Task Force Cyber Awakening Recommendations Due
The Navy task force is set to deliver its first report in November.
The U.S. Navy’s Task Force Cyber Awakening, which was established in July, is expected to deliver its first report to the service’s leadership this month, task force officials say. The report will include recommendations for improving the service’s cyber posture, both ashore and afloat.
The Cyber Awakening task force is designed to gain a holistic view of cybersecurity risks across the service and to address the fragmented and uneven efforts across the service’s platforms and systems, Navy officials say. It will look at all kinds of systems, including combat systems, command, control, communications, computers and intelligence (C4I) technologies, and the information technology (IT) used to run the service’s day-to-day business.
Ultimately, the task force should allow the service to develop a cyber resiliency plan and defense posture and to prioritize which systems are most critical to protect from cyber attack.
“We have a significant investment in those capabilities from the operating day-to-day business of the Navy to actually conducting a fight,” said Matthew Swartz, director, communications and networks for the deputy chief of naval operations for information dominance. Swartz and others discussed the task force during a media round table October 31. “We wanted to develop a cyber resiliency plan or a defensive posture to address some of the threats we’re seeing across the world today, and we said we need to start focusing on the critical IT warfighting capabilities. Where are the IT investments we have within the enterprise that are critical to winning the fight?”
The one-year task force has established four task groups: Capabilities, CYBERSAFE, Navy Cyber Security and Technical. The first, Task Group Capabilities, has been collecting data from across the service and will offer several recommendations, including materiel solutions to cyber issues, training and manpower. “We’re collecting all that information into one area and then we, as a task force with support from other organizations, are going to make our recommendations to our leadership on the most critical things we should do now and how to prioritize efforts for the enterprise. It is a full gamut of how to address cyber going forward as an enterprise,” Swartz reported
All systems, regardless of classification, are vulnerable to cyber attacks, said Troy Johnson, director of capability integration and leader of Task Group Navy Cyber Security. “The way that we classify systems—combat systems or C4I systems or business systems—is almost irrelevant in the cyber world. An adversary wouldn’t design an attack for a combat system verse a business system. They’re going to design a cyber attack and apply it to any system that has that vulnerability.”
The holistic view is vital, Swartz argued, because so many systems are interconnected. Because of the interconnections, “a risk to one is a risk to all,” Swartz said, adding that the interconnectedness has forced the Department of Defense, and particularly in the Navy, to “reassess our risk calculus for cyber.”
“Because of that interconnectedness and because of how cyber is such a critical enabler for other warfighter domains and a new domain itself, we had to make sure we understand the risk associated with cyber as we move forward as an enterprise,” Swartz stated.
The CYBERSAFE task group, also referred to as task group 2, will deliver a report in March focusing specifically on a limited subset of components and processes that will include “rigorous technical standards, certification and auditing,” according to Navy documentation. Swartz described CYBERSAFE as a “representation of how we want to move forward for the enterprise to protect the critical warfighting capabilities that we have that are cyber enabled or net-enabled.”
“The first deliverable for Task Group 2 is to identify that thin of warfighting capability and how to organize so that we have accountability around it and can maintain a readiness level for it,” Swartz offered.
The Cyber Awareness task force was created in part as a reaction to Operation Rolling Tide, during which someone—reportedly Iran—infiltrated the Navy Marine Corps Intranet. The Navy’s response was spearheaded by Adm. Michael Rogers, USN, who now commands U.S. Cyber Command and leads the National Security Agency. That response set the standard for the Navy going forward, Swartz indicated, adding that although Adm. Rogers probably doesn’t realize it, “his fingerprints are all over” the Cyber Awareness task force.
Additionally, Johnson adds, commanders and other warfighters have become more aware of the interconnectedness of their systems due to an increase in recent years in cybersecurity inspections, both ashore and afloat. Previously those inspections were only conducted ashore. The reports served as a rude awakening for non-information technology personnel. “These non-C4I, non-business network people would see themselves included in these results and up the chain it would go. And then there would be this realization that everything is connected. The people operating the systems always knew, but maybe the people operating the combat systems or the commanders weren’t realizing how connected their stuff was,” Johnson recalled.
The third task group, Task Group Navy Cyber Security, will evaluate current authorities, methods and resources to identify enhancements required to ensure the application of rigorous technical standards. It will report its findings in August. The technical task group, the fourth group, will support the others and will be comprised of senior engineers from the systems commands to ensure that robust, common technical standards and authorities are in place to drive cyber programs and systems, Navy documentation says.