Navy Sets New Course for Information Technology
A recent reorganization will help, but specific challenges loom.
Long-discussed cybersecurity issues such as cultural attitudes, innovation and supply chain vulnerability are now at the top of the U.S. Navy’s information technology action list as it faces a multifaceted threat to information dominance. Current conditions present a sense of urgency in efforts to upgrade Navy and Marine Corps information assets, but the services also face a window of opportunity that they can exploit.
The sea service is literally undergoing a sea change in its organizational approach as it works to extend technology and capability upgrades across the breadth of Navy and Marine Corps operations. It is striving to modernize its information infrastructure in the face of increased capability demands along with foreign threats. Ultimately, it will work to find new ways of cooperating with military and commercial organizations that could offer potential solutions to its needs.
The reorganization can give the Navy an overarching vision, strategy, direction and strategic intent for information management that spans the Navy and Marine Corps, says Aaron Weis, special assistant to the secretary of the Navy for information management and its chief information officer (CIO). “It will fundamentally change the trajectory that the topic has been on, because we haven’t really had an overarching vision and strategy for information management here—it doesn’t exist.
“So, we’re going to come up with that, and in the process, we’re going to put the Department of the Navy on a different trajectory,” he continues. “The opportunity is to create capability across the two services that will change the overall outcome so that we’re leveraging information management for competitive advantage.”
His new role has a wider purview than previous Navy CIOs, Weis states. Those organizations largely were policy driven, but the new one has been empowered with critical responsibilities captured in its new directorates. These directorates feature a chief data officer, chief digital strategy officer, chief technology officer and chief information security officer. This helps move the organization far beyond a policy approach, he says.
Weis cites three challenges at the core of his new office’s mission. The first entails cyber modernization across the Navy and Marine Corps.
He notes that the Cybersecurity Readiness Review, prepared for the Secretary of the Navy, addressed the issue of the Navy’s status in cybersecurity. The report was “less than flattering” in its review of the service’s readiness and cybersecurity posture, Weis offers, and this formed the basis for the Navy’s cyber reorganization. Reestablishing the position of the Department of the Navy Chief Information Officer (DON CIO) was just one of the many recommendations the review provided, he adds.
“The Department of the Navy, from an information management and technology perspective, is probably 10 to 15 years behind industry,” Weis states. This comes from his perspective as an industry CIO with nearly three decades in the commercial sector, he emphasizes.
This cyber technology lag is a major contributor to the outcome of that review, he continues. Accordingly, one of the biggest challenges the office has mapped out is the need to modernize the Navy’s information infrastructure.
Weis notes that the Navy’s networks, 10 to 15 years behind modernity, are overly complicated with difficult topographies. They are not easy to defend, so the Navy must modernize by creating a flatter, more maneuverable network to enable better information defense.
Once the Navy achieves parity with industry, its second challenge is to leverage technology to create a competitive advantage for the Navy and Marine Corps so they can win in the battlespace, Weis says. That speaks to the charter from the National Defense Strategy to focus on lethality, he adds.
“This theme is called ‘innovate,’” he explains. “It’s what we’re doing to create competitive advantage.”
The third major challenge addresses the ability to defend information wherever it is—at rest or in transit, within Navy systems or those of the supply chain, and at the tactical edge, Weis allows. “It’s more than just putting more software on endpoints and more sensors in the network,” he maintains. “It’s more than just adding technology layers. In many ways, this is taking a hard look at how we go about the job of cybersecurity and looking at what we need to do to make that more effective.”
One of the biggest elements of that is culture, Weis continues. And that culture must change.
“Today, within the Department of the Navy, we’re largely a culture of ‘security by compliance,’” he charges. “We believe, broadly today, that we check the box and we say we’re compliant, and therefore we’re secure.” The Navy built processes around “checking the box,” such as the authority to operate (ATO). This is a compliance-driven process in which a new system owner goes through an ATO accreditation and then is declared secure, he says. “That was a point in time, and time marches on from the moment you fill out that checklist, and we’re likely no longer compliant,” he points out. “A change away from a security-by-compliance culture is going to be critical to that.”
He continues that the Navy must ensure that cybersecurity is built into everyone’s job. “It’s not just an [information technology] job or a cyber job—this is part of what everyone does,” he posits.
Yet another aspect of the defend challenge is the need to bring in the defense industrial base, Weis emphasizes. In many cases, serious losses of intellectual property have come from adversaries exfiltrating information from the supply chain, he points out. This plagues not only the tier-one suppliers but also the smaller sub-suppliers that are less sophisticated further down the supply chain.
“The Navy must work with those tier-one suppliers on how they can better secure their tier-two and tier-three [providers] to protect the information that we have from falling into adversary hands,” Weis declares.
One key to dealing with the cyber threat is for the Navy to be in a continuous state of self-assessment, Weis notes. “We may choose to actively assess ourselves more than have it just be an academic exercise,” he says.
The new organization is structured to empower activities such as those. Weis has two deputies in the new organization: one Navy officer and one Marine Corps officer. This dual-deputy approach represents a change in the overall relationship between the Navy and the Marine Corps rather than just in cyberspace, he allows. The Corps is returning to its maritime roots as the two services become more of a unified naval force, and information dominance will be a key part of their activities securing the cyber domain.
A unified naval force will require a unified communication and technology infrastructure, he continues, so the presence of these two different officers addresses that goal. In terms of defensive or offensive cyber operations, activities could come through Navy 10th Fleet cyber or the U.S. Marine Corps Forces Cyberspace Command (MARFORCYBER), which are both warfighting organizations. Weis offers that understanding how they coordinate from a unified naval force perspective is still in its early days.
In terms of working on cyber issues with the other military services, Weis cites his past roles in the Defense Department CIO office as a basis for cooperation with non-Navy services. He describes a good working relationship with Army and Air Force CIOs that is helpful in dealing with cyber issues, which must be addressed across service lines. At a combatant command level, the Navy interacts with the U.S. Cyber Command (CYBERCOM), while at the civilian level it works across service lines through principal cyber advisor (PCA) in the Office of the Secretary of Defense.
While this cooperation is helpful, Weis describes it as an ongoing effort. “It’s more well understood within the uniformed community, between CYBERCOM and the service cyber mission forces,” he offers. “The civilian and PCA side of the equation is more of a work in progress.” He adds that Congress has ideas about how that should work, but the process is not formalized or substantiated through instructions. “Today it happens largely because people know each other and there’s a personal network.”
In some areas, the Navy lags behind the other services in cyber capabilities, Weis admits. In other areas, it is ahead. The Air Force already has crafted a strategy and vision for information in the entire service, he observes. With a new strategic vision, the Navy will be able to fully leverage what the Army and Air Force are undertaking in digital modernization.
One hurdle facing the Navy is that it is much more heterogeneous than the Air Force or the Army, Weis observes. Its organizational constructs challenge efforts at strategic cyber modernization, and the Navy must overcome these challenges. They include multiple networks within the service under fragmented management.
“The Navy has always been fiercely independent, and there’s a lot of pride in that—which is great,” Weis offers. “But we’re going to have to maintain that spirit while still being able to provide continuity across information management.”
The Navy can reap many benefits from industry’s experience, Weis says. In modernization, the service can leverage what the financial sector has done by harnessing the power of network and infrastructure securely. He notes that substantial parts of the U.S. economy flow over their networks daily, and security is paramount for these institutions in the face of multifaceted threats from around the globe. The Navy has similar needs and “has a lot to learn from [the financial sector],” he warrants.
Separate from that, the Navy must work in partnership with other elements of the commercial sector, such as the defense industrial base. “We have to recognize that we are all stewards of the information,” Weis states. “When anyone of us lets that down, we all suffer. That’s an area where they can help us as a defense industrial base by working together with us.”
Weis also calls for leveraging the relationships the Navy has with major technology companies. “Often, we don’t lay the same level of expectations on those technology providers that I would as a CIO in industry,” he asserts. “When things weren’t right in industry and it involved one of those technology providers, we picked up the phone and called them and put those suppliers on notice that they needed to be here and solve the problem—and that was not a billable event.” He continues that the Defense Department needs to be more demanding along these lines—“We have to help them help us by being good and demanding customers.”
Among key technologies and capabilities, the cloud is a major topic in the department. More work remains until the cloud is embedded in the Navy’s everyday business, he says. A common cloud across all security domains that multiple services can share and leverage will offer the most benefit, he says, but it also will require “a fair amount to get through” to fully leverage.
And now may be the best time to implement these advances. “We have a real moment in time and an alignment that we have a real opportunity right now to go do this,” Weis declares. “If we don’t do it, it’s hard to tell when that window of alignment is going to come back around.”
You may also enjoy: