Interoperability Key in Navy Fight Against Cyber Adversaries
The mix of ships adds to the need for workable security tools.
Effective cybersecurity for the U.S. Navy will hinge on interoperable tools suitable for the fleet’s diverse number of ships. As different as the ships and their systems may be, their cybersecurity must be based on common standards and interoperate across the sea service.
The greater involvement by the commercial sector in bringing new information technologies to the Navy mandates increased cooperation with industry on cybersecurity. That includes working with companies in the earliest stages of system development to ensure that cybersecurity is embedded from the start. However, another part is to incorporate approaches such as zero trust in Navy systems, which will require extensive adjustments for Navy personnel. And all this must be accomplished against the backdrop of adversaries improving their predatory cyber skills at a rapidly increasing pace.
Rear Adm. Susan BryerJoyner, USN, director of Enterprise Networks and Cyber Security Division, Office of the Chief of Naval Operations, explains that the Navy is partnering strongly with industry because it already has gone through the adoption of modern technologies such as cloud and DevSecOps. The Navy is tapping industry’s lessons learned in those processes as it adopts new technologies from developers. This work includes engineering Navy-unique solutions, she adds.
One vital area of focus is security for the cloud. The Navy is working closely with the vendors “in an iterative way” to ensure appropriate licensing and configurations, she says. The Navy also uses government organizations to test its co-developed products.
When it comes to industry, interoperability and data sharing are essential, she declares, adding, “We cannot afford proprietary solutions that impede the flow of cybersecurity information between the applications that we are leveraging for security.”
Neither can the Navy afford a single solution that has only one use, she elaborates. “We have to be able to reuse, where applicable. We have to be able to share information between cybersecurity applications. And, we have to be able to do it at speed,” she states.
“It’s incredibly important that all vendors—even if they’re protecting the ‘secret sauce’ that makes them competitive—really need to focus as a group on defining those interoperability and data standards that allow their products to be easily integrated with others so we can have effective solutions,” the admiral warrants. “The proprietary standalone applications that require significant engineering in order to integrate them—we can’t afford the money and the time it takes to deliver a suboptimal product. We need those products to be interoperable from the get-go.
“It’s not only a matter of public safety; it’s a matter of national security,” she continues. “It’s extremely important for all companies that are developing those cybersecurity solutions to take that approach.”
The admiral admits that zero trust has shown to be challenging in some ways. She notes that it is a shift in focus from assuming that users inside an environment are trusted toward challenging users every time they try to access a resource, whether data or a service. The change from defense in depth to internal protection represents a different approach, and the Navy is learning as it goes forward. The admiral describes it as a methodical approach in step with the Defense Department to “make sure that we get it right.”
The Navy also must have a good understanding of the risk as it adopts commercial solutions. This will enable security from the start. “Security has to be baked in,” she maintains.
One service-unique challenge the Navy must confront is the longevity of the fleet. Roughly 70 percent of today’s ships will still be in service in 2030, and these legacy vessels pose severe implications for cybersecurity. “It’s not just the fleet; it’s the systems on the ships and our ability to modernize those systems in a way that keeps pace with threats,” she points out.
To achieve this, the Navy must balance the agility of patching with the ability to certify its weapon systems. The biggest hurdle in that path is that these weapon systems are not built in a DevSecOps approach or with zero-trust principles in mind—and they probably won’t be anytime soon, the admiral offers. This reinforces the importance of the Navy’s defense-in-depth architecture and its understanding of the different attack vectors adversaries could use, the admiral adds.
The admiral cites cyber hygiene as a basic concern for the Navy. “Every adversary is going to go for the lowest cost mechanism, the lowest cost of entry,” she allows. “If we cannot make their job hard, then we have not done our job.”
The cyber hygiene effort takes several forms. First comes applying necessary patches. Next comes the cultural aspect of ensuring that each individual person understands daily cybersecurity obligations. The admiral reports that, in one recent case, sailors thought a valid bulk email they received from the Navy was a phishing expedition, and they reported it according to the rules. Even though it proved to be a false alarm, it showed the cyber vigilance that sailors are observing, she notes.
Cybersecurity is one of the issues that will be discussed at West 2021, running virtually June 29-30. A longer version of Adm. BryerJoyner’s remarks on Navy cybersecurity will run in the July 2021 print issue of SIGNAL Magazine.