Navy Cyber lacks the specialization and focus necessary to progress in the ever-evolving field of cyber security. Several steps were skipped in the Navy’s attempt to train defensive cyber experts, including 1) establishing a clear vision and standard for subordinate commands and teams to develop a sustainable and repeatable training pipeline to promote a defensive posture that adapts with evolving technologies and adversarial tactics, techniques, and procedures (TTPs) and 2) endorsing specialization within Navy cybersecurity to promote subject matter expertise for various aspects of networking, host-based forensics, and infrastructure. Cyber security is dynamic in nature and the Navy’s reluctance to adopt a clear standard and specialization will continue to hinder its ability to grow in cyberspace.
The Cyber Mission
In May 2018, the DoD reported that U.S. Cyber Command’s cyber mission force achieved full operational capability. The cyber force mission is to “direct, synchronize, and coordinate cyberspace operations in defense of the nation’s interests;” cyber protection teams (CPTs) are intended to “defend DoD’s information network, protect priority missions and prepare cyber forces for combat.” Furthermore, national CPTs (N-CPTs) are designed to “plan, direct, and synchronize full-spectrum cyberspace operations to deter, disrupt, and if necessary, defeat adversary cyber actors to defend the nation.” As the Navy N-CPTs are currently postured, none of these mission statements are achievable. This is not due to a lack of effort by the individual teams or analysts, but rather a lack of appropriate training.
If the Navy fails to develop a robust and flexible DCO capability, it invites national security, economic, and intelligence risk. Congress mandated that Naval forces must protect and defend U.S. maritime trade interests, which encompass a cyber aspect, but much of U.S. national security policy has gone no deeper than PowerPoint. It is not enough to say that Cyber Command has achieved operational readiness since no other service is charged to defend Navy networks, shipboard networks, or networks involved in U.S. maritime trade. On that front the Navy is alone, and ill prepared.
Navy Cyber must create specializations to maintain a well-balanced, flexible, and proficient DCO force tailored to conduct defensive operations on any customer network. CPTs would benefit from offensive technique as well as infrastructure training to better understand the vectors and attack surfaces which they are attempting to hunt or defend. DCO teams need to develop the skillsets to diagnose TTPs used in the cyber kill chain, identify key terrain as it pertains to specific advanced persistent threat (APT) targets, and familiarize themselves with computer and network architecture to effectively hunt for or defend against an adversary. Furthermore, cryptologic technicians networks and ITs need to be better integrated into the cyber threat intelligence training pipeline to pursue behavior-based rather than “whack-a-mole” style hunting based on single-factor indicators (e.g., IP addresses, malicious domains, bad hashes).
Due to the inherent ambiguity in cyberspace and prevalence of un-attributable actions, N-CPTs should be employed as APT-agnostic teams to enable them to focus on behavioral-based hunting. However, the lack of guidance inhibits teams from securing the training to build a dependable skillset focused on these behaviors.
Leveraging the Private Sector
Inadequate training is detrimental to the Navy’s ability to fight and compete in cyberspace on an international stage. While talented cybersecurity operators are coming to the military, the lack of investment in training is pushing them away—and furthering the divide between industry and DoD. The idea that the public sector will never be able to compete with the private sector is a self-fulfilling prophecy. There are companies and organizations whose job it is to educate and train operators—such as the SANS Institute, Offensive Security (OffSec), Mandiant, and Dragos—but the Navy is not properly engaging them.
The argument has been made that the industry standard is too expensive and that the payback to the command will be minimal. However, analysts’ skillsets tend to atrophy without relevant, tailored training. Thus, Navy Cyber must invest in the training and upkeep of new and high priority skillsets. Additionally, with emerging technology and offensive TTPs comes the need for new defensive skillsets to defend that new technology and learn how to detect and protect from those new TTPs. This requires robust training and specialization. Without constant, high-quality training and development, these analysts are less valuable to the DoD cyber force.
Rather than reinventing any wheels, leveraging industry partnerships for training and education would allow Navy Cyber to grow quickly and efficiently. DCO teams and analysts must be trained to the standards set by industry rather than fighting against those standards. By trying to avoid endorsing one vendor over another, Navy Cyber is choosing not to endorse any and thus taking away opportunities to better train sailors to be proficient DCO analysts. Relying on self-taught sailors to generate and conduct in-house training in addition to maintaining and improving their own skillsets is unrealistic. Not only does this overtax self-motivated sailors, but it also provides inadequate training to the rest of the force.
Proposal
Focusing too heavily on fairness regarding who gets sent to what paid training and the cost-benefit analysis of a sailor’s attendance results in no one receiving adequate training and therefore no successful CPT. To resolve this dilemma, senior Navy leaders must develop and disseminate a clear vision and standard for Navy Cyber and then revise the training for the cyber force. Commander, Naval Information Warfare Command, should discontinue the current pipeline training, and implement private sector training in specialized areas to promote specific areas of expertise tailored to threat hunting.
The recently established Navy Cyber Warfare Technician enlisted rating and Maritime Cyber Warfare Officer designator (NAVADMINs 134/23 and 137/23) are two great steps in the right direction toward specialization within the warfare area. However, manning the field is only a part of the battle; the guidance and training piece will need to develop and be promulgated in quick succession to set the new communities in the right direction.
If the Navy wants to compete on the global stage, it must have technical subject matter experts who understand the needs, strengths, and weaknesses of the cybersecurity workforce. It must also create and endorse specialized skills within this new rate/designator and pursue training from the private sector to capitalize on successful industry standards, practices, and methodologies that have created reliable, repeatable, and efficient DCO capabilities.