Navy Stresses Readiness Over Compliance in First Cyber Strategy

By Josh Luckenbaugh

iStock illustration

The Navy recently released its first-ever cyber strategy as the service looks to beef up its defenses against non-kinetic threats in the information environment.

In the “Department of the Navy Cyber Strategy” — published in November 2023 — the service noted “the next fight against our major adversary will be like no other in prior conflicts,” with non-kinetic effects, and the ability to defend against those effects, likely playing a decisive role.

“We must ensure our capabilities to project power and defend in cyberspace take top priority to ensure the success of the traditional power projection capabilities of our naval forces,” the strategy stated. “While the foundational concepts of maritime warfare have not changed, we must fully account for new realities presented by cyberspace and the information environment,” and expertise in those domains is now a “core” competency for the Navy.

The strategy outlined seven primary lines of effort: improve and support the cyber workforce; shift from compliance to cyber readiness; defend enterprise information technology, data and networks; secure defense critical infrastructure and weapon systems; conduct and facilitate cyber operations partner to secure the defense industrial base; and foster cooperation and collaboration.

Joel Krooswyk, federal chief technology officer at GitLab, said the transition from cyber compliance to cyber readiness is a “cultural change” for the Navy.

“For the longest time, when we talk compliance, what we’re talking about is trying to get to the point where all the boxes are checked,” Krooswyk said in an interview. “Are my boxes checked, [and] if they’re not checked, why aren’t they checked? And when you focus there … by the time we get compliant with something, that standard needs to change because of some environmental threat.

“And so the more I look at what cyber readiness is, it’s like, OK, we can be compliance-based. But can we automate all that?” he continued. “Can we automate the compliance side so we can focus on the cyber readiness side, which is the innovation? It’s the proactive security, it’s the faster reactive security for cyber threats that are now occurring. … So, if we’re still focused on ticking boxes and all these new emergent threats are coming in that aren’t in the boxes, we’ve got a huge problem that’s going to form.”

Troy Batterberry, CEO and co-founder of EchoMark, said: “It’s easy to treat security as important but not necessarily urgent until the problem is at your front door and you’re suffering from an ongoing breach. And what you want to do is change your operational structure so that you’re prioritizing proactive cybersecurity defense over solely reacting to it.”

The Navy faces several cybersecurity challenges, such as protecting the vast amount of systems it operates and training the cyber workforce as people enter and leave the service, Batterberry said in an interview. “So, updating all of those systems and keeping people trained on the evolving nature of those systems is obviously a Herculean effort. But I think as the report calls out, this is strategic to the Navy, being able to [perform this] mission, and so prioritizing it … literally at the leadership level will be necessary for those changes to happen.”

As part of the shift from compliance to readiness, the Navy will conduct regular adversarial assessments, the service stated in the strategy. “Without frequent realistic assessments of its cybersecurity defenses, the [Department of the Navy] risks operating with a false sense of security while overlooked weaknesses go unaddressed and missing valuable input that can assist with prioritizing mitigations and cybersecurity investments,” the strategy stated.

Snehal Antani, CEO and founder of, said the Navy embracing “this concept of ‘Show me we’re secure, don’t tell me we’re secure’ and using the attacker’s perspective as part of that narrative” is a positive development.

The Navy’s challenge will be the ability to perform tests and attack itself “at scale,” and that’s where innovative technologies such as artificial intelligence can play a key role, Antani said.

“You’ve got hundreds of millions of IP addresses … scattered across the entire Navy, all the various fleets. You’ve got [operational technology] systems, [information technology] systems, ships in port versus ships at sea, satellite infrastructure. All of that is just massive amounts of scale,” he said. And without AI, “humans were the bottleneck in testing the Navy at scale.

“The big technological leap from … five years ago to today is the role AI plays in enabling that attacker’s perspective at scale for the Navy,” he said. “That is what’s going to be the true force multiplier, so that humans — these very talented humans — are scalpels working on very specific, very hard and bespoke exploits, and letting algorithms attack at scale.”

Former Navy chief information officer Rob Carey, now president of Cloudera Government Solutions, said while the strategy does a good job outlining what the Navy needs to do in cyberspace, it lacks information on the service’s investment in cyber and how the Navy will measure progress.

“This is a whole bunch of what I want to do, not what I’m going to afford,” Carey said. “And then metrics of success … what does goodness look like?”

“If you don’t define what goodness looks like, it’s pretty hard to get there,” he said. “This is a great strategic plan, but it doesn’t say, ‘We’re going to measure this every quarter, we’re going to invest … accordingly.’ Those are the kinds of things you have to decide.” ND

Topics: Cyber

Comments (0)

Retype the CAPTCHA code from the image
Change the CAPTCHA codeSpeak the CAPTCHA code
Please enter the text displayed in the image.