As the Navy begins to look at buying technologies to protect its networks, in particular those aboard ships, officials face a number of challenges ranging from the pace of acquisition to ensuring interoperability and compatibility.
In July, the Navy’s Program Executive Office for Command, Control, Communications, Computers and Intelligence (PEO C4I) at Space and Naval Warfare Command (SPAWAR), San Diego, stood up its newest effort to tackle cyber defense–PMW 130, the Information Assurance and Cyber Security Program Office, the cyber security acquisition arm.
“Our mission is to provide the tools and capabilities to the cyber warfighters that they need to protect our data and networks from all the various cyber threats,” Kevin McNally, information assurance and cyber security program manager, told sister publication Defense Daily recently.
“What we are trying to do, in a nutshell, we are securing the Navy’s cyber domain. That’s our bottom line,” he said.
In January the Navy stood up its Fleet Cyber Command and re-established the 10th Fleet at Fort Meade, Md. Both entities are headed up by Vice Adm. Barry McCullough.
While trying to protect the service’s information networks from outside attacks, intrusions and hackers is challenging enough, defending afloat systems can be an even greater task, McNally said.
“It’s a unique environment. I think that the Navy has become, over the last 10 to 20 years, increasingly dependent on C4I and that connectivity, and we do that in all aspects of executing our mission whether it’s navigation, engineering, communications, or weapons. Everything relies on our computers, our networks and our transfer of data and information,” he explained. “While that has increased our warfighting capability and our speed with which we execute warfighting, it’s also introduced vulnerabilities.”
There are several challenges with doing network security afloat, McNally noted. Chief among them is the limited number of personnel onboard a ship, he said.
“You don’t necessarily have all the assets on hand as you would in a shore-based facility. That becomes critical in nature. How do you rapidly deal with threats or incidents or configuration management issues?” McNally said.
Configuration management is another big issue, he added.
“Configuration management is probably one of the key tenets in information assurance. That is certainly one of the things that impacts your security–how well you do configuration management,” McNally said. “When you are in a network environment, the ships have to have the ability to operate and to manage their own networks. That becomes a big challenge to us.”
At shore-based sites the service has its Navy and Marine Corps Intranet (NMCI) environment and NMCI contractors who can help run these networks.
“We lock down a lot of the configuration,” McNally said. “You can’t do that in a tactical environment and you can’t shut down and reboot any time you want to when the ship is trying to execute its mission.”
Another issue is having access to ships to do software and hardware installs and upgrades.
“We don’t always have access. We are subject to the ship’s availability. We are trying to be rapid in our response to cyber threats in patching and introducing capabilities. We only have access to these ships in CNO (Chief of Naval Operations) availabilities,” McNally added. “That becomes a big issue. Patching is something you have to keep up.”
For the first six months of 2010, Symantec [SYMC] reported that there were 1.4 million malware code signatures, which is up from the previous six months, McNally noted.
“So how do we keep up with all of the patching and securing of vulnerabilities in an environment where we don’t have constant access to that ship? It’s a much different environment,” he added.
For the most part, the ship’s network personnel are responsible for managing and keeping those networks operational, McNally said. “We can’t call in a support contractor and bring them out to the ship, so the ship has to do that, they have to have that flexibility.
“And we have to build our systems such that their baseline is secure and we automate as much as we can to simplify the job for them,” he added.
Another big challenge is rapid acquisition, McNally said.
In 2009 the Defense Science Board released a report that said the Defense Department was struggling to keep pace with new information technology (IT) capabilities, he said.
“They presented a new model by which we can look at doing IT acquisition. In one theory, that is one of our biggest challenges–how are we going to keep pace with technology and ahead of the threat,” McNally said. “I think we are right now looking at various models including that report that came from the Defense Science Board, but we are looking at lots of models for rapid IT acquisition.”
Rapid IT acquisition is a significant issue because so much hardware and software today relies on commercial-off-the-shelf (COTS) technologies.
“There is a tremendous amount of COTS software and hardware that we put on these ships. It’s the IT we put on the ships and that does create an issue for us,” McNally said. “When I talk about trying to keep the configuration managed and up to date and patched, etc., and products go end of life and new products are introduced, how do we keep the baselines up to speed?”
The traditional defense acquisition model, meant for ships, aircraft, and weapons systems, takes a long time to develop and field capabilities, he added. “That model doesn’t work as well in cyber defense, where we are trying to protect our IT capabilities afloat and we need to stay ahead of the threat.
“That’s one of the challenges we are going to face–how do we do rapid IT acquisition, how do we introduce new products to defend networks in line with how they are being developed in industry as well as how quick are we to counter emerging threats,” McNally said.