Defense in Depth
On my arrival in summer 2012, I was immediately impressed with the breadth of missions assigned to 10th Fleet, among them long-haul and satellite radio-frequency communications, defensive cyber operations (DCO), and signals-intelligence collection management, and with the professionalism of the warfighters who manned the cyber watch daily. All of these missions are critical in supporting our forward-deployed naval forces. Of course, the adversary also recognizes the operational necessity of these warfighting professionals. And like our carrier strike groups (CSGs) at sea, our networks are under constant surveillance and probing by adversaries whose objective is to enhance their ability to maneuver unrestricted in cyberspace. If left unchecked, this access can place the adversary in a position to deny, disrupt, degrade, or even destroy our ability to move information across the battle space. Having now served in both operational environments, first as a surface warfare officer and commodore of Destroyer Squadron Twenty Two and later in my role at the 10th Fleet, I have concluded that while the capabilities are different, defense in depth in cyberspace is planned and executed largely in the same manner as defense in depth at sea.
As the surface warfare commander for Carrier Strike Group Two, I coordinated with other warfare commanders to optimize an overall strike-group scheme of maneuver to maximize the capabilities of assigned ships, submarines, aircraft, and other inorganic assets against known threats. An effective scheme of maneuver facilitated the CSG’s ability to position the force as necessary to defend and/or project power in support of national objectives. These capabilities provided the commander with the necessary long-range sensing, intelligence and warning, and detection/tracking of contacts of interest to build an accurate common operational picture (COP). This COP would then be used to support operational decisions, force maneuvers, and other appropriate actions in support of the overall mission.
While observing cyberspace operations from the 10th Fleet Maritime Operations Center, it became clear that this same challenging strike group “defense in depth” construct is analogous to how we fight in cyberspace. Instead of using ships, submarines, and aircraft, however, the 10th Fleet employs an array of network sensors, firewalls, point-defense systems, and other capabilities to support their operations. The objective is the same—to develop a cyber COP that informs tactical decisions, permitting the freedom of maneuver necessary to defend our networks.
To manage the battle space around a CSG, search areas are defined to allocate the positioning of platforms. While distances vary depending on the threat, these areas are broken down into three broad zones to assist in sorting out the tactical picture. At the outer reaches of the CSG's operating area, long-range sensors are employed to sort through the complex mix of commercial and military air, surface, and subsurface contacts that share the same water space. In this surveillance area, space and national assets, carrier-based aircraft, and other long-range intelligence, surveillance, and reconnaissance (ISR) platforms, both manned and unmanned, provide the CSG forward-looking, long-range "eyes." These assets broadly discern friend from foe and provide cueing to other assets to gain additional information. The goal is to develop an accurate, coherent surface, air, and subsurface COP as early, and at as great a range, as possible. Given the finite number of search assets allocated to the strike group, the commander must position these search platforms to maximize the probability of detection. Cueing and intelligence can narrow the search area along a specific threat axis, but ultimately risk assessments are required to optimize force employment.
Single-Axis vs. Omnidirectional Threats
Within cyberspace, the long-range search area around a CSG described here is analogous to the Department of Defense information networks (DODIN) or ".mil" domain. While the terms are different, the goals of long-range search within the DODIN are the same. The difference in cyberspace, however, is that instead of long-range platforms and other ISR capabilities, the outer reaches of the DODIN are continuously scanned by network sensors operated by our cyber partners, including USCC, the NSA, and the Defense Information Systems Agency (DISA). These sensors employ capabilities specifically designed to detect cyber activity and to characterize it by position (e.g., Internet Protocol addresses), identification, and in some instances, intent. The sensors, combined with other intelligence-collection capabilities, continuously scan the DODIN and pass tipper information both internally within USCC, NSA, or DISA and to each of the military services' computer-network defenders to permit deeper investigation.
The challenge in cyberspace, however, is that there is no single threat axis. The threat is omnidirectional with a wide range of threat actors. Because of this, sensors are positioned at strategic access points to the DODIN to detect in all directions as data traverses the outer DODIN network boundary. In addition, while the threat is arguably largely understood with respect to carrier operations, in cyberspace this distinction is far less clear. Threats vary from nation-states and criminals to hacktivists and terrorists. Often, specially trained operators must provide detailed cyber forensics to fully understand these threats, preferably before such activity can occur, but all too often well after an intrusion has been detected. Sensor-acquired signature data, combined with detailed forensics, allow network defenders to better understand who the adversary is, the locations he uses to direct his actions, and the specific tactics he employs. Given the rapid advances in cyber technology, these sensors must constantly be tuned to stay in front of an adaptive and evolving threat.
The closer unknown contacts come to the CSG, the more important it is to gather additional information. In this second search zone, greater fidelity is required with respect to contact identification, direction, speed, and most important, intent. As unknown contacts pass from the longer-range search area to this closer zone, additional sensors and assets are brought to bear. Task groups are detached to examine the unknown contact or perhaps a combat air patrol or surface action group is directed to visually identify the target. These combined sensors continue to build an even more accurate operational picture that allows the decision-maker to take timely and appropriate action.
In cyberspace, I propose that the area analogous to the search area described here is the navy.mil domain, where the Navy operates and defends its own networks at the service level. "Tier two" sensors provide our service the organic search capability at the Navy's outer network boundary. These sensors gather and share information with our joint cyber partners with the goal of building a more complete cyber COP. And like detaching a surface action group at sea, if a detection is made in the navy.mil domain, cyber teams with special forensic capabilities, called cyber-protection platoons, can be detached to a site where a possible network intrusion is noted. These teams investigate, identify, and attempt to understand the extent of the compromise so that appropriate defensive actions can be taken. Depending on the threat, these actions can range from blocking adversary access, to full isolation of network segments, to potential offensive responses approved by higher authority under still very immature rules of engagement.
Still closer to the CSG is the area that presents the most immediate danger. Again, an area of varying size depending on the threat, this is the water space that places the strike group at most risk should the adversary be able to maneuver undetected. Once “inside the fence line,” the adversary is then within weapon launch range and poses a direct threat to the ability of the CSG to conduct its mission. To counter this, the strike-group commander places certain assets in close proximity to provide necessary “point defense” for the carrier, such as a “shotgun” Aegis cruiser. Preplanned responses are in place, and weapon postures and equipment configurations are adjusted to permit the CSG to respond quickly. While the goal is to prevent the adversary from ever maneuvering into this area, ultimately the strike group is manned, trained, and equipped to employ the full aggregate power of the force to defeat the incoming threat. But should the adversary be able to execute a successful attack, the strike group, down to the individual platform, is trained to “fight hurt” to ensure the mission continues. Zebra is set, damage-control teams are deployed, and casualty-control procedures are executed. The strike group isolates the damage and reconstitutes its capabilities as best it can to continue the fight.
In cyberspace, the vital area is analogous to an individual network at the platform level, such as a surface-ship system or command-and-control node. Once inside this area, the adversary has gained the upper hand. They are within cyber "weapons range" and are able to maneuver to gain additional intelligence, steal information, or worse, execute cyber attacks that can degrade or hard-kill a specific network, system, or platform. Lateral movement is possible, placing our ability to share information across the battlespace at risk. But like a strike group at sea, our 10th Fleet task-force commanders maneuver our networks, position assets, and tune our sensors to provide the necessary detection and point defenses to counter adversary activity. Our host-based security system, designed to monitor, detect, and counter known cyber threats; basic "blocking and tackling," such as aggressive patching of network hardware and software vulnerabilities; and, if necessary, setting zebra on our networks all allow our Navy to maneuver and defend our systems. And while these actions provide point defense against an adaptive adversary, our cyber warriors, like our sailors at sea, are trained to "fight through" an adversary attack by rerouting network data paths, executing preplanned responses for reconstitution, or blocking adversary actions to prevent future compromise.
Create a Cyber Deterrent
So what can be done to improve our Navy's ability to defend our networks in the future? First, under the leadership of Admiral Rogers (and Vice Admiral Barry McCullough before him) the 10th Fleet has come a long way in transitioning from a disparate, unintegrated group of network operators into a single maneuvering force that functions under the same planning principles used by our traditional warfighters at sea. As an operational staff, the 10th Fleet continues to evolve from the distribution of computer-tasking orders and other technical directives, largely not understood by the warfighter, to a construct that involves the development of operational plans synchronized through the promulgation of warning orders, execute orders, and fragmentary orders (with the latter issued to adjust plans as the tactical situation unfolds). This adjustment has allowed the 10th Fleet to transition from previous ad hoc planning processes to proven deliberate and crisis-action planning that better coordinates cyber effects. As expected, this methodology was the driving force behind the Navy's success in eradicating a persistent cyber adversary from the well-publicized Navy-Marine Corps Intranet intrusion back in 2013. We must continue to evolve and mature our cyber operational planning processes as we move forward and more deeply embed these plans into our traditional warfighting domains.
We must also shift from what has previously been an exclusively defensive posture to one that opens the door wider to the employment of offensive cyber capabilities. In public testimony on 20 November 2014 to the House Intelligence Committee, Admiral Rogers opened the national dialogue on this issue when he stated that if the United States remains on the defensive alone, it would be a "losing strategy." While the national debate continues, at the tactical level this effort should include a broadening of our cyber rules of engagement (ROE) to permit, at a minimum, the ability of network defenders to "shoot back" in self-defense. Just as the commanding officers of our ships, under the authorities granted them in the standing ROE, have the power to defend their vessels against an imminent threat that demonstrates hostile intent, so too should the authority be granted to those in command of our networks under similar circumstances. Today, however, this authority remains held at the highest levels of government because of the potential for unintended network/cyber fratricide. As the sophistication and precision of offensive cyber weapons increase, however, permitting our commanders the ability to shoot back increases our network agility and resilience against an increasingly adaptive and skilled adversary.
In fact, this capability could potentially dissuade our adversaries from ever undertaking a cyber attack to begin with. The broader benefit would be to provide our operating forces a cyber deterrent on par with the umbrella of success we have enjoyed as the most powerful kinetic Navy in history, to include our nuclear deterrent. USCC and the services are already in the process of building out a more robust offensive cyber capability with some delegated authorities at the combatant command level. These cyber-mission forces consist of specially trained operators with the mission of defending our nation should a significant cyber attack occur. This build-out needs to continue unimpeded by budget cuts or sequestration, with capability, capacity, and authorities delegated even further down to the 10th Fleet commander as a first step, but ultimately down to individual cyber task-force commanders.
Taken one step further, our Navy is uniquely positioned to broaden the use of offensive cyber effects directly onto the battlespace, beyond just cyber self-defense. Given the inherent ability of our Navy to operate forward, cyber operations can bring warfighting advantage to our forces and joint/coalition partners, particularly in denied and contested environments. As proposed by the Strategic Studies Group report to the Chief of Naval Operations on Electromagnetic Maneuver Warfare, a report of which I was a coauthor along with ten other CNO Fellows, the Navy's proximity and persistence allow access to adversary networks and systems, placing our forces in position to discover vulnerabilities that would permit the delivery of follow-on cyber weapons. Preplanned and preloaded cyber missions could be launched to achieve precise effects, analogous to the way we plan and execute Tomahawk missile strikes today. In the future, every Navy ship, aircraft, submarine, or unmanned vehicle should possess an arsenal of cyber-enabled offensive capabilities, contributing to cyber deterrence while concurrently providing our Navy a game-changing combat advantage.
‘Expect What You Inspect’
Finally, to improve our ability to defend ourselves in the cyberspace domain, we must change our cyber culture afloat. The old adage “expect what you inspect” applies more than ever within the cyberspace domain. When I left the 10th Fleet, the average cyber-compliance inspection score for our surface platforms hovered in the mid-50s out of a possible 100 points. Cyber compliance is hard, and there are a number of systemic contributors in our Navy that make it even harder, such as lack of sufficient funding, a software-vulnerability upgrade process that does not keep pace with the threat, or the current inability of our acquisition system to “bake in” cyber security up front in our most critical systems. Regardless, vulnerabilities are discovered every day, and our operating forces remain on the front line ill-equipped to eliminate or mitigate these vulnerabilities.
Some say these inspections are too hard, that the standards are too high. I disagree. In the end, the very ability of our forces to operate forward hinges on the cyber-security posture we can achieve as a service. And so, standards must remain high, and aggressive cyber inspections and certification must continue so that we can shine a spotlight on cyber vulnerabilities within our force. This will do more than just raise the bar on our afloat cyber-security posture, it will also permit us, as a service, to prioritize resources, adjust operational plans to mitigate risk, and most important, drive cultural change across our Navy.
Cyberspace security is a team sport. Just like passing an intrusive Board of Inspection and Survey, it takes all hands on deck to ensure our systems are configured, operated, and maintained in accordance with basic standards. We painstakingly take a steady strain when it comes to our engineering plant or combat systems, and we should expect no less attention to detail when it comes to our networks. But more important, we now operate in a world of focused and dedicated cyber opponents who are currently executing sustained and not episodic cyber operations. The time has come where network operations should no longer be left to just the specialists at the 10th Fleet. To win the future fight in cyberspace, every sailor must be a cyber warrior. Cyberspace awareness must be inculcated across our force. Just as we train our sailors in basic damage control—where every sailor is qualified to pick up a fire hose or to save the life of a shipmate—likewise, every sailor must be trained in the importance of maintaining a high personal cyber-security posture for the good of himself, his shipmate, the ship, and the strike group.