficits or cuts to domestic spending, neither of which are tenable in the long-term. These unpopular solutions may reduce political support for the continuance of such a large force in the future and the additional maintenance of non-vital vessels will prevent investment in technologies that will ultimately allow the United States to counter measures such as anti-access, area denial.11
Second, growing the fleet more than necessary to maintain America’s ability to field three carriers and project power across the world would be seen by near-peers as a sign of aggression, likely to cause an escalation of tensions. While maintenance of naval capability may be seen as the United States holding ground and taking a primarily defensive posture in relation to its role in world affairs, a large build-up of naval forces will be depicted as aggressive because it would enable the United States to, in their view, become more involved in world affairs.12 Naval forces are difficult to classify as either offensive or defensive in nature because of their mobility and the differing nature of naval warfare regarding territorial possession, but an increase beyond the current strategy of three deployed carriers would exacerbate tensions because of the perception that the United States was seeking to further tip the balance of power in its favor, rather than maintain its current advantage.13 Much like those who would maintain or shrink the force, proponents of such a large growth ignore the reality that an engagement would have a “limited aim” which would not be the total defeat of opposing forces, but to maintain the balance of power for America and, for our enemies, to encourage a retreat of American forces.14 We should therefor prepare our forces to be able to dominate in this “trial of strength” with our competitors so that they conclude challenging the status quo the United States maintains is too costly for them.15
Riley Jones is a junior at Indiana University from Marion, Indiana. He is studying Political Science and Anthropology with a minor in German. After graduation, he hopes to serve his nation as a United States Marine Corps Officer.
Donnelly, Thomas. “You Say You Want a Revolution?” American Enterprise Institute, March 15, 2017. https://www.aei.org/publication/you-say-you-want-a-revolution/.
Easterbrook, Gregg., “Our Navy is Big Enough,” New York Times, March 9, 2015, https://www.nytimes.com/2015/03/09/opinion/our-navy-is-big-enough.html?_r=0.
Friedberg, Aaron L., Ross, Robert S., “Here Be Dragons: Is China a Military Threat?” The National Interest, 103. September/October 2009.
Kraig, Michael R., “Military Planning for East Asia: A Clausewitzian Approach,” Strategic Studies Quarterly, Spring 2017.
Larter, David B., “Donald Trump wants to start the biggest Navy build-up in decades,” Navy Times, November 15, 2016, https://www.navytimes.com/articles/donald-trumps-navy-bigger-fleet-more-sailors-350-ships.
Levy, Jack S., “The Offensive/Defensive Balance of Military Technology,” in Conflict After the Cold War. ed. Richard K. Betts (Columbia University, Pearson Press. 2012). p. 444
McGrath, Bryan., Eaglen, Mackenzie., “America’s Navy needs 12 carriers and 3 hubs,” American Enterprise Institute, March 11, 2014, https://www.aei.org/publication/americas-navy-needs-12-carriers-and-3-hubs/.
Shear, Michael D., “Touring Warship, Trump Pushes Plan to Expand Military,” New York Times, March 2, 2017, https://www.nytimes.com/2017/03/02/us/politics/trump-navy-warship-military-spending.html.
1. David B. Larter, “Donald Trump wants to start the biggest Navy build-up in decades,” Navy Times, November 15, 2016, https://www.navytimes.com/articles/donald-trumps-navy-bigger-fleet-more-sailors-350-ships.
2. Gregg Easterbrook, “Our Navy is Big Enough,” New York Times, March 9, 2015, https://www.nytimes.com/2015/03/09/opinion/our-navy-is-big-enough.html?_r=0.
3. Gregg Easterbrook, “Our Navy is Big Enough,” New York Times, March 9, 2015, https://www.nytimes.com/2015/03/09/opinion/our-navy-is-big-enough.html?_r=0.
4. Michael R. Kraig, “Military Planning for East Asia: A Clausewitzian Approach,” Strategic Studies Quarterly, Spring 2017. p. 102.
5. Aaron L. Friedberg, Robert S. Ross, “Here Be Dragons: Is China a Military Threat?” The National Interest, 103. September/October 2009. p. 22
6. Ibid. p. 23
7. Bryan McGrath, Mackenzie Eaglen, “America’s Navy needs 12 carriers and 3 hubs,” American Enterprise Institute, March 11, 2014, https://www.aei.org/publication/americas-navy-needs-12-carriers-and-3-hubs/.
8. Michael D. Shear, “Touring Warship, Trump Pushes Plan to Expand Military,” New York Times, March 2, 2017, https://www.nytimes.com/2017/03/02/us/politics/trump-navy-warship-military-spending.html.
9. David B. Larter, “Donald Trump wants to start the biggest Navy build-up in decades,” Navy Times, November 15, 2016, https://www.navytimes.com/articles/donald-trumps-navy-bigger-fleet-more-sailors-350-ships.
11. Thomas Donnelly. “You Say You Want a Revolution?” American Enterprise Institute, March 15, 2017. https://www.aei.org/publication/you-say-you-want-a-revolution/.
12. Jack S. Levy, “The Offensive/Defensive Balance of Military Technology,” in Conflict After the Cold War. ed. Richard K. Betts (Columbia University, Pearson Press. 2012). p. 444
13. Ibid., 446
14. Michael R. Kraig, “Military Planning for East Asia: A Clausewitzian Approach,” Strategic Studies Quarterly, Spring 2017. p. 102
15. Ibid. 120
Featured Image: ARABIAN GULF: Sailors on the flight deck of the aircraft carrier USS Dwight D. Eisenhower (CVN 69) (Ike) participate in the Out of the Darkness Community Walk to increase awareness for suicide prevention. (U.S. Navy photo by Mass Communication Specialist 3rd Class Casey J. Hopkins)
The Leader’s Bookshelf by Admiral James Stavridis and R. Manning Ancell. U.S. Naval Institute Press. 288pp. $29.95.
“Reading has the power not only to demolish time and span the ages, but also the capacity to make one feel more human — human meaning at one with humanity — and possibly less savage.”
– JAMES SALTER
“After owning books, almost the next best thing is talking about them.”
– CHARLES NODIER
Some years ago I met Admiral Jim Stavridis. The conversation, while short, turned to books. If I recall, it was in Stuttgart, Germany, sometime around 2010 or 2011. Because he was the Supreme Allied Commander Europe and the U.S. European Commander (EUCOM), he had to divide his time between two locations: his NATO headquarters located near Mons, Belgium and his EUCOM headquarters in Stuttgart, Germany. At the time, I worked in the intelligence directorate at EUCOM when we heard he was coming by to meet the staff.
It was a gray, overcast afternoon when he arrived. He promptly made his way down a long line of officers and enlisted, each of them posed to shake his hand and say a few words. I had only a few seconds to make a connection—to say something interesting or ask him a question. But this I knew: I loved books; he loved books; and while standing there, I thought of something he wrote that might prove that I, like him, believed that books are essential to our profession, if not our lives.
Months prior, he had written one of his regular blog posts. In it, he said that his wife noticed that his love of books and his growing library had evolved into a “gentle madness.” That phrase—a “gentle madness”—refers to a wonderful book by author Nicholas Basbanes. Basbanes’ book—A Gentle Madness: Bibliophiles, Bibliomanes, and the Eternal Passion for Books— is a long, discursive work: one part discussion of historic book culture in America and Britain, the other full of profiles of quirky and dedicated book lovers and collectors.
When the admiral finally reached me, I mentioned the blog post and the book. His eyes lit up and he said something about few people knowing the reference. He then told me he owned 4,000 books. Surprised, I said something about wanting a library that large. He then simply said, “You’ll get there.” The conviction in his voice floored me. I believed him. And he was right. I’m getting there (the featured image of this post is a picture of my library; today I have around 2,000 titles, give or take).
Fast forward a few years and, no surprise, the admiral’s library has grown. Stavridis, in the introduction to the entertaining The Leader’s Bookshelf, says that he has in his “house today… more than four thousand books.” His wife, Laura, “has spent far too much of her life packing and unpacking them in postings all around the world.”
Stavridis and his co-author, R. Manning Ancell, have written a book that is somewhat similar to Richard Puryear’s fine book—now unfortunately out of print—American Admiralship: The Moral Imperatives of Command. Puryear interviewed 150 four star admirals on a variety of topics. One of those topics was the importance of reading. And like Puryear, Stavridis and Ancell take a similar path. In The Leader’s Bookshelf, they interviewed 200 four-star generals and flag officers, and from those discussions, they determined the 50 books that “stood out most…with top military readers.”
Using no particular scientific method, they rank ordered the books in descending order by the number of mentions. Thus, the first book on the list, Michael Shaara’s The Killer Angels (1974), was mentioned most often. While the last on the list, How: Why HOW We Do Anything Means Everythingby Dov Seidman, was mentioned least frequently.
For each title, there is a short essay by a senior officer as to why they choose the book, followed by a quote from the book, a biography of the author, then a summary of the book by either Stavridis or Ancell, concluding with a few sentences about why the book is important for leaders today.
For folks that regularly follow the reading lists that are published by the Chief of Naval Operations or the other services, there are, unfortunately, few surprises. The regularly cited titles appear: Anton Myer’s Once an Eagle, Sun Tzu’s The Art of War, Clausewitz’s On War, John Keegan’s The Face of Battle, E.B. Potter’s Nimitz, and the always popular Steven Pressfield with his Gates of Fire. They all made the cut.
While there is nothing wrong with the oldies but goodies, it was refreshing to see some unusual—or rather, some outliers—find a place in the top 50. Mark Twain’s A Connecticut Yankee in King Arthur’sCourt makes a showing as does Norman Mclean’s A River Runs Through It. In fact, General Stan McChrystal is the senior officer that recommended Twain’s satirical novel about a man from the 19th century, Hank Morgan, traveling back in time to King Arthur’s court.
The Leader’s Bookshelf, I confess, would be ho-hum if not for the additional essays that Stavridis and Ancell add to the book. It is these essays on publishing, reading lists, and building a personal library, that raise this book from mediocrity to must have. And here, Robert Ancell pulls his weight, adding a nice cherry on top with an interview with General Mattis.
Mattis beats Stavridis in the book department. With some 7,000 titles on his shelves, he probably is the best read military leader—retired or active—out there. In the interview, Mattis mentions books that apply to each level of war. Of note, he recommends Lucas Phillips’ book The Greatest Raid of All. A book about a British raid that shattered the Nazi’s dry docks at Saint-Nazaire, France during World War II, preventing the Germans from using the docks for large battleships for the duration of the war. The raid resulted in no less than five Victoria Crosses. I had never heard of the book nor the raid. It is these little-known reading recommendations that make books like this exciting. You simply do not know what you might find.
Ironically, the only criticism—or rather, observation—I have about the book is that senior officers still do not carve out enough time to read. And this in a book in which one of the early essays is about “Making Time for Reading.”
In one essay, a senior officer admits that while working in the Joint Staff that he only read one book in a year. One book! While another, in her recommendation, wrote only two sentences to praise the work—and even then those two sentences were footnoted. Sigh.
Nonetheless, The Leader’s Bookshelf will appeal to all types: The newbie looking for a good book to read and the bibliomaniac who may have read all 49 on the list and owns each first edition, but unaware, or didn’t realize there was just one more interesting title out there.
But alas, there always is.
Lieutenant Commander Christopher Nelson, USN, is an intelligence officer stationed at the U.S. Pacific Fleet Headquarters in Pearl Harbor, Hawaii. The views here are his own.
Featured Image: A picture of the author’s personal library. Courtesy of Christopher Nelson.
Anyone who has followed the development of the Air-Sea Battle Concept (ASBC) turned Joint Access for Maneuver in the Global Commons (JAMGC) and the closely associated term, A2/AD, knows this amalgamation of terminologies, ideas, and concepts has generated a significant amount of confusion and discontent across the defense establishment. On October 3, while participating in a Maritime Security Dialogue at the Center for Strategic and International Studies, Chief of Naval Operations, Admiral John Richardson continued this trend when he voiced his displeasure with the term A2/AD. “To some, A2/AD is a code-word, suggesting an impenetrable ‘keep-out zone’ that forces can enter only at extreme peril to themselves. To others, A2/AD refers to a family of technologies. To still others, a strategy. In sum, A2/AD is a term bandied about freely, with no precise definition, that sends a variety of vague or conflicting signals, depending on the context in which it is either transmitted or received.”1 Admiral Richardson went on to say, “To ensure clarity in our thinking and precision in our communications, the Navy will avoid using the term A2/AD as a stand-alone acronym that can mean many things to different people or almost anything to anyone.”2 The author personally doesn’t agree with the decision to eliminate A2/AD from the Navy’s lexicon, and stated opposition in a CIMSEC debate post in November.
However, what was striking about CNO’s address were the four reasons he offered for banning A2/AD, three of those are particularly germane and will set the initial course for this column. In his remarks, Admiral Richardson stated the following:
“First, ‘A2AD’ is not a new phenomenon. The history of military contests is all about adversaries seeking to one-up each other by identifying their foes at longer ranges and attacking them with ever more destructive weapons. As technologies change, tactics change to react to and leverage them. It is only relatively recently in our conversation about warfighting that we have discussed these trends as something new. But history has much to teach us about maintaining perspective on these developments and on charting the path forward to address them. Think Nelson at the Nile and at Copenhagen, Farragut at Mobile Bay, Nimitz, and Lockwood in the Pacific…this is nothing new. Indeed, controlling the seas and projecting power – even in contested areas – is why our nation invests in and relies upon a naval force in the first place.”
The second reason is that the term ‘denial,’ as in ‘anti-access/area denial’ is too often taken as a fait accompli, when it is, more accurately, an aspiration. Often, I get into A2AD discussions accompanied by maps with red arcs extending off the coastlines of countries like China or Iran. The images imply that any military force that enters the red area faces certain defeat – it’s a ‘no-go’ zone! But the reality is much more complex. Achieving a successful engagement requires completion of a complex chain of events, each link of which is vulnerable and can be interrupted. Those arcs represent danger, to be sure, and the Navy is going to be very thoughtful and well prepared as we address them, but the threats are not insurmountable.
Third and related, A2/AD is inherently oriented to the defense. It can contribute to a mindset that starts with how to operate from beyond the red arcs – an ‘outside-in’ approach. The reality is that we can fight from within these defended areas and if needed, we will. Inside-out, as well as outside-in, from above and from below – we will fight from every direction. The examples above show that this has been done before.”3
Admiral Richardson’s remarks are poignant and zero in on the complexities associated with this topic and are worthy of further analysis.
First, CNO recognizes that history has much to teach the Navy about the A2/AD conundrum. However, Admiral Richardson assumes that those studying contemporary A2/AD issues are well-grounded in history. Nelson, Farragut, Nimitz and Lockwood all had to contend with A2/AD problems, but these references are perhaps not the best ones. The study of history doesn’t always yield viable solutions to contemporary problems, especially when the wrong examples are pulled from history. Moreover, it seems likely that only consummate navalists would truly appreciate CNO’s references to Nelson, Farragut, and Admiral Lockwood. There are better examples in history that are relevant to the study of A2/AD and this column will bring those to light.
The sophistication and capabilities of A2/AD networks, at times, appear to intimidate those studying this topic, hence the fait accompli CNO mentioned. There is some legitimacy to this fait accompli mentality as the U.S. Navy hasn’t faced anything that looks likes these A2/AD networks since World War II. For instance, the Solomon Islands Campaign is a perfect example of the complexities CNO refers to in his second and third points. The Imperial Japanese Navy (IJN) employed a wide array of capabilities against the U.S. Navy, and at times, were very effective at restricting or reducing the Navy’s freedom of maneuver and access. In fact, within the first 24 hours of landing on Guadalcanal, the Navy faced IJN fighter aircraft, bombers, and ships, all of which were superior in some way to the aircraft and ships the USN brought to the fight. The U.S. Navy suffered one of its worst defeats at sea, where four cruisers were lost, one Australian and three U.S., in the early morning hours following the landing. In the end, the U.S. Navy would take Guadalcanal after six months of heavy fighting and use the island as a base of operations for counterattacks on the IJN. Well within the range of the IJN’s ships and aircraft, the counterattacks staged from Guadalcanal offer several examples of how to conduct a successful campaign from within the defensive arcs of an adversary.
In the articles that follow in this column, these complexities will be explored as well the means developed to counter them. For the most part, the column will focus on historical cases that are relevant to the points raised by CNO. The column will also examine emerging issues and occasionally look towards the future. While there is no clear-cut solution to countering the proliferation of A2/AD capabilities, there is no shortage of historical examples that will be examined which are connected to this topic.
Bob Poling is a retired Surface Warfare Officer who spent 24 years on active duty including tours in cruisers, destroyers, and as commanding officer of Maritime Expeditionary Security Squadron TWO and Mission Commander of Southern Partnership Station 2013. From May 2011 to May 2015 Bob served on the faculty of the Air War College teaching in the Departments of Strategy and Warfighting. He was the Naval History and Heritage Command 2014-2015 Samuel Eliot Morison scholar and is pursuing his Ph.D. with the Department of Defence Studies, King’s College London where he is researching Air-Sea Battle concepts used to combat A2/AD challenges encountered during the Solomon Islands Campaign.
1. John Richardson, “Chief of Naval Operations Adm. John Richardson: Deconstructing A2AD,” Text, The National Interest, accessed December 23, 2016, http://nationalinterest.org/feature/chief-naval-operations-adm-john-richardson-deconstructing-17918.
3. Richardson, Deconstructing A2/AD.
Featured Image: MEDITERRANEAN SEA (June 28, 2016) – An E2-C Hawkeye assigned to the Screwtops of Airborne Early Warning Squadron (VAW) 123 undergoes pre-flight checks on the flight deck of the aircraft carrier USS Dwight D. Eisenhower (CVN 69) (Ike). (U.S. Navy photo by Mass Communication Specialist 3rd Class Bobby Baldock/Released)
The United States Navy is a vast, worldwide organization with unique missions and challenges, with information security (and information warfare at large) a key priority within the Chief of Naval Operations’ strategic design. With over 320,000 active duty personnel, 274 ships with over 20 percent of them deployed across the world at any one time, the Navy’s ability to securely communicate across the globe to its forces is crucial to its mission. In this age of rapid technological growth and the ever expanding internet of things, information security is a primary consideration in the minds of senior leadership of every global organization. The Navy is no different, and success or failure impacts far more than a stock price.
Indeed, an entire sub-community of professional officers and enlisted personnel are dedicated to this domain of information warfare. The great warrior-philosopher Sun Tzu said “one who knows the enemy and knows himself will not be endangered in a hundred engagements.” The Navy must understand the enemy, but also understand its own limitations and vulnerabilities, and develop suitable strategies to combat them. Thankfully, strategy and policy are core competencies of military leadership, and although information warfare may be replete with new technology, it conceptually remains warfare and thus can be understood, adapted, and exploited by the military mind.
This paper presents a high-level, unclassified overview of threats and vulnerabilities surrounding the U.S. Navy’s network systems and operations in cyberspace. Several threats are identified to include nation states, non-state actors, and insider threats. Additionally, vulnerabilities are presented such as outdated network infrastructure, unique networking challenges present aboard ships at sea, and inadequate operating practices. Technical security measures that the Navy uses to thwart these threats and mitigate these vulnerabilities are also presented. Current U.S. Navy information security policies are analyzed, and a potential security strategy is presented that better protects the fleet from the before-mentioned cyber threats, mitigates vulnerabilities, and aligns with current federal government mandates.
Navy Network Threats and Vulnerabilities
There are several cyber threats that the Navy continues to face when conducting information operations in cyberspace. Attacks against DoD networks are relentless, with 30 million known malicious intrusions occurring on DoD networks over a ten-month period in 2015. Of principal importance to the U.S. intelligence apparatus are nation states that conduct espionage against U.S. interests. In cyberspace, the Navy contests with rival nations such as Russia, China, Iran, and North Korea, and all are developing their own information warfare capabilities and information dominance strategies. These nations, still in various stages of competency in the information warfare domain, continue to show interest in exploiting the Navy’s networks to conduct espionage operations, either by stealing information and technical data on fleet operations or preventing the Navy from taking advantage of information capabilities.
Non-state actors also threaten naval networks. Organized activist groups known collectively as “hacktivists,” with no centralized command and control structure and dubious, fickle motivations, present a threat to naval cyberspace operations if their goals are properly aligned. In 2012, Navy officials discovered hacktivists from the group “Team Digi7al” had infiltrated the Navy’s Smart Web Move website, extracting personal data from almost 220,000 service members, and has been accused of more than two dozen additional attacks on government systems from 2012 to 2013. The hactivist group boasted of their exploits over social media, citing political reasons but also indicated they did it for recreation as well. Individual hackers, criminal organizations, and terrorist groups are also non-state threat actors, seeking to probe naval networks for vulnerabilities that can be exploited to their own ends. All of these threats, state or non-state actors, follow what the Department of Defense (DoD) calls the “cyber kill chain,” depicted in figure 1. Once objectives are defined, the attacker follows the general framework from discovery to probing, penetrating then escalating user privileges, expanding their attack, persisting through defenses, finally executing their exploit to achieve their objective.
One of the Navy’s most closely-watched threat sources is the insider threat. Liang and Biros, researchers at Oklahoma State University, define this threat as “an insider’s action that puts an organization or its resources at risk.” This is a broad definition but adequately captures the scope, as an insider could be either malicious (unlikely but possible, with recent examples) or unintentional (more likely and often overlooked).
The previously-mentioned Team Digi7al hactivist group’s leader was discovered to be a U.S. Navy enlisted Sailor, Petty Officer Nicholas Knight, a system administrator within the reactor department aboard USS HARRY S TRUMAN (CVN 75). Knight used his inside knowledge of Navy and government systems to his group’s benefit, and was apprehended in 2013 by the Navy Criminal Investigative Service and later sentenced to 24 months in prison and a dishonorable discharge from Naval service.
Presidential Executive Order 13587, signed in 2011 to improve federal classified network security, further defines an insider threat as “a person with authorized access who uses that access to harm national security.” Malevolence aside, the insider threat is particularly perilous because these actors, by virtue of their position within the organization, have already bypassed many of the technical controls and cyber defenses that are designed to defeat external threats. These insiders can cause irreparable harm to national security and the Navy’s interests in cyberspace. This has been demonstrated by the Walker-Whitworth espionage case in the 1980s, Private Manning in the latter 2000s, or the very recent Edward Snowden/NSA disclosure incidents.
The Navy’s vulnerabilities, both inherent to its nature and as a result of its technological advances, are likewise troubling. In his 2016 strategic design, Chief of Naval Operations Admiral John M. Richardson stated that “the forces at play in the maritime system, the force of the information system, and the force of technology entering the environment – and the interplay between them have profound implications for the United States Navy.” Without going into classified details or technical errata, the Navy’s efforts to secure its networks are continuously hampered by a number of factors which allow these threats a broad attack surface from which to choose.
As the previous Chief of Naval Operations (CNO), Admiral Jon Greenert describes in 2012, Navy platforms depend on networked systems for command and control: “Practically all major systems on ships, aircraft, submarines, and unmanned vehicles are ‘networked’ to some degree.” The continual reliance on position, navigation, and timing (PNT) systems, such as the spoofing and jamming-vulnerable Global Positioning System (GPS) satellite constellation for navigation and precision weapons, is likewise a technical vulnerability. An internet search on this subject reveals multiple scholarly and journalist works on these vulnerabilities, and more than a few describe how to exploit them for very little financial investment, making them potentially cheap attack vectors.
Even the Navy’s vast size and scope of its networks present a vulnerability to its interests in cyberspace. As of 2006, the Navy and Marine Corps Intranet (NMCI), a Government Owned-Contractor Operated (GOCO) network that connects Navy and Marine Corps CONUS shore commands under a centralized architecture, is “the world’s largest, most secure private network serving more than 500,000 sailors and marines globally.” That number has likely grown in the 10 years since that statistic was published, and even though the name has been changed to the Navy’s Next Generation Network (NGEN), it is still the same large beast it was before, and remains one of the single largest network architectures operating worldwide. Such a network provides an enticing target.
Technical Security Measures and Controls
The Navy employs the full litany of technical cybersecurity controls across the naval network enterprise, afloat and ashore. Technical controls include host level protection through the use of McAfee’s Host Based Security System (HBSS), designed specifically for the Navy to provide technical controls at the host (workstation and server) level. Network controls include network firewalls, intrusion detection and prevention systems (IDS/IPS), security information and event management, continuous monitoring, boundary protection, and defense-in-depth functional implementation architecture. Anti-virus protection is enabled on all host systems through McAfee Anti-Virus, built into HBSS, and Symantec Anti-Virus for servers. Additionally, the Navy employs a robust vulnerability scanning and remediation program, requiring all Navy units to conduct a “scan-patch-scan” rhythm on a monthly basis, although many units conduct these scans weekly.
The Navy’s engineering organization for developing and implementing cybersecurity technical controls to combat the cyber kill chain in figure 1 is the Space and Naval Warfare Systems Command (SPAWAR), currently led by Rear Admiral David Lewis, and earlier this year SPAWAR released eight technical standards that define how the Navy will implement technical solutions such as firewalls, demilitarized zones (DMZs), and vulnerability scanners. RADM Lewis noted that 38 standards will eventually be developed by 2018, containing almost 1,000 different technical controls that must be implemented across the enterprise.
Of significance in this new technical control scheme is that no single control has priority over the others. All defensive measures work in tandem to defeat the adversary’s cyber kill chain, preventing them from moving “to the right” without the Navy’s ability to detect, localize, contain, and counter-attack. RADM Lewis notes that “the key is defining interfaces between systems and collections of systems called enclaves,” while also using “open architecture” systems moving forward to ensure all components speak the same language and can communicate throughout the enterprise.
The importance of open systems architecture (OSA) as a way to build a defendable network the size of the Navy’s cannot be understated. The DoD and the Navy, in particular, have mandated use of open systems specifications since 1994; systems that “employ modular design, use widely supported and consensus-based standards for their key interfaces, and have been subjected to successful validation and verification tests to ensure the openness of their key interfaces.” By using OSA as a means to build networked systems, the Navy can layer defensive capabilities on top of them and integrate existing cybersecurity controls more seamlessly. Proprietary systems, by comparison, lack such flexibility thereby making integration into existing architecture more difficult.
Technical controls for combating the insider threat become more difficult, often revolving around identity management software and access control measures. Liang and Biros note two organizational factors to influencing insider threats: security policy and organizational culture. Employment of the policy must be clearly and easily understood by the workforce, and the policy must be enforced (more importantly, the workforce must fully understand through example that the policies are enforced). Organizational culture centers around the acceptance of the policy throughout the workforce, management’s support of the policy, and security awareness by all personnel. Liang and Biros also note that access control and monitoring are two must-have technical security controls, and as previously discussed, the Navy clearly has both yet the insider threat remains a primary concern. Clearly, more must be done at the organizational level to combat this threat, rather than just technical implementation of access controls and activity monitoring systems.
Information Security Policy Needed to Address Threats and Vulnerabilities
The U.S. Navy has had an information security policy in place for many years, and the latest revision is outlined in Secretary of the Navy Instruction (SECNAVINST) 5510.36, signed June 2006. This instruction is severely out of date and does not keep pace with current technology or best practices; Apple released the first iPhone in 2007, kicking off the smart phone phenomenon that would reach the hands of 68% of all U.S. adults as of 2015, with 45% also owning tablets. Moreover, the policy has a number of inconsistencies and fallacies that can be avoided, such as a requirement that each individual Navy unit establish its own information security policy, which creates unnecessary administrative burden on commands that may not have the time nor expertise to do so. Additionally, the policy includes a number of outdated security controls under older programs such as the DoD Information Assurance Certification and Accreditation Process (DIACAP), which has since transitioned to the National Institute for Standards and Technology (NIST) Risk Management Framework (RMF).
Beginning in 2012, the DoD began transitioning away from DIACAP towards the NIST RMF, making full use of NIST Special Publications (SPs) for policy development and implementation of security controls. The NIST RMF as it applies to DoD, and thus the Navy, is illustrated in figure 2. The process involves using NIST standards (identified in various SPs) to first categorize systems, select appropriate security controls, implement the controls, assess their effectiveness, authorize systems to operate, then monitor their use for process improvement.
This policy is appropriate for military systems, and the Navy in particular, as it allows for a number of advantages for policymakers, warfighters, system owners, and developers alike. It standardizes cybersecurity language and controls across the federal government for DoD and Navy policymakers, and increases rapid implementation of security solutions to accommodate the fluidity of warfighting needs. Additionally, it drives more consistent standards and optimized workflow for risk management which benefits system developers and those responsible for implementation, such as SPAWAR.
Efforts are already underway to implement these policy measures in the Navy, spearheaded by SPAWAR as the Navy’s information technology engineering authority. The Navy also launched a new policy initiative to ensure its afloat units are being fitted with appropriate security controls, known as “CYBERSAFE.” This program will ensure the implementation of NIST security controls will be safe for use aboard ships, and will overall “focus on ship safety, ship combat systems, networked combat and logistics systems” similar to the Navy’s acclaimed SUBSAFE program for submarine systems but with some notable IT-specific differences. CYBERSAFE will categorize systems into three levels of protection, each requiring a different level of cybersecurity controls commensurate with how critical the system is to the Navy’s combat or maritime safety systems, with Grade A (mission critical) requiring the most tightly-controlled component acquisition plan and continuous evaluation throughout the systems’ service life.
Implementation of the NIST RMF and associated security policies is the right choice for the Navy, but it must accelerate its implementation to combat the ever-evolving threat. While the process is already well underway, at great cost and effort to system commands like SPAWAR, these controls cannot be delayed. Implementing the RMF across the Navy enterprise will reduce risk, increase security controls, and put its implementation in the right technical hands rather than a haphazard implementation of an outdated security policy that has, thus far, proven inadequate to meet the threats and reduce vulnerabilities inherent with operating such a large networked enterprise. With the adoption of these new NIST policies also comes a new strategy for combating foes in cyberspace, and the Navy has answered that in a few key strategy publications outlined in the next section.
Potential Security Strategy for Combating Threats and Minimizing Vulnerabilities
It is important to note that the Navy, like the other armed services of the DoD, was “originally founded to project U.S. interests into non-governed common spaces, and both have established organizations to deal with cybersecurity.” The Navy’s cyber policy and strategy arm is U.S. Fleet Cyber Command (FLTCYBERCOM, or FCC), co-located with the DoD’s unified cyber commander, U.S. Cyber Command (USCYBERCOM, or USCC). Additionally, its operational cyber arm, responsible for offensive and defensive operations in cyberspace, is U.S. 10th Fleet (C10F), which is also co-located with U.S. Fleet Cyber and shares the same commander, currently Vice Admiral Michael Gilday.
Prior to VADM Gilday’s assumption of command as FCC/C10F, a strategy document was published by the Chief of Naval Operations in 2013 known as Navy Cyber Power 2020, which outlines the Navy’s new strategy for cyberspace operations and combating the threats and vulnerabilities it faces in the information age. The strategic overview is illustrated in figure 3, and attempts to align Navy systems and cybersecurity efforts with four main focus areas: integrated operations, optimized cyber workforce, technology innovation, and acquisition reform. In short, the Navy intends to integrate its offensive and defensive operations with other agencies and federal departments to create a unity of effort (evident by its location at Ft. Meade, MD, along with the National Security Agency and USCC), better recruit and train its cyber workforce, rapidly provide new technological solutions to the fleet, and reform the acquisition process to be more streamlined for information technology and allow faster development of security systems.
Alexander Vacca, in his recent published research into military culture as it applies to cybersecurity, noted that the Navy is heavily influenced by sea combat strategies theorized by Alfred Thayer Mahan, one of the great naval strategists of the 19th century. Indeed, the Navy continually turns to Mahan throughout an officer’s career from the junior midshipman at the Naval Academy to the senior officer at the Naval War College. Vacca noted that the Navy prefers Mahan’s “decisive battle” strategic approach, preferring to project power and dominance rather than pursue a passive, defensive strategy. This potentially indicates the Navy’s preference to adopt a strategy “designed to defeat enemy cyber operations” and that “the U.S. Navy will pay more attention to the defeat of specified threats” in cyberspace rather than embracing cyber deterrence wholesale. Former Secretary of the Navy Ray Mabus described the offensive preference for the Navy’s cyberspace operations in early 2015, stating that the Navy was increasing its cyber effects elements in war games and exercises, and developing alternative methods of operating during denial-of-service situations. It is clear, then, that the Navy’s strategy for dealing with its own vulnerabilities is to train to operate without its advanced networked capabilities, should the enemy deny its use. Continuity of operations (COOP) is a major component in any cybersecurity strategy, but for a military operation, COOP becomes essential to remaining flexible in the chaos of warfare.
A recent article describing a recent training conference between top industry cybersecurity experts and DoD officials was critical of the military’s cybersecurity training programs. Chief amongst these criticisms was that the DoD’s training plan and existing policies are too rigid and inflexible to operate in cyberspace, stating that “cyber is all about breaking the rules… if you try to break cyber defense into a series of check-box requirements, you will fail.” The strategic challenge moving forward for the Navy and the DoD as a whole is how to make military cybersecurity policy (historically inflexible and absolute) and training methods more like special forces units: highly trained, specialized, lethal, shadowy, and with greater autonomy within their specialization.
Current training methods within the U.S. Cyber Command’s “Cyber Mission Force” are evolving rapidly, with construction of high-tech cyber warfare training facilities already underway. While not yet nearly as rigorous as special forces-like training (and certainly not focused on the physical fitness aspect of it), the training strategy is clearly moving in a direction that will develop a highly-specialized joint information warfare workforce. Naegele’s article concludes with a resounding thought: “The heart of cyber warfare…is offensive operations. These are essential military skills…which need to be developed and nurtured in order to ensure a sound cyber defense.“
This paper outlined several threats against the U.S. Navy’s networked enterprise, to include nation state cyber-rivals like China, Russia, Iran, and North Korea, and non-state actors such as hactivists, individual hackers, terrorists, and criminal organizations. The insider threat is of particular concern due to this threat’s ability to circumvent established security measures, and requires organizational and cultural influences to counter it, as well as technical access controls and monitoring. Additionally, the Navy has inherent vulnerabilities in the PNT technology used in navigation and weapon systems throughout the fleet, as well as the vast scope of the ashore network known as NMCI, or NGEN.
The Navy implements a litany of cybersecurity technical controls to counter these threats, including firewalls, DMZs, and vulnerability scanning. One of the Navy’s primary anti-access and detection controls is host-based security through McAfee’s HBSS suite, anti-virus scanning, and use of open systems architecture to create additions to its network infrastructure. The Navy, and DoD as a whole, is adopting the NIST Risk Management Framework as its information security policy model, implementing almost 1000 controls adopted from NIST Special Publication 800-53, and employing the RMF process across the entire enterprise. The Navy’s four-pronged strategy for combating threats in cyberspace and reducing its vulnerability footprint involves partnering with other agencies and organizations, revamping its training programs, bringing new technological solutions to the fleet, and reforming its acquisition process. However, great challenges remain in evolving its training regimen and military culture to enable an agile and cyber-lethal warfighter to meet the growing threats.
In the end, the Navy and the entire U.S. military apparatus is designed for warfare and offensive operations. In this way, the military has a tactical advantage over many of its adversaries, as the U.S. military is the best trained and resourced force the world has ever known. General Carl von Clausewitz, in his great anthology on warfare, stated as much in chapter 3 of book 5 of On War (1984), describing relative strength through admission that “the principle of bringing the maximum possible strength to the decisive engagement must therefore rank higher than it did in the past.” The Navy must continue to exploit this strength, using its resources smartly by enacting smart risk management policies, a flexible strategy for combating cyber threats while reducing vulnerabilities, and training its workforce to be the best in the world.
Lieutenant Howard is an information warfare officer/information professional assigned to the staff of the Chief of Naval Operations in Washington D.C. He was previously the Director of Information Systems and Chief Information Security Officer on a WASP-class amphibious assault ship in San Diego.
Dr. da Cruz is a Professor of International Relations and Comparative Politics at Armstrong State University, Savannah, Georgia and Adjunct Research Professor at the U.S. Army War College, Carlisle, Pennsylvania.
The views expressed here are solely those of the authors and do not necessarily reflect those of the Department of the Navy, Department of the Army, Department of Defense or the United States Government.
Featured Image: At sea aboard USS San Jacinto (CG 56) Mar. 5, 2003 — Fire Controlman Joshua L. Tillman along with three other Fire Controlmen, man the shipÕs launch control watch station in the Combat Information Center (CIC) aboard the guided missile cruiser during a Tomahawk Land Attack Missile (TLAM) training exercise. (RELEASED)