This is part five of a series exploring the differences between military cyber forces, capabilities, mission sets and needs. For previous installments, see part onepart twopart three and part four.

In addition to being the direct service link for U.S. Cyber Command, 10th Fleet, or Fleet Cyber Command, has a mission set in cyberspace for the Navy that is much more expansive than just the man, train and equip cyber mission force CYBERCOM contribution.

In written testimony to Congress, Vice Adm. Mike Gilday, commander of 10th Fleet, said his command is “responsible for operating and securing Navy Enterprise networks, defending all Navy networks, operating our global telecommunications architecture, and providing Cryptology, Signals Intelligence [SIGINT], Information Operations, Electronic Warfare, Cyber, and Space war-fighting capabilities to support Fleet Commanders and Combatant Commanders.”

“We’ve always been the central point of managing the day-to-day events that happened on the networks, whether that’s an adversary coming at you, whether that’s some other failure of the networks by design or some other capability,” Capt. James Mills, chief of staff at Fleet Cyber, told C4ISRNET on the sidelines of the Defensive Cyber Operations symposium in June 2017.

From an operational perspective, how does the Navy run network defense? While Fleet Cyber Command/10th Fleet has a role to play in coordinating network defense, there are many other players on a day-to-day cybersecurity level.

Fleet Cyber, as the Navy’s lead for the cyber mission and cyber defense, is to “touch base with all the Navy Echelon II commands to include all the systems commands. We have a working relationship with SPAWAR, NAVAIR, NAVSEA,” Mills told C4ISRNET. “As they procure or design systems, they’re taking into account information we’ve provided to make sure they do the right thing.”

Fleet Cyber has a tiered approach to cyber defense that encompasses several different organizations. Mills said Fleet Cyber is at the top, while in the middle they have a range of commands such as Naval Network Warfare Command (NETWARCOM) and Navy Cyber Defense Operations Command (NCDOC) — both of which are not part of the cyber mission force.

NETWARCOM, he said, is focused on the operate and secure portion of the network to include managing patches to maintain the network. NCDOC serves as the Cybersecurity Service Provider, acting essentially as the “sentinel looking out across the networks looking for where is the adversary coming from what are they trying to — where are they approaching our networks from and if there is an incident they also manage the ability to react to that incident and mitigate whatever is required and then learn from that incident.”

If an incident occurs on the network, there are a variety of different scenarios that can unfold, Mills explained. Some could be so low level that NCDOC remotely handles it without the affected command even knowing it happened. Local site administrators might call NCDOC remotely for help, in which case NCDOC will provide guidance on how to handle the issue.

If it can’t be handled that way, a Navy blue team could be deployed, which could be onboard the ship and, while they have expertise, are connected back to NCDOC.

However, if it’s some adversary or action out of the control of those layered levels of support, then they would call a service-retained cyber protection team, which is a cyber “quick reaction force” that are part of the cyber mission force, but would be assigned to the task force commander to respond.

More broadly speaking, the Navy’s approach to cyber for the last few years has been tracking toward a cyber resiliency as opposed to a cyber protection approach. The Navy must understand its cyber platforms as it understands other war-fighting platforms, Rear Adm. Nancy Norton, who most recently served as director of warfare integration for information warfare and deputy director for Navy cybersecurity, has said.

“How do we really think of cyber and what is the Navy’s cyber platform? So, we very much understand what a ship platform looks like [be it] a submarine or an aircraft, what those platforms do and how we manage them, but we’ve not thought of the cyber platform in that same way as one of our war-fighting systems that we have to have an understanding of and how we control that,” Norton, who now serves as vice director of the Defense Information Systems Agency, said.

She explained that the Navy is taking a different approach to all of its platforms — not just standard IT systems — but control systems, security systems and ensuring better understanding of the network and its vulnerabilities. Additionally, the Navy is really thinking about cyber resiliency much more than cyber protection.

“It’s about how do we maintain mission assurance, what is the risk to the mission and what is the risk to the force?” she said. It’s “not just understanding our networks, which is the baseline we have to do that, not just protecting our networks … but then also being able to detect any issues that come in through our networks and a much more robust ability to do that across the networks and on all parts of the networks.”

How Navy forces react is the most important part, she said. How does it fight through any network events, can it maintain the ability to conduct its mission, and what does it need to do this as quickly as possible?

The Space and Naval Warfare Systems Command also plays a major role in ensuring that communications and IT equipment is modernized, updated, installed and secure across the fleet.

“We focus very heavily on the ‘protect’ piece of it. We tend to be a little less robust in the other areas,” Rear Adm. Dave Lewis, who most recently commanded SPAWAR, said in December 2016 of SPAWAR’s cybersecurity focus, referencing other aspects of cybersecurity that include identifying, protecting, detecting, responding and recovering against threats. “So, one thing I’m emphasizing ... are those other areas. What’s normal in your network?”

In addition to trying to streamline modernization and installation of IT systems, making systems more secure given the limited availability of ships, Lewis also described initiatives such as data center closures and helping to take the Navy to the Cloud.