A team effort involving the private and public sectors could be the answer to integrating the “best of the best” to provide a balanced risk-management approach to cyber defense, according to Navy Chief Information Officer Robert Carey.
“As I step closer to the operational component of the cyber world with my move to U.S. Fleet Cyber Command/U.S. 10th Fleet, the concept of team, as it relates to cybersecurity, becomes even more important to me,” Carey wrote on the Department of Navy CIO Blog. “This means industry, academia, military, civilians and contractors working together toward a singular purpose: to operate and defend the department’s networks against attack, while enabling access to information for those who require it.”
One approach that comes to mind, Carey wrote, includes training the defenders as attackers.
“While I know this is done in small pockets, it has yet to become doctrine throughout the department,” Carey wrote. “We need to ensure that our network defenders possess the same skills and knowledge as our attackers. Our goal should be to break down the barriers between the defenders and the red teams. After all, we are all on the same team.”
To fill the exploitable gabs in cybersecurity, the department’s tools must be smartly integrated into a defensive suite, using automation where appropriate to provide real-time defense, Carey wrote.
He also added how there is a great need for a cybersecurity investment management tool. While the Navy has plenty of tools at its disposal, there is the question of “where will we spend our next ‘$10,’ what will we get for it, and how can we demonstrate the value of the expenditure to our bosses sitting in the E Ring?” Carey wrote.
“A dire need exists for the department, and every federal agency, to be able to plan its next investment and understand (based on what is already deployed) what we will get in return for our next investment and what the metrics-based payoff will be,” he wrote. “The ultimate outcome is to reduce the number of successful attacks on the network.”
According to Carey, Robert M. Gates’ direction to consolidate the IT infrastructure wherever possible is “spot on.” Across the department’s four major domains (afloat, ashore (garrison), ashore (OCONUS) and tactical), the basic network architecture is the same–IP-based communications. While there may be radio frequency links or fiber optics involved, the majority of TCP/IP packets must be able to move freely around the world, Carey added.
“That being said, our infrastructure stovepipes must be opened and secured appropriately,” he wrote. “Many lower echelon commands are operating independently from mainstream networks; however, future budgets will no longer support this model, again suggesting that teamwork is needed for success.”