Friday, August 12, 2022

‘Chink In The Armor’ – Why World’s Most Powerful US Navy Remains Highly Susceptible To Cyber Attacks

Amid an avalanche of cyber-attacks in Ukraine and troubled China-US relations, the US Navy, compared to its sister services, is increasingly being perceived as highly vulnerable to hackers for access and information.

So much so that while the House Armed Services Committee (HASC) is pushing the Navy to create a singular and special work role dedicated to cyberspace matters, the Senate Armed Services Committee (SASC) would like the Navy to entirely get out of cyber operations for U.S. Cyber Command.

These recommendations from the two committees of the two Houses in their respective versions of the fiscal 2023 National Defense Authorization Act, which are now for legislative approval from the two chambers of the US Congress – the House of Representatives and the Senate –  and their eventual adjustments or reconciliation.

The SASC had passed its version of the National Defense Authorization Act for fiscal 2023 on June 16, but the full text of the bill and its provisions were released publicly only on July 18. The House Committee completed its consideration on June 23.

Both HASC and SASC seem to have shared concerns that the US Navy does not have a dedicated military occupational specialty for cyber, affecting its overall combat readiness.

As it is, the US Navy is currently the only service that does not have a dedicated specialty “designator,” the term used in naval parlance for cyber.

Its cyber personnel are primarily resourced from its cryptologic warfare community — which is also responsible for signals intelligence, electronic warfare and information operations, among several mission sets — with additional roles resourced from information specialists and cyber warfare engineers, who, otherwise, are not operators.

These engineers only deal with technical skills and the development of tools.

Of course, there is an overall US Cyber Command that was created in 2010, with each service (Army, Navy, Air Force, and Marines) contributing to the joint Cyber Mission Force.

And when it was created, the Navy, ironically,  was supposed to be the leading branch of the military for the cyber arena as it was said to have a rich heritage in what was then known as “tailored access operations” at the National Security Agency (NSA).

The NSA has been responsible for breaking into adversary computers for intelligence gathering purposes. It is to be noted that Cyber Command and NSA share the same Director and are closely aligned).

Accordingly,  U.S. Fleet Cyber Command (FCC)/U.S. TENTH Fleet (C10F) was created in 2010 as the Navy component command to the U.S. Cyber Command (it also became the Navy space component to U.S. Strategic Command and the Navy’s Service Cryptologic Component Commander under the National Security Agency/Central Security Service.

It now has an operational force composed of more than 14,000 Active and Reserve Sailors and civilians organized into 28 active commands, 40 Cyber Mission Force units, and 27 reserve commands around the globe. U.S. Fleet Cyber Command reports directly to the Chief of Naval Operations as an Echelon II command and is responsible for Navy information network operations, offensive and defensive cyberspace operations, space operations and signals intelligence.

RIMPAC
File Image: RIMPAC Drills

However, now there is a growing realization that this system or structure has not proved to be good enough for the Navy. Because in the meantime, other services have created their respective specific military roles for cyber operations. This meant that in other services, a service member would focus on cyber for the duration of his or her career.

In the Navy, on the other hand, personnel have to constantly cycle in and out to gain experience and expertise in the other aspects in order to get promotions.

In the process, the critics say, the Navy does not have institutional expertise both in the operations community and at the top echelons of leadership to deal with cyber issues. Incidentally, most current admirals in the Navy cyber community are career aviators.

The need of the hour, therefore, the critics argue, is to establish a cyber field within the Navy that ensures that personnel in the cyber roles remain in those roles for the duration of their career and the service isn’t constantly training new personnel to serve in these highly technical fields.

In other words, unlike other services which have developed their respective cyber war-fighting perspective, the US Navy has preferred to move its cyber force closer to the NSA and intelligence community rather than the fleet. It is said to have prioritized signals intelligence and electronic warfare.

However, this line of thinking has now been challenged by many within the Navy itself.  Lieutenant Commander Derek S. Bernsen, U.S. Navy Reserve, has written that it is time for the Navy to “consolidate responsibility for cyber, invest in the cyber warfare engineer community, and require deep technical experience for all cyber roles.”

In fact, none other than the Navy’s Chief Information Officer Aaron Weis has admitted that the US Navy had cybersecurity wrong. “I have made the assertion now, publicly, multiple times. You may have heard me say it.

But I believe that the way that we view cybersecurity in the Department of Navy is wrong,” he said at a conference in March. “We have 15 years of track record that proves that the current approach to cybersecurity, driven by a checklist mentality, is wrong,” Weis added.  “It doesn’t work.”

Weis explained that cybersecurity should be treated like the broader concept of military readiness. “A more holistic lens would emphasize active cyber management — considering a range of factors — and could inch away from red tape, audits and boxes that need checking. Essentially, traditional assessments of equipment, logistics, training and personnel, among other things, could find their equal in the digital domain,” he said.

Wies’ admission followed his boss, Deputy Chief of Naval Operations for Information Warfare and Vice Adm. Jeffrey Trussler’s warning through an unclassified memo that “Cyberattacks against businesses and U.S. infrastructure are increasing in frequency and complexity.

DoD (Department of Defense) and federal law enforcement report adversary interest in our remote work infrastructure. This means that you are a target — for your access and your information.”

Pointing out that “hackers have exploited mistakes on Navy and private, at-home networks by stealing or guessing weak passwords and other credentials, furtively installing malware, and posing as service members or veterans to pry information out of people,” Trussler said, “With heightened tensions throughout the world, ensure your team understands how the actions of a single user can impact our global force.”

Submarine-US-Navy
File Image: US Submarine appearing in Guam

This being the case, the Naval leadership may not mind the direction of the House Committee (in the fiscal 2023 NDAA policy bill) to the Secretary of the Navy to establish and use “a cyber warfare operations designator for officers and warrant officers” — which will be distinct from the cryptologic warfare officer (CWO) designator — and a cyber warfare rating for enlisted personnel separate from the cryptologic technician enlisted rating.

In fact, as a means of forcing the Navy’s hand, the HASC would like a provision that prevents the service from assigning a member of the Navy to a billet within the core work roles at teams or components of the Cyber Mission Force if he or she has cryptologic warfare, intelligence, or information professional designator in the officer corps or a cryptologic technician, intelligence specialist, or information systems technician rating among the enlisted ranks after June 1, 2024.

According to the House bill’s language, following the establishment of a cyber designator, the Navy must submit a report certifying certain actions have taken place, to include the creation of cyberspace operations as a military discipline, a training pipeline for it, and funding.

Following that report, the commander of Cyber Command must also submit a report determining if the issues addressed in the Navy’s report satisfy the requirements of the command.

However, one is not sure if the Naval leadership will like the Senate’s version of the annual defense policy bill, which raises the specter that the Navy should entirely get out of cyber operations for U.S. Cyber Command.

The SASC bill requires the establishment of a new or revised model by the secretary of Defense by December 31, 2024, which, among other aspects, determines whether the Navy should no longer be responsible for developing and presenting forces to Cyber Command as part of the cyber mission force.

In a report accompanying the Senate bill, the committee notes that it is “concerned about continued readiness challenges with cyberspace operations forces, particularly with the Navy contributions to the Cyber Mission Force.”

  • Author and veteran journalist Prakash Nanda has been commenting on politics, foreign policy on strategic affairs for nearly three decades. A former National Fellow of the Indian Council for Historical Research and recipient of the Seoul Peace Prize Scholarship, he is also a Distinguished Fellow at the Institute of Peace and Conflict Studies. CONTACT: [email protected]
  • Follow EurAsian Times on Google News 

Featured News