Navy, Marines Bolster Cybersecurity Defenses
“We’ve already mentally accepted the fact that … [cyber is] the fifth domain of the battle space,” he said during a February industry conference hosted by the U.S. Naval Institute and AFCEA International. “There’s cyber fighting going on right now. … Our networks are under attack.”
There needs to be an increased focus on cybersecurity and protecting essential systems that connect warfighters around the globe, he said.
“Because of our adversaries, our potential adversaries’ capabilities, what is [today] our critical capability and our center of gravity could … very quickly become our critical vulnerability,” he said. “How do we protect the network? How do we protect what we’ve got and enable ourselves to leverage the communication and the weapons systems that we have?”
The military can no longer assume that the network will always be accessible or safe, he said. “We’re going to do everything we can to protect it and make sure it is, but I don’t think we can count on it,” he said.
The Navy and Marine Corps have subsequently boosted cybersecurity spending in their recent budget request for fiscal year 2017, said Rear Adm. William Lescher, deputy assistant secretary of the Navy for budget.
“The department continues to prioritize funding of cyber capabilities, including continued emphasis on cyberspace operations, training and equipping cyber mission forces, investments in cyber science and technology, and information assurance activities that strengthen [the] defense of our networks,” Lescher said.
The Navy established a cybersecurity division that will guide the service’s strategy in the domain and manage investments, he noted during a February media briefing at the Pentagon. The budget includes $370 million over the future years defense program “across the spectrum of cyber programs leading to significant improvements in the department’s cyber posture,” he said.
Budget documents also indicated that funding was added toward increased cyber situational awareness.
The Navy allotted $212 million toward its consolidated afloat networks and enterprise services. CANES merges five of the sea service’s legacy networks into one for increased operational effectiveness.
“The FY ‘17 budget request … provides substantial investments in modernized currently fielded systems in order to continue to overmatch adversaries,” Lescher said. “CANES replaces and provides critical improvements to all afloat information networks, including in cybersecurity.”
CANES has been installed on 25 ships to date with 12 in progress, he said. The fiscal year 2017 budget funds an additional 10 ships, he added.
Bryan Clark, a senior fellow at the Center for Strategic and Budgetary Assessments, a Washington, D.C.-based think tank, said CANES is “designed to consolidate a lot of the little networks that we have out in the fleet today into a smaller number of networks.
“A lot of the network investment that’s being made by the different services is an attempt to reduce the amount of surface area that their networks have to the outside environment,” he said.
Smaller networks can often be more vulnerable because they don’t have the same level of protection that many of the bigger systems have, he said. Moving to larger networks also allows the services to adopt new forms of information protection, he added.
“In a bigger network I can start using cloud computing. I can start putting information into places where it’s going to be harder to find it,” he said. “If you go to the cloud … you can actually hide your valuable information among millions of bytes of non-important information.”
Going forward, Clark said the Navy and Marine Corps would begin investing in automated systems that could immediately detect when an intruder penetrates a network.
“They want automated features in their software that detect an intrusion and then can immediately isolate that intrusion from other parts of the network and then use the access point that has been gained as a way to respond to the threat and in some ways go and hack the threat immediately,” he said. By gaining access to a network, the hacker also makes himself vulnerable because he opened a portal into his own network.
While the government has made significant investments in cybersecurity, more can be done, Clark said.
“The government could spend even more on cybersecurity if you look at it from an infrastructure perspective,” he said. “There’s been a lot of aspirations in the government to shift to cloud computing to a greater degree and improve security … by protecting … [information] at the data level but it’s going to be expensive for the government to do that with its military network just because of the cost of transitioning from all these legacy systems to new systems.”
However, there is a limit to how many network improvements the military can make at any one time because such transitions are disruptive to ongoing operations, he said.
Rob Carey, vice president of Navy and Marine Corps programs at Vencore Inc. and the former principal deputy chief information officer at the Defense Department, said legacy networks were never designed to be secure. That means they will require complete security overhauls.
“The networks were built up over time. They were not built to be secure, they were built to … exchange information,” he said. The Navy and Marine Corps still need to get their arms around all of their data and begin to assess and consolidate it.
While work still needs to be done, Carey said contracts for cybersecurity services and tools that were budgeted years ago are now coming to fruition.
“Slowly the investments are being made to remedy the vulnerabilities and the networks and the systems that are out there,” he said. “The challenge is trying to keep up.”
Steven Bucci, a visiting fellow at the Heritage Foundation, a Washington, D.C. think tank, said that while the military has fairly strong cyber defenses, other government agencies do not, and that puts everyone at risk. The Office of Personnel Management breach in 2015, which exposed millions of government workers’ personal information, is one example, he said.
“We’ve got some big gaps between certain organizations and other organizations and that means that bad guys understand now that it’s kind of stupid to attack the White House and DoD, but boy, if we could get into some of these other organizations maybe we could slip behind those defenses,” he said. “While I think our military and our intelligence agencies and certain other parts of the government do have fairly robust and healthy defense systems — not perfect, but pretty good — there are others that are just abysmal.
“That puts us at risk,” he added.
While investments are being made in hardware, more resources are also needed for cyber training, Neller said.
The Marine Corps has been making a push to reach out to computer-savvy Marines who could work in its cyber division, he said. The service is looking for recruits with “the skills and the intellect and the resiliency and the discipline” to work in the cyber field.
The service’s cyber division is “under invested” Neller said. Leaders are currently working on formulating what an optimal number of cyber warriors would be.
“There’s a group at Quantico right now looking at the entire organization of the Marine Corps to determine what capabilities and in what number we’re going to need in 2025,” he said. “We know we need more cyber Marines.”
Presently, the Marine Corps has enough cyber professionals in its ranks. However, retaining such forces is another matter, Neller said.
“Right now we we’re able to find them. The harder part is keeping them,” he said. They “are very smart young men and women and they’ve got a skill set that’s available out there that’s very marketable in the civilian world.” Military leaders have often lamented that they are unable to retain a talented and skilled cyber workforce because private sector companies poach them using high salaries as bait.
Brig. Gen. Dennis Crall, Marine Corps director of command, control, communications and computers and chief information officer said the service needs to work harder at having a more robust cybersecurity force.
While it is important to increase capability and ensure that security software is baked into weapon systems from the start, there is nothing more important than having the right personnel, he said. Over the past six to eight months, the Marine Corps has focused on what it means to build a cyber warrior, not only today, but in the future, he said.
“It’s not clear to me, in looking at our own enterprise that we are investing in the right people and the right places at the right time,” Crall said. “We have to be very careful to make sure that it’s not always about squeezing down dollars … but ensuring that our investment strategy matches the direction that we … [have] as operational warfighters. And it’s lacking in some of those areas.”
Increasing the Navy’s cyber workforce is also important for the service, said Chief of Naval Operations Adm. John Richardson.
The sea service has already begun recruiting sailors and setting them up with cyber mission teams that have a variety of focus areas, he said. “We’re starting to deploy those.
“At the end of the day, that force may or may not look like the folks that are manning other parts of the Navy but we have to be open to all these possibilities because it’s absolutely vital that we have … an effective force there,” he said.