Former Navy IT and Acquisition Leaders Weigh-in on Challenges Ahead

Published: June 01, 2016

CybersecurityNAVY

What can a panel of former Department of the Navy (DON) technology and acquisition leaders tell us about what is working and what could improve? Plenty.

As the Navy and other defense components look for ways to secure and modernize their information technology (IT) and weapons systems, they face a range of obstacles from technical to cultural. In a previous entry, I noted how the Navy’s Chief Information Officer (CIO), Rob Foster, gave insights into some of his current priorities and challenges after being in the job for nearly a year. This week, I thought I would relay some of the salient points made by members of a Retired Senior Leaders Panel at the same AFCEA NOVA’s Naval IT Day.

The panel was moderated by Major General George Allen, USMC (Ret.), who is a former Director of Plans and Policy (J5) at the U.S. Cyber Command (USCYBERCOM) and is now an independent consultant. The three panelist gave remarks and answered questions around the theme: where are we today, where are we headed in the right direction, and what are areas for improvement.

RADM Janice Hamby, USN (Ret.), Chancellor, Information Resources Management College (IRMC), National Defense University

  • Where we are getting it right is understanding what is required and have begun the culture change that recognizes need for computer users to be aware of their impacts when they use IT. E.g. Defense cyber cultural change initiative. A missed opportunity is that we have not put enough investment into education piece to help the cultural change to thrive and grow faster.

  • Extra layers of defense – Things like JRSS, JIE and defense in depth is not enough. You can never make the shell hard enough to repel every attack. Next culture change needs to be a focus on resilience, and the first step needs to be an understanding of our network – what networks are there and how they operate, and what are the behaviors are normal on the NW. Then we need to have a plan/process in place to how to quickly identify and deal with bad behavior and restore data that has been corrupted.

  • Industry partners have helped the Navy get a deeper understanding of their networks. Industry can help by developing a standard of due diligence for third-party assessment so government can trust what they’re getting.

Mr. David Weddel, USN (Ret.), Strategic Development Director, Lockheed Martin, Former Assistant Deputy Chief of Naval Operations for Information Dominance (OPNAV N2N6B)

  • We need to keep moving toward integrated warfighting across all platforms, including the network. This includes looking at how we communicate in terms of warfighting.

  • The network platform needs to be secure, resilient, and reliable, beyond 99% reliability, which is not high enough in a warfighting context. We must increase resilience and learn to fight through a cyber-attack and move away from the traditional first response of shutting down the system under attack.

  • Develop better TTP (tactics, techniques, and procedures) and rehearse those often so that our people are well trained.

  • Look at how we employ the Cyber Kill Chain – reconnaissance, weaponization, delivery of weapon, exploitation, installation of the weapon into the OS, C2 of the weapon, and then any action an adversary takes and how we respond.

  • Resilience – the farther an adversary gets down the cyber kill chain, the less resilient we are. We need to develop the MOE and MOPs to show through how we manage the cyber kill chain from a cyber warfare/defense perspective: detect, deny, disrupt, degrade, and deceive. And we need to be able to explain how we do this in terms of warfighting.

  • We need to look at the surface portfolio we have to defend – the networks and applications that define the attack surface. We have done a good job of reducing the number of networks, but we have to be more aggressive in the area of application rationalization, and that takes money.

RADM Anthony Lengerich, USN (Ret.), Vice President and Client Executive, CACI

  • Acquisition perspective – Lengerich was on the warfighting side for 12-14 years before moving to acquisitions, so all the requirements that come through the process land on his plate to manage and make happen.

  • Acquisition is not broken. It is exactly how we in industry have forced Congress to write the rules and regulations and put the institutions in place to make it work the way it does. So if anyone can fix it, industry can. Still, Lengerich suggested that we stop trying to reform the FAR. Rather, we should use the flexibility that we have to get things done in other ways.

  • Cyber-warfare: We have a war on our hands (cyber) that is not visible to the public. We cannot see it or show pictures of it, so we in industry need to put our heads together to develop the solutions together.

  • What’s right: The government is trying to find money to try new things in the cyber business and worry less about avoiding failure of those efforts. He likes USECDEF for AT&L Kendall’s thought process on the willingness to take on risk and potentially fail, and to resist the fear of failure as an obstacle to moving forward. Traditionally, efforts to prevent repeating past failures have resulted in new acquisition rules that coalesce to bog down the entire process.

The panelists viewed favorably the re-designation of the Navy’s Information Dominance Corps to the Information Warfare Community on par with surface, subsurface, and aviation warfare communities because we have needed a warfare mentality within IT that is on-par with the other areas for some time. In a warfighting situation you cannot always assume that an information disruption is the result of an equipment problem. That said, they noted that even though the new community has “warfare” in the name it does not mean that it’s all about using IT as a weapon. Rather, it underscores our need to ensure that critical information is always able to flow in every warfare situation.