All posts by Travis Howard

I am an active duty Navy Information Professional Officer. I hold advanced degrees and certifications in cybersecurity policy and business administration, and have over 18 years of enlisted and commissioned experience in surface and information warfare, information systems, and cybersecurity. Find me on LinkedIn: www.linkedin.com/in/cyberswo

Navy Culture Must Be Adapted to Fit the Information Age

By Lieutenant Commander Travis D. Howard, USN

A recent independent review of the Navy’s cybersecurity posture, completed in March 2019, was predictably harsh on our Navy’s current culture, people, structure, processes, and resourcing to address cybersecurity.1 For many of us within the Information Warfare discipline, much of this report does not come as a shock, but it does lay bare the cultural, structural, and procedural problems that the Navy has been struggling with since the turn of the century.

The 76th Secretary of the Navy, Richard V. Spencer, should be applauded for enabling open and honest dialogue on the key issues of this report by releasing it for public comment and professional discourse. The review found that the Navy was not “optimally focused, organized, [nor] resourced” for cyberwar.2 Such transparency has been the hallmark of the naval service for centuries, and is largely the reason why robust professional forums such as the United States Naval Institute (USNI) and the Center for International Maritime Security (CIMSEC) continue to thrive.

The report was particularly critical of the Navy’s culture, stating that the Navy is “preparing to win some future kinetic battle, while it is losing the current global, counter-force, counter-value, cyberwar.”3 The report goes on to recommend that the highest levels of Navy leadership adjust the service’s cultural landscape to become more information-centric, rather than platform-centric. This excerpt is particularly vexing:

“Navies must become information enterprises who happen to operate on, over, under, and from the sea; a vast difference from a 355 ship mindset.”4

In truth, the Navy that acts as an information enterprise and the Navy that pursues the tenets of traditional naval warfare as laid out by naval doctrine are not mutually exclusive. Our drive toward a bigger, better, and more ready Navy, aligned to the National Defense Strategy, requires a naval culture ready for high-end conflict but active and engaged in all levels of conflict below lethal combat. The adoption of information enterprise core principles certainly has a place in our doctrine; in fact, it’s already there but lacks proper execution and widespread cultural adoption as a core competency across all warfare communities. Navy culture can be adapted to better fit the information age, but it will take the entire Navy to do it and not just a single community of effort.

Information is Already in our Doctrine, but Prioritization Must Improve

The 31st Chief of Naval Operations (CNO), Admiral John Richardson, released a Design for Maintaining Maritime Superiority shortly after assuming his role, and recently released an update (Design 2.0) to complement the 2018 National Defense Strategy. The CNO put information warfare at the center of his strategic thinking, and challenged the Navy’s operational and resourcing arms to “adapt to this reality and respond with urgency.”5 But this change in the security environment wasn’t new to this CNO; in fact, it was foreseen decades ago by thinkers like CAPT (ret.) Wayne P. Hughes, a venerated naval tactician and professor emeritus at the Graduate School of Operations and Information Sciences of the Naval Postgraduate School. Early versions of Hughes’ Fleet Tactics and Coastal Combat, required reading in graduate-level naval officer training, placed information, rapid adoption of technology, and intelligence at the forefront of effective maritime operations in the modern age.6

If we’ve valued information in warfighting all along, then why are we failing to adapt our naval culture to the Information Age? The Cybersecurity Readiness Review cuts straight to the point: “… cybersecurity continues to be seen largely as an ‘IT issue’ or ‘someone else’s problem.’”7 In our haste to stand up a community of practice to do all the cyber things, we, as a Navy, failed to make the necessary cultural changes that should have accompanied it.

Why hasn’t the growth of the Information Warfare Community focused the Navy’s culture appropriately? After all, creating such specialized warfare communities has always worked well in the past, as any aviator can attest to. Truthfully, the problem is bigger than just one community; the subsequent decades saw the rise of global information technology as central to nearly everything we do, and every Sailor now uses the network as a primary on-the-job resource. The loss of email, web browsing, and support systems that handle tasks from personnel to logistics can and does result in work stoppage; any assertions to the contrary, that workarounds or manual methods still exist, do not accept the reality of the situation.

Cultural change is long overdue, and just like a Marine or Soldier learns how to handle their weapon safely and effectively from day one, we must now train and mentor our Sailors to use the network in the same vein. No more can we flippantly say “we have people for that” when faced with information management and cybersecurity problems, putting effort into modernizing complex systems and enhancing Information Warfare’s lethality, while ignoring the power a single negligent user could wield to bring it all down. It’s all hands on deck now, or the Navy faces the very real possibility of fumbling the opening stages of the next kinetic fight.

Security is Already an Inherent Part of Navy Culture

The good news is that information security is already an intrinsic part of being a member of the armed forces, uniformed or civil service. Security clearances, safe handling procedures for classified information, and cryptography practices like two-person integrity have been trained into the workforce for decades. Protecting information is as much a part of our culture as operating weapons systems or driving warships.

The Navy’s training machine should find ways to leverage this existing culture of compliance to incorporate dynamic and repetitive ways to reach all Sailors at all stages of development – from boot camp to C school, from initial officer training to graduate school, focused on making each Sailor a harder target for information exploitation. Each engagement should be tailored to fit the environment and to complement subject matter: initial user training should teach how to report spear-phishing, practice OPSEC on social media (and how to spot adversarial attempts to collect against them), and recognize unusual activity on a network workstation. A more senior Sailor in C-school might learn how to look at cybersecurity from a supervisory perspective, managing a work center and a group of network assets, and how to spot and report insider threats both malicious and negligent. An officer in a naval graduate program, such as at NPS or the Naval War College, would take advanced threat briefings on adversarial activity targeting rank-and-file users on the network, and how to incorporate such threat information into wargaming to inform the strategic and operational levels of war.

Some of these actions are already in the works, but the emphasis should be on how to engage Sailors in multi-faceted, multi-media ways, and repetition is critical. Seeing the same concept in different ways, in different case studies, reinforces better behavior. The Navy is no stranger to this training method: we are masters at repetitive drills to train crews to accomplish complex actions in combat. Reinforcement of this behavior cannot come fast enough. Incidents attributed to negligent network users are on the rise, and cost organizations millions of dollars a year.8 The Navy is no exception: category-4 incidents (improper usage) are too common.

Ultimately, the objective should be a Sailor who understands cyber hygiene and proper use of the network as a primary on-the-job tool, just as well as any Soldier or Marine knows his or her rifle. Sailors go to sea aboard complex warships with integrated networked systems that run everything from Hull, Mechanical, and Electrical (HM&E) systems to combat systems and weapons employment. The computer is our rifle; why shouldn’t we learn how to use it more safely and effectively?

Keys to Success

Cultural change is hard, but lessons learned from our past, best practices from the private sector, and good old fashioned invasive leadership (the kind the Navy does very well) can adjust the ship’s rudder and speed before we find ourselves much further in shoal water.

Top level leadership must set the conditions for success, but they have to believe in it themselves. Our Sailors can easily tell when a leader doesn’t fully commit to action, paying lip service but nothing beyond it. They are also hungry to follow a leader who has a passion for what they do. To effect change, passionate leaders need to take center stage with the authority and resources necessary to translate change into action at the deckplate level. When a Sailor sees a top-level message about a desired change, then sees that change actually happening in their workspace, it becomes real for them. Let’s also trust them to understand the threats, rather than keeping the “scary” threat briefs at the senior levels.

Successes must be celebrated, but failures must have real consequences. It’s time to get serious about stopping insider threats, specifically negligent insiders. Too often the conversation about insider threats goes to the criminal and malicious insiders, ignoring the most common root of user-based attack vectors. Our Sailors must be better informed through regular threat briefings, training on how to spot abnormal activity on the network, and clear, standardized reporting procedures when faced with phishing and other types of user-targeted attacks. Those who report suspicious activity resulting in corrective action should be rewarded. Likewise, those who blatantly ignore established cyber hygiene practices and procedures must face real consequences on a scale similar to cryptographic incidents or unattended secure spaces. This will be painful, but necessary to set our user culture right.

Effective training begets cultural change. We must take advantage of new and innovative training methods to enrich our schoolhouses with multimedia experiences that will reshape the force and resonate with our new generation of Sailors. The annual Cybersecurity Challenge should be retired (its effectiveness has been questionable at best) and replaced with the same level of rigor that we used to attack no-fail topics like sexual assault prevention. With the stand-up of a Director of Warfighting Development (N7), and the lines of effort within the CNO’s Design 2.0 rife with high-velocity learning concepts, the near-future landscape to make this sea change looks promising.9

Conclusion

The Navy has spent the better part of 30 years struggling to adopt an information-centric mindset, and the good news is that operational forces have come a long way in embracing the importance of information in warfare, and how it permeates all other warfare areas. Yet our culture still has a long way to go to break the now dangerously misguided notion that information management and cybersecurity are something that “we have people for” and doesn’t concern every non-IW Sailor. The IW Community has come a long way and can do a lot to further the Navy’s lethality in space, cyberspace, and the electromagnetic spectrum, but it can’t fix an entire Navy’s cultural resistance to change without strong assistance.

Secretary Spencer, in his letter introducing the public release of the 2019 Cybersecurity Readiness Review, noted that “the report highlights the value of data and the need to modify our business and data hygiene processes in order to protect data as a resource.”10 He highlighted that cross-functional groups were already underway to address the findings in the report, and surely the machinations of the Navy Headquarters are more than capable of making the necessary changes to the Navy’s “policy, processes, and resources needed to enhance cyber defense and increase resiliency.”11 But culture, that’s all of us, and we must be biased toward change and improvement. We are the generation of naval professionals who must adapt to this reality and respond with urgency.

Lieutenant Commander Howard is an Information Warfare Officer, information professional, assigned to the staff of the Chief of Naval Operations in Washington DC. A prior enlisted IT and Surface Warfare Officer, his last operational assignment was as the Combat Systems Information Officer aboard USS ESSEX (LHD 2) in San Diego, CA.

References

[1] The Hon. Michael J. Bayer, Mr. John M. B. O’Connor, Mr. Ronald S. Moultrie, Mr. William H. Swanson. Secretary of the Navy Cybersecurity Readiness Review (CSRR), March 2019. https://www.navy.mil/strategic/CyberSecurityReview.pdf

[2] Ibid

[3] Ibid

[4] Ibid

[5] Chief of Naval Operations, December 2018. Design for Maintaining Maritime Superiority, Version 2.0. https://www.navy.mil/navydata/people/cno/Richardson/Resource/Design_2.0.pdf. p. 3

[6] Wayne P. Hughes, 2000. Fleet Tactics and Coastal Combat. Annapolis, MD: Naval Institute Press.

[7] Bayer, et al., CSRR 2019, p. 12

[8] Security Magazine, Apr 24, 2019. “What’s the Average Cost of an Insider Threat?” https://www.businesswire.com/news/home/20180424005342/en/Research-Ponemon-Institute-ObserveITReveals-Insider-Threat

[9] CNO, Design 2.0, p. 13

[10] Secretary of the Navy, 12 Mar 2019. Letter accompanying public release of the CSRR 2019. https://www.navy.mil/strategic/SECNAVCybersecurityLetter.pdf.

[11] Ibid.

Featured Image: U.S. 7TH FLEET AREA OF OPERATIONS (Oct. 16, 2015) Operations Specialist 1st Class Keith Tatum, from Americus, Georgia, stands watch in the Combat Information Center (CIC) aboard the guided-missile cruiser USS Normandy (CG 60) during an air-defense exercise as a part of the joint exercise Malabar 2015. Malabar is a continuing series of complex, high-end warfighting exercises conducted to advance multi-national maritime relationships and mutual security. Normandy is deployed to the U.S. 7th Fleet area of operations as part of a worldwide deployment. (U.S. Navy photo by Mass Communication Specialist 3rd Class Justin R. DiNiro/Released)

Hyper-Converged Networks and Artificial Intelligence: Fighting at Machine Speed

By Travis Howard

Lieutenant Stacey Alto sits in the Joint Intelligence Center aboard the Wasp-class Amphibious Assault ship USS ESSEX (LHD 2). As the Force Intelligence Watch Officer (FIWO), her job is to absorb relevant information related to current and future operations of the Essex Amphibious Ready Group, as well as the general intelligence within the operating theater. Her zero-client, virtual desktop environment (VDE) 6-panel display at her watch station allows her a single-pane-of-glass into Unclassified, Secret, Top Secret, and Coalition enclaves through the Consolidated Afloat Networking and Enterprise Services (CANES) network.

One of her watch standers, an Intelligence Specialist Second Class, approaches her desk with new information from the Joint Operations Center (JOC), the nerve center of ARG operations, announcing new orders from the fleet commander to enter the Gulf of Oman, which represents a shift in operating theater from their current position in the Arabian Sea.

Stacey goes to work immediately, enlisting the help of two Intelligence Specialists and one of the Information Systems Technicians standing watch in the Ship’s Signal Exploitation Space (SSES). She queries the onboard widget carousel on her CANES SECRET terminal. Using a combination of mouse, keyboard, and touchscreen, she pulls together several ready-made widgets and snaps them into place, each taking advantage of a pool of “big data” information stored on the ship’s carry-on Distributed Common Ground System-Navy (DCGS-N) and off-ship sources from the intelligence cloud. Her development work gets passed to the next watch team, as they set the application’s variables for data parsing, consolidating inputs, and terrain mapping to put together a relevant, real-time intelligence picture.

By the time Stacey returns to her watch station almost 24 hours later, the IT personnel in SSES have put the new application through the automated cybersecurity testing process and have released it to the onboard “app store,” which Stacey can now install on her virtualized, thin-client desktop within seconds. She calls the JOC, the Marine Landing Force Operations Center (LFOC), and the ship’s Combat Information Center (CIC) announcing the system’s readiness with separate logins at the appropriate classification level for each watch station. By the time ESSEX enters the Gulf of Oman, the application has mapped adversarial positions and capabilities, pulled from several disparate databases afloat and ashore, all at varying levels of classification necessary for operational planning throughout the ship.

Building a More Maneuverable Network Afloat

The above scenario is almost a reality, representing several emergent advances in network technology and application portability (the “mobility” factor) that the Navy will soon capitalize on: a hardware and network-layer software architecture known as hyper converged infrastructure (HCI). The performance and cost efficiencies realized by this architecture will pave the way for disruptive changes to how we maneuver the network across the entire spectrum of operations: as a business system, as a decision support system, and as a warfighting platform.

Hyper-convergence is the integration of several hardware devices through a hypervisor, which acts as an intermediary and resource broker between software and hardware. Independent IT components are no longer siloed but combined, simplifying the entire infrastructure and improving speed and agility of the virtual network.1 The advantages of HCI seem obvious, but the real disruptive effect is how we can build upon it. The opening scenario describes on-demand application development at the tactical edge. This is achievable through HCI efficiency and another emerging network process known as Agile Core Services (ACS), a joint software development initiative being built into several programs throughout the Navy and Air Force, and one that CANES (as the afloat and maritime operations center network provider) is leveraging.

Hyper-Convergence in Network Hardware combines storage and processing power into a single appliance for simplified management and faster deployment, and could even lower acquisition costs (Helixstorm.com)

ACS allows applications to use a common mix of services at the platform level, reducing cost and time of development but also forcing all applications to “speak the same language.” All that is needed to make on-demand, tactical application delivery a reality is a framework for plug-ins that takes advantage of big data we already have aboard ships and available at both the operational and tactical levels of war.

Previous articles in the United States Naval Institute’s magazine Proceedings have argued for thin-client solutions aboard warships,2 leveraging the CANES network program to ultimately achieve network efficiency that can remove “fat clients” (standard computer desktops) from the architecture to be replaced by thin or zero-clients (user workstation nodes with virtualized desktops and no onboard storage or input devices beyond keyboard and mouse). Removing clients from the equation eases the burden on shipboard technicians, consolidates the information security posture, and overall presents a more efficient network management picture through smart automation that makes better use of available manpower. HCI is the architecture solution that will eventually enable a full-scale, afloat, thin-client solution.

Hyperconverged.org, a website dedicated to promoting the advantages of HCI,3 lists ten compelling advantages that HCI brings to any IT infrastructure, including:

  • Focus on software-defined data centers to allow faster software modernization and more agile vulnerability patching
  • Use of commercial off the shelf (COTS) commodity hardware that provides failure avoidance without the additional costs
  • Centralized systems and management
  • Enhanced agility in network management, automation, virtualization of operating systems, and shared resources across a common resource manager (such as a hypervisor)
  • Improved scalability and efficiency
  • Potentially lower costs (caveat: in the commercial sector this may be truer than in the government sector, but smart contract competitions and vendor choices can drive down costs for the government as well)
  • Consolidated data protection through improved backup and recovery options, more efficient resource utilization, and faster network management tools

The advantages of HCI are numerous, and represent the true next step in IT architecture that will enable future software capabilities. How can we, as warfighters, take advantage of this emerging technology? It cannot be overstated that our current processes for procuring and delivering software-based services and capabilities must be revamped to keep pace with industry and take advantage of the speed and agility that HCI brings.

Faster, More Efficient Application Development is the Next Step

In our current hardware development methodology, programs of record within the Department of Defense (DoD) have little difficulty determining a clear modernization path that fits within the cost, schedule, and performance constraints outlined by the DoD acquisition framework. However, software development is an entirely different story, and is no longer agile enough to suit our needs. If we can iterate hardware infrastructure at near the speed of industry, then software and application development becomes the pacing function that we must address before we can realize the opening scenario of this essay.

The key term when discussing the speed of system development is agility, defined by the Massachusetts Institute of Technology (MIT) as “the speed of operations within an organization and speed in responding to customers…or reduced cycle times.”4 The federal government, DoD in particular, has been struggling with acquisition reform for some time, and with the signing of the National Defense Authorization Act in fiscal year 2010, Congress placed renewed emphasis on the need to transform the acquisition process for information technology. Several programmatic changes to acquisition helped (such as the approval of the “IT Box” programmatic framework in the joint requirements process), but the agility of software development and modernization remains challenged. Ensuring proper testing and evaluation (T&E) methodology, bureaucratic approval processes to ensure affordability, joint interoperability testing, and lengthy proof-in testing are just some of the processes facing software applications prior to gaining approval for full-rate production and fielding to the warfighter.

Matthew Kennedy and Lieutenant Colonel Dan Ward (U.S. Air Force), in a 2012 article for Defense Acquisition University, argued for agility in system development by discussing flaws in the current “agile software development” model.5 Developed in the early 2000s, this model is not as agile as the name would imply, and still defines requirements to be developed in advance, which doesn’t leave room for innovation or rapid, iterative changes to keep pace with the speed of industry. Exciting initiatives are being fielded in the commercial sector, such as cloud-based development and learning models, and mobility technology that many of the services would use to great effect. Innovative prototyping of disruptive technology at the service or component level of DoD, such as the now-disbanded Chief of Naval Operations’ Rapid Innovation Cell (CRIC), proved that there are operational advantages to emerging tech such as wearable mobile devices, if only we could “turn a tighter circle” within our acquisition framework and work with agility to field newer and better versions to the force.

Thankfully, we don’t have to reinvent the wheel when implementing a more agile software development framework; we must take lessons from industry and apply them to the unique needs of each of the DoD components. This may be easier said than done, but Kennedy and Ward, and indeed likely many other acquisition professionals and scholars, would agree that it is entirely possible if leadership demanded it, and the policies, procedures, and resourcing followed suit to support it. Kennedy and Ward offered a common set of software and business aspect practices to support agile practices that would allow a predictable, faster software refresh cycle (not just patches, but cumulative updates) to ensure software remains agile and relevant to the warfighter. Using small teams for incremental development, lean initiatives to shorten timelines, and continuous user involvement with co-located teams are just some of the practices offered.6

Improving our software development and modernization framework to be even more agile than it is now is necessary considering the recent industry shift to software-as-a-service and cloud-based business models. No longer will software versions be deliberate releases, but rather iterative updates such as Microsoft’s “current branch for business” (CBB) model. With this model, Microsoft envisions that Windows 10 could be the last “version” of Windows to be released, which will then be built upon in future “service pack-like” updates every 12-18 months. Organizations that do not update their operating systems to the latest CBB will be left behind with unsupported versions. Not only does such a change demand a rapid speed-to-force update solution for DoD, but it represents a disruptive process change that will ultimately allow us to reach the opening scenario’s on-demand tactical application process, leveraging big data in a way that units at the tactical edge have never done before – and in a way that may never have been imagined by the system’s original developers.

Hyper-convergence infrastructure, together with agility-based application development and modernization, represents a near-term possibility that will enable true innovation at the tactical level of war and put the power of information superiority into the hands of the warfighter. While re-developing the acquisition framework to achieve this may be difficult, it is entirely possible and, many would say, necessary if DoD is to keep pace with emerging threats, take advantage of emerging technology and innovation, and ultimately retain its status as the best equipped and trained force the world has ever known.

Artificial Intelligence: The Next AEGIS Combat System

Now let’s imagine another scenario. USS LYNDON B. JOHNSON (DDG 1002), last of the Zumwalt-class destroyer line and used primarily to test emergent technology prototypes in real-world scenarios, slips silently through the South China Sea in the dead of night. She is the first ship in the U.S. Navy to possess Nelson, a recursively-improving artificial intelligence (RIAI). Utilizing an HCI supercomputer core, Nelson acts as an integrator for the various shipboard combat systems in a similar concept to today’s AEGIS Combat System, except much faster and with machine-speed environmental adaption.

American relations with China have broken down, resulting in a shooting war in the South China Sea that threatens to spill into the Pacific proper, and eventually reach Hawaii. In an effort to change the dynamic, DDG-1002 forward deploys in stealth to collect intelligence on enemy force disposition and, if the opportunity presents itself, offer a first-strike capability to the U.S. Pacific Command. JOHNSON is spotted by a surface action group of three Chinese destroyers, who take immediate action by firing a salvo of anti-ship cruise missiles followed by surface gunnery fire once in range.

At the voice command of the Tactical Action Officer, Nelson goes to work, taking control of the ship’s self-defense system and prioritizing targets in a similar fashion to Aegis, only much faster, while constantly providing voice feedback on system readiness, target status, and battle damage assessments through the internal battle circuit, essentially acting as a member of the CIC team. Nelson’s adaptability as an AI allows it to evolve its tactical recommendations based on the environment and the sensory input from the ship’s 3D and 2D radars, intelligence feeds, and even the voice reports over the battle circuit. Compiling the tactical picture on a large display in CIC, Nelson simultaneously responds to threats against the ship while providing a fused battle management display to the Captain and Tactical Action Officer. The RIAI does much to lift the fog of war, and automates enough of the ship’s defensive and information-gathering functions to allow the humans to focus on tactically employing the ship to stop the threat rather than reacting to it.

While hyper-convergence, coupled with agile and rapidly-developed software innovation, is the emerging technology, recursively-improving artificial intelligence is the ultimate disruptive technology in the near to medium-term and represents the giant leap forward that many research and development efforts are striving towards. AI has often been relegated to the work of science fiction, and while many futurists see it as the inevitable “singularity” to happen as soon as the mid-21st century, it has not quite gained acceptance in the mainstream technical community. What must be focused on from a warfighter’s perspective is the near-term (within the next 30-50 years) prospects of advances in quantum computing, neural networks, robotics, nanotechnology, and hyper-convergence. These advances could put us on a path towards artificial intelligence within the lifetime of generations currently serving or about to serve in the armed forces.

The debate over whether recursively self-improving artificial intelligence is possible continues,5 with some theorists stating that such an AI cannot be achieved because intelligence could be “upper bounded” in a way that transcends processor speed, available memory, and sensor resolution improvements. Others suggest that intelligence “is the ability to find patterns in data”7 and that, regardless of the more fringe theories surrounding AI, transhumanism, and the ontological discussions of the singularity, “a sub-human level system capable of self-improvement can’t be excluded.”8 It is the sub-human AI, capable of adapting to changing data patterns, that makes a combat system AI an exciting near-future prospect.

Conclusion

This article presented two hypothetical scenarios. In the near-term, a Navy watchstander takes advantage of a hyper-converged infrastructure network environment onboard a U.S. Navy warship to rapidly develop a tactical application to take advantage of disparate databases and cloud data resources, ultimately producing a battle management aid for the ship’s next mission. This scenario took advantage of two emerging technological concepts: hyper-convergence in hardware infrastructure, a reality some major defense acquisition programs such as the Navy’s CANES have already resourced and are on track to field in the coming years, and agile software development in defense acquisition, which is a conceptual framework that must be developed to ensure more rapid and innovative software capabilities are delivered to the force.

The funding for these technological advances must remain stable to deliver HCI to our operating forces as a hardware baseline for future development, and policy makers must continue to find efficiencies in IT acquisition that lead to agile software development to really take advantage of the efficiencies HCI brings. Additionally, DoD IT leaders must think critically and dynamically about how future software updates will be tested and fielded rapidly; our current lengthy testing and evaluation cycle is no longer compatible with the speed of industry’s vulnerability patching, a fluid content upgrade schedule, or the pace of adversarial threats.

The second scenario describes a near-future incorporation of recursively-improving artificial intelligence within a combat system, which builds upon hyper-converged hardware and recursively improving software to deliver a warfighting platform that can defend itself more rapidly and learn from its tactical situation. The simple fact is that technology is changing at a pace no one dared dream as recently as 20 years ago, and if we don’t build it, our adversaries will. A recent (2016) article in Reuters, also reported in other media outlets, showcases the People’s Republic of China’s (PRC) desire to build AI-integrated weapons,9 citing Wang Changqing of China Aerospace and Industry Corp as saying “our future cruise missiles will have a very high level of artificial intelligence and automation.” DoD must adapt its processes to keep pace and remain the world’s leader in incorporating emerging and disruptive technology into its warfighting systems.

Travis Howard is an active duty U.S. Naval Officer assigned to the staff of the Chief of Naval Operations in Washington D.C. He holds advanced degrees and certifications in cybersecurity policy and business administration, and has over 16 years of enlisted and commissioned experience in surface warfare and Navy information systems. The views expressed here are solely those of the author and do not necessarily reflect those of the Department of the Navy, Department of Defense, or the United States Government.

References

1. Scott Morris. “Putting The ‘Hyper’ Into Convergence.” NetworkWorld Asia 12.2 (2015): 44. 28 Jan 2017.

2. Travis Howard, LT, USN. “’The Next Generation’ of Afloat Networking.” Proceedings Magazine, Mar 2015, Vol. 141/3/1,345

3. Hyperconverged.org. “Ten Things Hyperconverged Can Do For You: Leveraging the Benefits of Hyperconverged Infrastructure.” Retrieved Feb 2 2017, http://www.hyperconverged.org/10-things-hyperconvergence-can-do/

4. Matthew Kennedy & Lt Col Dan Ward. “Inserting Agility In System Development.” Defense Acquisition Research Journal: A Publication Of The Defense Acquisition University 19.3 (2012): 249-264. 4 Feb 2017.

5. Ibid

6. Ibid

7. Roman Yampolskiy. “From Seed AI to Technological Singularity via Recursively Self-Improving Software.” Cornell University Library. arXiv:1502.06512 [cs.AI]. 23 Feb 2015.

8. Ibid

9. Ben Blanchard. “China eyes artificial intelligence for new cruise missiles.” Reuters, World News. 19 Aug 2016, http://www.reuters.com/article/us-china-defence-missiles-idUSKCN10U0EM

Featured Image: Electronic Warfare Specialist 2nd Class Sarah Lanoo from South Bend, Ind., operates a Naval Tactical Data System (NTDS) console in the Combat Direction Center (CDC) aboard the USS Abraham Lincoln as it conducts combat operations in support of Operation Southern Watch. (U.S. Navy photo by Photographer’s Mate 3rd Class Patricia Totemeier)

A Cyber Vulnerability Assessment of the U.S. Navy in the 21st Century

By Travis Howard and José de Arimatéia da Cruz

Introduction

The United States Navy is a vast, worldwide organization with unique missions and challenges, with information security (and information warfare at large) a key priority within the Chief of Naval Operations’ strategic design. With over 320,000 active duty personnel, 274 ships with over 20 percent of them deployed across the world at any one time, the Navy’s ability to securely communicate across the globe to its forces is crucial to its mission. In this age of rapid technological growth and the ever expanding internet of things, information security is a primary consideration in the minds of senior leadership of every global organization. The Navy is no different, and success or failure impacts far more than a stock price.

Indeed, an entire sub-community of professional officers and enlisted personnel is dedicated to this domain of information warfare. The great warrior-philosopher Sun Tzu said “one who knows the enemy and knows himself will not be endangered in a hundred engagements.” The Navy must understand the enemy, but also understand its own limitations and vulnerabilities, and develop suitable strategies to combat them. Thankfully, strategy and policy are core competencies of military leadership, and although information warfare may be replete with new technology, it conceptually remains warfare and thus can be understood, adapted, and exploited by the military mind.

This paper presents a high-level, unclassified overview of threats and vulnerabilities surrounding the U.S. Navy’s network systems and operations in cyberspace. Several threats are identified, including nation states, non-state actors, and insider threats. Additionally, vulnerabilities are presented such as outdated network infrastructure, unique networking challenges present aboard ships at sea, and inadequate operating practices. Technical security measures that the Navy uses to thwart these threats and mitigate these vulnerabilities are also presented. Current U.S. Navy information security policies are analyzed, and a potential security strategy is presented that better protects the fleet from the aforementioned cyber threats, mitigates vulnerabilities, and aligns with current federal government mandates.

Navy Network Threats and Vulnerabilities

There are several cyber threats that the Navy continues to face when conducting information operations in cyberspace. Attacks against DoD networks are relentless, with 30 million known malicious intrusions occurring on DoD networks over a ten-month period in 2015. Of principal importance to the U.S. intelligence apparatus are nation states that conduct espionage against U.S. interests. In cyberspace, the Navy contests with rival nations such as Russia, China, Iran, and North Korea, and all are developing their own information warfare capabilities and information dominance strategies. These nations, still in various stages of competency in the information warfare domain, continue to show interest in exploiting the Navy’s networks to conduct espionage operations, either by stealing information and technical data on fleet operations or preventing the Navy from taking advantage of information capabilities.

Non-state actors also threaten naval networks. Organized activist groups known collectively as “hacktivists,” with no centralized command and control structure and dubious, fickle motivations, present a threat to naval cyberspace operations if their goals are properly aligned. In 2012, Navy officials discovered that hacktivists from the group “Team Digi7al” had infiltrated the Navy’s Smart Web Move website, extracting personal data from almost 220,000 service members; the group has been accused of more than two dozen additional attacks on government systems from 2012 to 2013. The hacktivist group boasted of its exploits over social media, citing political reasons but also indicating that its members did it for recreation. Individual hackers, criminal organizations, and terrorist groups are also non-state threat actors, seeking to probe naval networks for vulnerabilities that can be exploited to their own ends. All of these threats, state or non-state actors, follow what the Department of Defense (DoD) calls the “cyber kill chain,” depicted in figure 1. Once objectives are defined, the attacker follows the general framework from discovery to probing, penetrating then escalating user privileges, expanding their attack, persisting through defenses, and finally executing their exploit to achieve their objective.

Figure 1. Navy depiction of the “cyber kill chain”

One of the Navy’s most closely-watched threat sources is the insider threat. Liang and Biros, researchers at Oklahoma State University, define this threat as “an insider’s action that puts an organization or its resources at risk.” This is a broad definition but adequately captures the scope, as an insider could be either malicious (unlikely but possible, with recent examples) or unintentional (more likely and often overlooked).

The previously-mentioned Team Digi7al hacktivist group’s leader was discovered to be a U.S. Navy enlisted Sailor, Petty Officer Nicholas Knight, a system administrator within the reactor department aboard USS HARRY S TRUMAN (CVN 75). Knight used his inside knowledge of Navy and government systems to his group’s benefit, and was apprehended in 2013 by the Navy Criminal Investigative Service and later sentenced to 24 months in prison and a dishonorable discharge from Naval service.

Presidential Executive Order 13587, signed in 2011 to improve federal classified network security, further defines an insider threat as “a person with authorized access who uses that access to harm national security.” Malevolence aside, the insider threat is particularly perilous because these actors, by virtue of their position within the organization, have already bypassed many of the technical controls and cyber defenses that are designed to defeat external threats. These insiders can cause irreparable harm to national security and the Navy’s interests in cyberspace. This has been demonstrated by the Walker-Whitworth espionage case in the 1980s, Private Manning in the latter 2000s, and the very recent Edward Snowden/NSA disclosure incidents.

The Navy’s vulnerabilities, both inherent to its nature and as a result of its technological advances, are likewise troubling. In his 2016 strategic design, Chief of Naval Operations Admiral John M. Richardson stated that “the forces at play in the maritime system, the force of the information system, and the force of technology entering the environment – and the interplay between them have profound implications for the United States Navy.” Without going into classified details or technical errata, the Navy’s efforts to secure its networks are continuously hampered by a number of factors which allow these threats a broad attack surface from which to choose.

As the previous Chief of Naval Operations (CNO), Admiral Jon Greenert, described in 2012, Navy platforms depend on networked systems for command and control: “Practically all major systems on ships, aircraft, submarines, and unmanned vehicles are ‘networked’ to some degree.” The continual reliance on position, navigation, and timing (PNT) systems, such as the spoofing and jamming-vulnerable Global Positioning System (GPS) satellite constellation for navigation and precision weapons, is likewise a technical vulnerability. An internet search on this subject reveals multiple scholarly and journalistic works on these vulnerabilities, and more than a few describe how to exploit them for very little financial investment, making them potentially cheap attack vectors.

Even the Navy’s vast size and scope of its networks present a vulnerability to its interests in cyberspace. As of 2006, the Navy and Marine Corps Intranet (NMCI), a Government Owned-Contractor Operated (GOCO) network that connects Navy and Marine Corps CONUS shore commands under a centralized architecture, is “the world’s largest, most secure private network serving more than 500,000 sailors and marines globally.” That number has likely grown in the 10 years since that statistic was published, and even though the name has been changed to the Navy’s Next Generation Network (NGEN), it is still the same large beast it was before, and remains one of the single largest network architectures operating worldwide. Such a network provides an enticing target.

Technical Security Measures and Controls

The Navy employs the full litany of technical cybersecurity controls across the naval network enterprise, afloat and ashore. Technical controls include host level protection through the use of McAfee’s Host Based Security System (HBSS), designed specifically for the Navy to provide technical controls at the host (workstation and server) level. Network controls include network firewalls, intrusion detection and prevention systems (IDS/IPS), security information and event management, continuous monitoring, boundary protection, and defense-in-depth functional implementation architecture. Anti-virus protection is enabled on all host systems through McAfee Anti-Virus, built into HBSS, and Symantec Anti-Virus for servers. Additionally, the Navy employs a robust vulnerability scanning and remediation program, requiring all Navy units to conduct a “scan-patch-scan” rhythm on a monthly basis, although many units conduct these scans weekly.

The Navy’s engineering organization for developing and implementing cybersecurity technical controls to combat the cyber kill chain in figure 1 is the Space and Naval Warfare Systems Command (SPAWAR), currently led by Rear Admiral David Lewis. Earlier this year, SPAWAR released eight technical standards that define how the Navy will implement technical solutions such as firewalls, demilitarized zones (DMZs), and vulnerability scanners. RADM Lewis noted that 38 standards will eventually be developed by 2018, containing almost 1,000 different technical controls that must be implemented across the enterprise.

Of significance in this new technical control scheme is that no single control has priority over the others. All defensive measures work in tandem to defeat the adversary’s cyber kill chain, preventing them from moving “to the right” without the Navy’s ability to detect, localize, contain, and counter-attack. RADM Lewis notes that “the key is defining interfaces between systems and collections of systems called enclaves,” while also using “open architecture” systems moving forward to ensure all components speak the same language and can communicate throughout the enterprise.

The importance of open systems architecture (OSA) as a way to build a defendable network the size of the Navy’s cannot be overstated. The DoD and the Navy, in particular, have mandated use of open systems specifications since 1994; systems that “employ modular design, use widely supported and consensus-based standards for their key interfaces, and have been subjected to successful validation and verification tests to ensure the openness of their key interfaces.” By using OSA as a means to build networked systems, the Navy can layer defensive capabilities on top of them and integrate existing cybersecurity controls more seamlessly. Proprietary systems, by comparison, lack such flexibility, thereby making integration into existing architecture more difficult.

Technical controls for combating the insider threat become more difficult, often revolving around identity management software and access control measures. Liang and Biros note two organizational factors influencing insider threats: security policy and organizational culture. Employment of the policy must be clearly and easily understood by the workforce, and the policy must be enforced (more importantly, the workforce must fully understand through example that the policies are enforced). Organizational culture centers around the acceptance of the policy throughout the workforce, management’s support of the policy, and security awareness by all personnel. Liang and Biros also note that access control and monitoring are two must-have technical security controls, and as previously discussed, the Navy clearly has both, yet the insider threat remains a primary concern. Clearly, more must be done at the organizational level to combat this threat, rather than just technical implementation of access controls and activity monitoring systems.

Information Security Policy Needed to Address Threats and Vulnerabilities

The U.S. Navy has had an information security policy in place for many years, and the latest revision is outlined in Secretary of the Navy Instruction (SECNAVINST) 5510.36, signed June 2006. This instruction is severely out of date and does not keep pace with current technology or best practices; Apple released the first iPhone in 2007, kicking off the smart phone phenomenon that would reach the hands of 68% of all U.S. adults as of 2015, with 45% also owning tablets. Moreover, the policy has a number of inconsistencies and fallacies that can be avoided, such as a requirement that each individual Navy unit establish its own information security policy, which creates unnecessary administrative burden on commands that may have neither the time nor the expertise to do so. Additionally, the policy includes a number of outdated security controls under older programs such as the DoD Information Assurance Certification and Accreditation Process (DIACAP), which has since transitioned to the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF).

Beginning in 2012, the DoD began transitioning away from DIACAP towards the NIST RMF, making full use of NIST Special Publications (SPs) for policy development and implementation of security controls. The NIST RMF as it applies to DoD, and thus the Navy, is illustrated in figure 2. The process involves using NIST standards (identified in various SPs) to first categorize systems, select appropriate security controls, implement the controls, assess their effectiveness, authorize systems to operate, then monitor their use for process improvement.

Figure 2. NIST Risk Management Framework

This policy is appropriate for military systems, and the Navy in particular, as it allows for a number of advantages for policymakers, warfighters, system owners, and developers alike. It standardizes cybersecurity language and controls across the federal government for DoD and Navy policymakers, and increases rapid implementation of security solutions to accommodate the fluidity of warfighting needs. Additionally, it drives more consistent standards and optimized workflow for risk management which benefits system developers and those responsible for implementation, such as SPAWAR.

Efforts are already underway to implement these policy measures in the Navy, spearheaded by SPAWAR as the Navy’s information technology engineering authority. The Navy also launched a new policy initiative to ensure its afloat units are being fitted with appropriate security controls, known as “CYBERSAFE.” This program will ensure the implementation of NIST security controls will be safe for use aboard ships, and will overall “focus on ship safety, ship combat systems, networked combat and logistics systems” similar to the Navy’s acclaimed SUBSAFE program for submarine systems but with some notable IT-specific differences. CYBERSAFE will categorize systems into three levels of protection, each requiring a different level of cybersecurity controls commensurate with how critical the system is to the Navy’s combat or maritime safety systems, with Grade A (mission critical) requiring the most tightly-controlled component acquisition plan and continuous evaluation throughout the systems’ service life.

Implementation of the NIST RMF and associated security policies is the right choice for the Navy, but it must accelerate its implementation to combat the ever-evolving threat. While the process is already well underway, at great cost and effort to system commands like SPAWAR, these controls cannot be delayed. Implementing the RMF across the Navy enterprise will reduce risk, increase security controls, and put its implementation in the right technical hands rather than a haphazard implementation of an outdated security policy that has, thus far, proven inadequate to meet the threats and reduce vulnerabilities inherent with operating such a large networked enterprise. With the adoption of these new NIST policies also comes a new strategy for combating foes in cyberspace, and the Navy has answered that in a few key strategy publications outlined in the next section.

Potential Security Strategy for Combating Threats and Minimizing Vulnerabilities

It is important to note that the Navy, like the other armed services of the DoD, was “originally founded to project U.S. interests into non-governed common spaces, and both have established organizations to deal with cybersecurity.” The Navy’s cyber policy and strategy arm is U.S. Fleet Cyber Command (FLTCYBERCOM, or FCC), co-located with the DoD’s unified cyber commander, U.S. Cyber Command (USCYBERCOM, or USCC). Additionally, its operational cyber arm, responsible for offensive and defensive operations in cyberspace, is U.S. 10th Fleet (C10F), which is also co-located with U.S. Fleet Cyber and shares the same commander, currently Vice Admiral Michael Gilday.

Prior to VADM Gilday’s assumption of command as FCC/C10F, a strategy document was published by the Chief of Naval Operations in 2013 known as Navy Cyber Power 2020, which outlines the Navy’s new strategy for cyberspace operations and combating the threats and vulnerabilities it faces in the information age. The strategic overview is illustrated in figure 3, and attempts to align Navy systems and cybersecurity efforts with four main focus areas: integrated operations, optimized cyber workforce, technology innovation, and acquisition reform. In short, the Navy intends to integrate its offensive and defensive operations with other agencies and federal departments to create a unity of effort (evident by its location at Ft. Meade, MD, along with the National Security Agency and USCC), better recruit and train its cyber workforce, rapidly provide new technological solutions to the fleet, and reform the acquisition process to be more streamlined for information technology and allow faster development of security systems.

Figure 3. Threats and Motivations, Strategic Focus of Navy Cybersecurity 

Alexander Vacca, in his recent published research into military culture as it applies to cybersecurity, noted that the Navy is heavily influenced by sea combat strategies theorized by Alfred Thayer Mahan, one of the great naval strategists of the 19th century. Indeed, the Navy continually turns to Mahan throughout an officer’s career from the junior midshipman at the Naval Academy to the senior officer at the Naval War College. Vacca noted that the Navy prefers Mahan’s “decisive battle” strategic approach, preferring to project power and dominance rather than pursue a passive, defensive strategy. This potentially indicates the Navy’s preference to adopt a strategy “designed to defeat enemy cyber operations” and that “the U.S. Navy will pay more attention to the defeat of specified threats” in cyberspace rather than embracing cyber deterrence wholesale. Former Secretary of the Navy Ray Mabus described the offensive preference for the Navy’s cyberspace operations in early 2015, stating that the Navy was increasing its cyber effects elements in war games and exercises, and developing alternative methods of operating during denial-of-service situations. It is clear, then, that the Navy’s strategy for dealing with its own vulnerabilities is to train to operate without its advanced networked capabilities, should the enemy deny its use. Continuity of operations (COOP) is a major component in any cybersecurity strategy, but for a military operation, COOP becomes essential to remaining flexible in the chaos of warfare.

A recent article describing a training conference between top industry cybersecurity experts and DoD officials was critical of the military’s cybersecurity training programs. Chief amongst these criticisms was that the DoD’s training plan and existing policies are too rigid and inflexible to operate in cyberspace, stating that “cyber is all about breaking the rules… if you try to break cyber defense into a series of check-box requirements, you will fail.” The strategic challenge moving forward for the Navy and the DoD as a whole is how to make military cybersecurity policy (historically inflexible and absolute) and training methods more like special forces units: highly trained, specialized, lethal, shadowy, and with greater autonomy within their specialization.

Current training methods within the U.S. Cyber Command’s “Cyber Mission Force” are evolving rapidly, with construction of high-tech cyber warfare training facilities already underway. While not yet nearly as rigorous as special forces-like training (and certainly not focused on the physical fitness aspect of it), the training strategy is clearly moving in a direction that will develop a highly-specialized joint information warfare workforce. Naegele’s article concludes with a resounding thought: “The heart of cyber warfare…is offensive operations. These are essential military skills…which need to be developed and nurtured in order to ensure a sound cyber defense.”

Conclusions

This paper outlined several threats against the U.S. Navy’s networked enterprise, including nation state cyber-rivals like China, Russia, Iran, and North Korea, and non-state actors such as hacktivists, individual hackers, terrorists, and criminal organizations. The insider threat is of particular concern due to this threat’s ability to circumvent established security measures, and requires organizational and cultural influences to counter it, as well as technical access controls and monitoring. Additionally, the Navy has inherent vulnerabilities in the PNT technology used in navigation and weapon systems throughout the fleet, as well as the vast scope of the ashore network known as NMCI, or NGEN.

The Navy implements a litany of cybersecurity technical controls to counter these threats, including firewalls, DMZs, and vulnerability scanning. One of the Navy’s primary anti-access and detection controls is host-based security through McAfee’s HBSS suite, anti-virus scanning, and use of open systems architecture to create additions to its network infrastructure. The Navy, and DoD as a whole, is adopting the NIST Risk Management Framework as its information security policy model, implementing almost 1000 controls adopted from NIST Special Publication 800-53, and employing the RMF process across the entire enterprise. The Navy’s four-pronged strategy for combating threats in cyberspace and reducing its vulnerability footprint involves partnering with other agencies and organizations, revamping its training programs, bringing new technological solutions to the fleet, and reforming its acquisition process. However, great challenges remain in evolving its training regimen and military culture to enable an agile and cyber-lethal warfighter to meet the growing threats.

In the end, the Navy and the entire U.S. military apparatus are designed for warfare and offensive operations. In this way, the military has a tactical advantage over many of its adversaries, as the U.S. military is the best trained and resourced force the world has ever known. General Carl von Clausewitz, in his great anthology on warfare, stated as much in chapter 3 of book 5 of On War (1984), describing relative strength through admission that “the principle of bringing the maximum possible strength to the decisive engagement must therefore rank higher than it did in the past.” The Navy must continue to exploit this strength, using its resources smartly by enacting smart risk management policies, a flexible strategy for combating cyber threats while reducing vulnerabilities, and training its workforce to be the best in the world.

Lieutenant Howard is an information warfare officer/information professional assigned to the staff of the Chief of Naval Operations in Washington D.C. He was previously the Director of Information Systems and Chief Information Security Officer on a WASP-class amphibious assault ship in San Diego.

Dr. da Cruz is a Professor of International Relations and Comparative Politics at Armstrong State University, Savannah, Georgia and Adjunct Research Professor at the U.S. Army War College, Carlisle, Pennsylvania.

The views expressed here are solely those of the authors and do not necessarily reflect those of the Department of the Navy, Department of the Army, Department of Defense or the United States Government.

Featured Image: At sea aboard USS San Jacinto (CG 56) Mar. 5, 2003 — Fire Controlman Joshua L. Tillman along with three other Fire Controlmen, man the ship’s launch control watch station in the Combat Information Center (CIC) aboard the guided missile cruiser during a Tomahawk Land Attack Missile (TLAM) training exercise. (RELEASED)