After several cyber breaches in recent years, the secretary of the Navy has commissioned a study to take a comprehensive look at the Department of the Navy’s cybersecurity posture.
In the wake of these events, the Navy also stood up task forces to improve its cybersecurity. However, the new study, released publicly March 12, asserts that “despite these initiatives, the progress made to date in changing [Department of the Navy’s] information resilience and cybersecurity culture has been insufficient to bring about meaningful change."
Rear Adm. Danelle Barrett, director of the Navy Cyber Security Division, told Fifth Domain that this study differs from past efforts is its strategic-level take of cybersecurity vulnerabilities.
This review in particular is naval in nature, meaning it encompasses the Navy and the Marine Corps. Previous projects, such as Task Force Cyber Awakening — an effort undertaken after Iranians allegedly compromised Navy networks — focused solely on the Navy and specifically those responsible for the architecture and technical aspect, Barrett said March 21 following her appearance at an industry event.
“Task Force Cyber Awakening was awesome to take a look at a response to a specific attack on our network. We did a lot of things to establish standards, technical standards, defense in depth, using the [National Institute of Standards and Technology] framework, for example,” she said. “Then programming money to buy technology, capability and training that would help get after that.”
The new review also addresses personnel problems in terms of governance and accountability, Barrett said.
“To fully understand the current cybersecurity posture, this review examined the shift of national defense strategy, to include past and present information strategies, cyber strategies, cyber policies, and guidance across all elements of the government that has occurred since the 2017 National Security Strategy and 2018 National Defense Strategy’s acknowledged return to global peer rivalry,” the study said.
Barrett equated the approach to cybersecurity to damage control on a ship, noting it’s not the job of one person or one small unit to do damage control.
“I think where we get a lot of benefit in this study is it broadens it out to say: ‘Hey, this is like damage control. This is everybody,’ ” she said, adding that like damage control, cybersecurity is everyone’s business.
“Where do we have issues with maybe alignment that could be better that if we get those fixed, then we can get better accountability or better responsiveness or better resource allocation? Even things like if there have been good changes over the years recently to some other studies we’ve done where people who have owned some of those operational technology systems have realized: ‘Hey, holy cow, I didn’t really think about cybersecurity before, but now I do.’ ”
Barrett told the audience of mostly industry participants that the study did not reveal any real aha! moments for the Navy, but that it highlighted problems with which the service has struggled, and it encapsulated them into a document to help the service going forward.
“Let’s make sure we identify all those things we know we struggle with that maybe we don’t have enough resources or we don’t have enough momentum or our people don’t realize the importance of that. Let’s get that out there and air it out so we get that kind of attention and spotlight on it that we need,” she said. “The importance of this study for us is it’s really helping us hone in on what we can put our resources against both people, human capital, people, process and technology.”
Since the study’s conclusion, the Department of the Navy has put forth a joint Navy-Marine Corps team to address some of the concerns.
“The action group that we have that’s working the items out of that study is actually combined Navy and Marine Corps. There’s a general on that side, and me. We kind of lead up those efforts for the Navy,” she told Fifth Domain’s sister publication C4ISRNET.