Navy Fights to Keep Ahead of Cyber Adversaries
The fleet seeks interoperable security tools to add to the mix of ships.
The U.S. Navy is moving ahead at full speed to equip its assets with effective cybersecurity. However, the diverse nature of those assets—some are city-size ships while others are small but vital systems—confounds planners seeking to ensure interoperable security measures.
The greater involvement by the commercial sector in bringing new information technologies to the Navy also mandates increased cooperation with industry on cybersecurity. Part of that entails working with companies in the earliest stages of system development to ensure that cybersecurity is embedded from the start. However, another part is to incorporate approaches such as zero trust in Navy systems, which will require extensive adjustments for Navy personnel. And, all this must be accomplished against the backdrop of adversaries improving their predatory cyber skills at a rapidly increasing pace.
“We have these persistent and increasingly sophisticated malicious cyber actors,” says Rear Adm. Susan BryerJoyner, USN, director of Enterprise Networks and Cyber Security Division, Office of the Chief of Naval Operations. “Whether they are criminal, nation-state, non-nation-state, it doesn’t matter. All the tools are the same, but we are seeing an uptick in activity, especially associated with ransomware and supply chain attacks.” She notes that the challenge is increasing, but it has always been there. “It shouldn’t be a surprise, but it certainly is a challenge because trying to keep pace with it is a challenge.”
Adm. BryerJoyner allows that adversaries are keeping their best cyber capabilities close hold. However, the degree of activities is growing, and a variety of adversaries are using cyber to advance their national interest. She notes that these foes are more comfortable taking action short of war in the cyber domain, and they “are trying to figure out where the line is.” International standards of behavior remain to be defined, she notes.
This increased cyber activity could be analogous to the maritime and air activity seen in the South China Sea, she continues. It is relatively low-level and has not caused significant impacts—outside of espionage—other than inconveniences. Now, the Navy is starting to see the domain and activity in it mature in the military realm, and the discussion of international standards of behavior may need to ramp up quickly.
For non-nation-state actors, cyber levels the playing field, she points out. Some of them can be just as advanced as nation-state adversaries in cyberspace. The same tools are available to all malefactors, and they don’t hesitate to use them if it suits their agenda.
“You cannot discern intent from the tool that’s used,” she says. “They all start with the same toolkit. It’s readily available, and if we do not address our basic cyber hygiene in the Defense Department and in the Navy, then that toolset is good enough.” She continues that nation-states and more advanced non-nation-states can innovate an enhanced toolset that would challenge Navy cybersecurity. “At the end of the day, we face similar threats regardless of the source. It’s just how much extra oomph they can put in the attempt should they really desire to exploit us.”
The admiral notes that specific interest groups have their own agendas they want to pursue, and these might include gains they would achieve by exploiting the Navy. Foremost among these is the exfiltration of intelligence that they then could sell to eager customers, including nation-states. This intelligence could take the form of either sensitive information or infrastructure data, she points out. Russia, for example, is known for partnerships between criminal cybermarauders and the government.
“There is relatively little distinction among the various groups,” Adm. BryerJoyner states. “They’re all after information. Whether they’re going to sell it, whether they’re going to exploit it or whether they’re going to figure out how to modify it in a future fight, at the end of the day, it is about the data—whether they can access it and what they can do about it.”
One service-unique challenge the Navy must confront is the longevity of the fleet. Roughly 70 percent of today’s ships will still be in service in 2030, and these legacy vessels pose severe implications for cybersecurity. “It’s not just the fleet; it’s the systems on the ships and our ability to modernize those systems in a way that keeps pace with threats,” she points out.
To achieve this, the Navy must balance the agility of patching with the ability to certify its weapon systems. The biggest hurdle in that path is that these weapon systems are not built in a DevSecOps approach or with zero-trust principles in mind—and they probably won’t be anytime soon, the admiral offers. This reinforces the importance of the Navy’s defense-in-depth architecture and its understanding of the different attack vectors adversaries could use, the admiral adds.
The admiral cites cyber hygiene as a basic concern for the Navy. “Every adversary is going to go for the lowest cost mechanism, the lowest cost of entry,” she allows. “If we cannot make their job hard, then we have not done our job.”
The cyber hygiene effort takes several forms. First comes applying necessary patches. Next comes the cultural aspect of ensuring that each individual person understands daily cybersecurity obligations. The admiral reports that, in one recent case, sailors thought a valid bulk email they received from the Navy was a phishing expedition, and they reported it according to the rules. Even though it proved to be a false alarm, it showed the cyber vigilance that sailors are observing, she notes.
Adm. BryerJoyner offers that the biggest difference in cybersecurity between the Navy and the other services is the size of the Navy’s platforms and the number of individuals in their crew. Some ships are moving cities with weapon systems and business systems that must be protected. This complex dynamic is not present in other services’ platforms. Communications, logistics and other elements necessary to keep that floating city secure and ready to fight must be protected against cyber threats of all types.
The Navy is working on a host of new information technology systems, notably those in Project Overmatch. Adm. BryerJoyner observes that this acquisition takes cybersecurity into account during development. This includes ensuring that appropriate protections are in place for legacy systems. As new capabilities are accepted, the Navy will make sure it understands their risks and how to mitigate them.
Among the new technologies the Navy is incorporating into the fleet are unmanned systems. The admiral explains that the effort to incorporate cybersecurity into new technologies during development includes implementing zero-trust principles, where it is assumed there is a breach. Cybersecurity for the data being transmitted or received by a vehicle will be inherent to that vehicle. This deliberate approach should ensure that autonomous systems are deployed with the appropriate level of cybersecurity, she says.
The admiral admits that zero trust has proved to be challenging in some ways. She notes that it is a shift in focus from assuming that users inside an environment are trusted toward challenging users every time they try to access a resource, whether data or a service. The change from defense in depth to internal protection represents a different approach, and the Navy is learning as it goes forward. The admiral describes it as a methodical approach in step with the Defense Department to “make sure that we get it right.”
Adm. BryerJoyner explains that the Navy is partnering strongly with industry because industry has gone through the adoption of modern technologies such as cloud and DevSecOps. The Navy is tapping industry’s lessons learned in those processes as it adopts new technologies from developers. This work includes engineering Navy-unique solutions, she adds.
One vital area of focus is security for the cloud. The Navy is working closely with the vendors “in an iterative way” to ensure appropriate licensing and configurations, she says. The Navy also uses government organizations to test its co-developed products.
When it comes to industry, interoperability and data sharing are essential, she declares, adding, “We cannot afford proprietary solutions that impede the flow of cybersecurity information between the applications that we are leveraging for security.”
Neither can the Navy afford a single solution that has only one use, she elaborates. “We have to be able to reuse, where applicable. We have to be able to share information between cybersecurity applications. And, we have to be able to do it at speed,” she states.
“It’s incredibly important that all vendors—even if they’re protecting the ‘secret sauce’ that makes them competitive—really need to focus as a group on defining those interoperability and data standards that allow their products to be easily integrated with others so we can have effective solutions,” the admiral warrants. “The proprietary standalone applications that require significant engineering in order to integrate them—we can’t afford the money and the time it takes to deliver a suboptimal product. We need those products to be interoperable from the get-go.
“It’s not only a matter of public safety; it’s a matter of national security,” she continues. “It’s extremely important for all companies that are developing those cybersecurity solutions to take that approach.”
The Navy also must have a good understanding of the risk as it adopts commercial solutions. This will enable security from the start. “Security has to be baked in,” she maintains.
She describes President Joe Biden’s May executive order on improving cybersecurity as “audacious in its intent and goals.” However, it will be challenging to accomplish all of its goals—which are necessary steps that must be taken—in the timelines given, she allows.
“[Cybersecurity] is similar to the way we treat public safety,” she says. “Cybersecurity is now at the level where people can see the potential public safety implications if something goes wrong.”