Sea Power - April 2016

“Fixing the systems without addressing the people
as part of it is worthless, because the people operating
them is going to be the biggest vulnerability no matter
what you do with the system,” Norton said. “The users
will be able to circumvent things put in place if they
don’t understand the risks, so we start with things like
the workforce themselves: the Navy workforce and the
cyber workforce in particular.”
That involves plenty of training. The Navy is getting
ready to release an update to the Navy cyber workforce
management manual that will specify some of the training
and certification requirements for the workforce, which is
a big deal and applies to the entire Navy workforce.

In the past, Sailors got fairly basic training on networks and systems, while the system administrators got the in-depth training. Now, “we’ve expanded that middle ground to have some tiers of training,” Norton said.

“We have groups of training for users, leaders, en-
hanced users and the cyberspace workforce,” she said.
“It can’t just be left to a system administrator to worry
about it.”
Concerns about cyber security have changed the
way the Navy designs platforms from the ground up.

“It has to start with design,” Norton said. “Part of
that is understanding, really, what the connections are
to the outside world and what the flow of traffic is on
those systems, and what can be put on those. So in each
one of those connections, we focus on control points:
about having watertight doors and compartments so at
those control points we can reduce traffic flow volume
or shut it off to something malicious, or increase the
level of monitoring.”
Bryan Clark, a senior fellow at the Center for
Strategic and Budgetary Assessments, said that hackers
are changing their tactics these days. In the past, they
would seek a backdoor through which to enter a sys-
tem and wreak havoc. Now, they are focusing more on
getting a user’s password, presenting an entirely differ-
ent challenge to the Navy than in the past.

“What’s happened is it’s gotten harder to break into a computer network using a program or tool that just hacks through some security protocol,” Clark said.

“Now, because it became more difficult, [hackers] shifted
focus to getting user identification information and
entering the system as a trusted member of the network.”
They do this through a variety of methods: they
might guess a password, they might trick you into click-
ing on a link that allows them to pull the password you
have saved on your computer, or they might even figure
out some of your personal information — birthdate,
mother’s maiden name, etc. — to get a password reset.
So how can the Navy combat this? Through consol-
idation of networks and the cloud,
Clark said.
For example, the Navy used to
have a situation where each ship
basically had its own network. Now,
all of those networks are being
brought into one umbrella under the
Consolidated Afloat Networks and
Enterprise Services system. Although
a consolidated network may make it
seem like a hacker would have
broader access to networks than if he
or she had to hack into each individ-
ual networks, that is not the case
thanks to the fact that data is hosted
on a cloud network, Clark said.

“The cloud architecture protects individual pieces of information with different types of encryption, as opposed to protecting the network, because once you get into the network you can wreak all kinds of havoc,” he said. “In the cloud architecture, even if you get in the network, you can’t necessarily access information because all of the information is protected based on who you are or who they think you are.” ;

Information technology contractor Kevin Truitt, assigned to Space and Naval Warfare Systems (SPAWAR) Center Pacific, and Information Systems Technician 2nd Class Bennett Paylor verify the status of the unclassified e-mail exchange server aboard the amphibious assault ship USS Makin Island during a System of Systems Operability Test Oct. 21. SPAWAR’s Fleet Readiness Directorate routinely visits Navy vessels to provide crews with cyber security, information technology and combat systems training and technical assistance.