U.S. Navy Programs Shore Up Cybersecurity
Infocentric ships require diverse solutions, but they are at hand.
Multifaceted efforts that will work in concert with each other are at the heart of U.S. Navy cybersecurity programs. The sea service faces the dual challenge of incorporating new architectures and technologies such as the cloud, light-based communications, artificial intelligence and machine learning amid increasingly sophisticated adversaries. It is implementing new approaches that promise operational efficiency and better cybersecurity, but these approaches are complementary and must function together to realize their full potential.
While industry has some technologies ready for adoption, it is still working on others. The Navy’s role is to lay the groundwork for rapid implementation of new capabilities and their upgrades as they emerge.
Rear Adm. Danelle Barrett, USN, director of Navy cybersecurity, lists two projects that are key to successful Navy cybersecurity. One is the Compile to Combat in 24 Hours effort. Describing it as “completely changing, transforming our information environment,” she explains that it includes four pillars: data standardization, shared infrastructure, automated risk management and the commercial cloud.
Data standardization is important for security, the admiral points out. The Navy wants to standardize around Extensible Markup Language (XML), the open standard for tagging data that industry has used for some time. The switch to XML also permits providing data security down to the data element layer, she offers. The Navy can secure data “more defense in-depth” than currently possible, she adds, and the standard can be used to leverage cross-domain devices securely through National Security Agency (NSA)-approved XML guards.
Use of shared infrastructure will reduce the surface-attack footprint, Adm. Barrett observes. Adding more devices to a ship increases its cyber vulnerability, but consolidating the infrastructure both reduces vulnerability and increases information movement efficiency. She notes that developers can work on a configuration of a ship in the commercial cloud environment, where they can test software and then move it to the fleet safely and securely.
The Navy is automating its risk management framework process, along with the ability to test target software, to ensure that it won’t have an adverse effect on board a ship. Accrediting a system for a Navy ship requires extensive processes and testing, with accompanying paperwork, the admiral allows. As monolithic legacy applications are broken down into shorter bits of code—similar to smartphone updates—testing is done on a small piece of code, which reduces complexity. Using a standardized development environment with guidance and specific parameters, the Navy can determine that an application is as secure as possible before it is deployed.
Adm. Barrett offers that use of the commercial cloud is important because its tools and capabilities can be leveraged much more rapidly than on a dot-mil cloud. For example, the commercial cloud might be able to field the capability to monitor or detect an anomaly, even a nuanced one, she suggests. With artificial intelligence (AI), this capability could enable detection that a human otherwise would not be able to provide. Even if the Navy could field similar tools, it probably could not do it across its enterprise as fast as a commercial cloud vendor. Having this cloud capability also would help improve the Navy’s defense in-depth, she points out.
The other project crucial to Navy cybersecurity that Adm. Barrett names is called CYBERSAFE. The 3-year-old effort aims to protect operational technologies by adopting a holistic approach to cybersecurity. The service is addressing user behaviors, force operations, cybersecurity requirements and National Institute of Standards and Technology controls, among other issues.
For these two projects, the Navy seeks top cybersecurity technologies. Adm. Barrett cites “anything that helps us detect the anomalies,” and is not proprietary, as high on her wish list. These tools must comply with open standard data formats so the data can be interoperable, reusable and interchangeable. Also vital are tools that both increase situational awareness and improve with machine-based learning as it matures. These advanced tools would provide automated countermeasures as well. “Anything that we can do to automate the cybersecurity protection of our network at Internet speed—lightning speed—is what we’re interested in,” she declares. “Humans will never be able to keep up with manual patching. … We need things to be automated in sensing, monitoring and in the react and restore elements of network cybersecurity.”
The admiral describes the complementary nature of many of these technological goals. “If you get the transport and data layers right, then you can apply the higher-level AI and machine learning tools. But if you don’t have your data and your transport in the right format, the right framework and the right architecture, you’re not going to be able to leverage those AI tools that industry has.
“If we can get our data in the commercial cloud and leverage the tools at the speed with which [industry] puts those out and makes them available to those in the cloud, that’s exactly what we want for improved decision making and speed and confidence in our ability to execute our mission more effectively,” she declares.
Adm. Barrett notes that although every cyber expert in the services wants better situational awareness of networks, the Navy faces a different challenge on its Navy-unique platforms—specifically, its ships and aircraft. The sea service spends a lot of time on cybersecurity for operational technology such as propulsion, navigation and industrial control systems as it strives to advance sensing and monitoring of those networks. These are not traditional information technology networks, she emphasizes, but instead other networked activities. This effort includes improving responses if and when incidents occur on those networks.
The admiral continues that this challenge is complicated by the diversity of similar Navy assets. Each ship may differ slightly in terms of its networked operations, in spite of efforts to standardize configurations. Yet within each ship, systems are connected for activities such as maintenance and monitoring, and the Navy must protect these systems with boundary defenses and internal measures. “As systems are upgraded, cybersecurity must be baked in and not sprinkled on later,” she states.
And this work is going to be more difficult in the near future. “With the Internet of Things, that’s only going to get more complicated,” Adm. Barrett declares. “We’re putting in place a framework that allows us to identify, detect, react and restore when we have incidents in those areas.”
The Navy’s information warfare platform cybersecurity is agnostic, whether at sea or ashore, Adm. Barrett relates. But with adversaries striving to improve their effects on the electromagnetic spectrum, the Navy must plan for communications failure. The service might rely on space-based reachback if it suffers interference with command, control and communications. If that fallback is disrupted, then other processes must be in place to replace those activities—potentially for a long period of time.
Radio-frequency spectrum limitations also pose a problem. Saying that the Navy is often squeezed out of spectrum use, the admiral calls for examining alternatives such as laser communications and light as a transport medium. Lasers can connect with satellites or a joint aerial layer if adversarial actions or spectrum fratricide deny normal frequency use. Wireless optical networking, such as Li-Fi, can serve internal networking requirements.
Adm. Barrett lauds the technology relationships the Navy has with industry, academia and coalition partners. All play a role in helping the service solve cybersecurity challenges, but she would like a greater focus on innovation. These partners could help the Navy better if they were to quickly inform the service of a new capability with a potential military application, whether for cybersecurity or improved operations. A vital aspect is to identify the game-changers as technologies converge, she adds.
Coupled with these external challenges is an internal one. The Navy must move faster on cybersecurity efforts, including implementing technology and incorporating commercial best practices, the admiral states. She emphasizes open standards and compliant nonproprietary solutions: “We are in an age of exponentially accelerating and converging technology. Our adversaries don’t operate on our POM [program objective memorandum] cycle and don’t operate on the industrial-level processes that we do to field capability.” She adds that many in the Navy are working to expedite and streamline those processes.
Once it is developed, Compile to Combat in 24 Hours will deliver a capability within that window, and the admiral says it will be delivered “deliberately and safely” to avoid posing a risk to operations. This flies in the face of traditional processes developed over many years of doing business, and they cannot be replaced easily. “We can’t just take those old processes and pave over a cow path,” she says. “We need the new technology completely. Don’t even look at the old process, and do the process re-engineering so that technology can quickly integrate. It’s getting to speed of relevancy.”
The Navy’s biggest challenges are more institutional than technological, but the service can overcome those, Adm. Barrett asserts. “We’ve overcome them in the past,” she says. “We just need to move faster. People who are uncomfortable with change—if they are in the military, they are in the wrong line of work.”