The Navy in September stood up a new Cyber Security Division within its leadership structure, institutionalizing the capabilities of a year-old task force the service initiated in the summer of 2014 that conducted an enterprise-wide review of how the service organizes, resources and better positions itself for cyber security needs.

“We are now mainstream,” Troy Johnson, the acting director of the Cyber Security Division within the Information Dominance (N2/N6) directorate of the Chief of Naval Operations, told Defense Daily in an Oct. 26 interview. “What we discovered during the life of the task force was most of the work that was being done by the task force, be it advocating for resources…or evaluating how the Navy specs and credits, that work needed to continue.”

The new division is part of the Warfare Integration group led by Rear Adm. Nancy Norton within N2/N6, which in turn is led by Deputy Chief of Naval Operations Vice Adm. Ted Branch. The N2/N6 office is the lead in the Navy for resourcing intelligence, cyber warfare, command and control, electronic warfare, battle management, oceanography and meteorology capabilities.

The Cyber Security Division is still gearing up and sorting out its structure. Staffing, manpower, stakeholder equities and the like are still being worked out and an organization chart hasn’t been finalized, Johnson said.

The division arose from work done by Task Force Cyber Awakening (TFCA) that was established by Branch. TFCA reviewed how the Navy organizes, resources, acquires and readies itself in the area of cyber security, to include traditional IT as well as combat systems, support, and other information systems.

While TFCA was in existence it developed a cyber resiliency plan that the Navy is using to help prioritize its investments and initiated the Cybersafe program, which works to ensure that the standards, specifications, training, procedures and in some cases materiel solutions are in place so that critical mission capabilities across the service are built in.

One of the tasks of the Cyber Security Division is to be “resource advocates…for who needs to be spending what” in terms of meeting the Navy’s cyber security needs, Johnson said. The Navy already “has been making a pretty good investment in hardening and refreshing” in the area of C4ISR and more recently its tactical platforms “so now our job is to hold onto that and to make any adjustments,” he said.

“So I’ve got a couple of guys that do nothing all day but defend the money that we’ve got in the program now and look for what we’re going to program for in [FY] ’18 and out,” Johnson said.

Another function that the Cyber Security Division is working on is firming up requirements “that all systems would have to compare themselves against and that everybody would have to comply with if the particular aspect applies to their program of record,” Johnson said.

For programs of record, Johnson said, there are mandated or must-do requirements and then there are things that everyone would like to do. But with the pressure of cost, schedule and performance, “over time those ‘like to dos’ get trimmed off and in many cases cyber security has kind of fit into that nice-to-do bin. Even though it’s always been mandated, it hasn’t always been adhered to nearly as closely as we would like.”

Johnson wants “firm” system requirements for all programs “and those become things that get checked all the way through” and are part of reviews at various stages of the acquisition process. “So by the time a system gets fielded or a platform gets fielded, it’s got much better cyber security baked in,” he said.

Other key functions of the Cyber Security Division include making sure that relevant technical standards—such as those published by the National Institute of Standards and Technology, the Defense Information Systems Agency, the Defense Department and the Navy—are published with “Navy specific implementations,” Johnson said. The division is also tasked with workforce aspects so that the training is in place to ensure there is “enough cyber security expertise” across the enterprise.

Not everyone has to be an expert, Johnson said. “We want to make sure that people who are software engineers or systems engineers or anything like that, that they have had the right training.”