NATIONAL HARBOR, Md.—When a Navy task force late in the summer of 2015 finished a year-long enterprise-wide review of the service’s organization, resourcing and positioning for its cyber security needs, a key finding was that it would take too long and cost too much to fix all the shortcomings and gaps, so cyber resiliency would be necessary, a Navy official said on May 17.
At the start of Task Force Cyber Awakening (TFCA) the expectation was that “it would confirm that accountability and rigor [were] key” and that “some things need to be fixed and we would prioritize them and then fix them,” Troy Johnson, director of the Navy Cyber Security Division within the Information Warfare directorate of the Chief of Naval Operations, said at the annual Sea Air Space conference.
Command and control, accountability and rigor are “key,” TFCA found, but another finding was that “it would take forever and would probably be unaffordable to fix everything,” Johnson said at a briefing for attendees. He also said that “there were parts of our cyber platform that didn’t exist in some cases that we needed to add in order for the apparatus to be defendable.”
Johnson’s division was stood up in September 2015 to turn TFCA into an enduring organizational capability that continues to advocate for resources, training, organizing, and other cyber-related needs.
The focus has been on “mission prioritization” and ensuring that processes are in place “to be able to fight through,” Johnson said. “Cyber resilience as our strategy as opposed to cyber security.”
Being cyber resilient and fighting through events means more than just protecting systems, networks and platforms, Johnson said. Cyber security is connected to operations in part through strengthening assets against threats and trying to prevent attacks, but also by detecting, identifying and assessing an adversary’s actions, fighting through with reactive or preemptive measures, and restoring assets to normal conditions and operations, he said.
The Navy is “operationalizing the way we do cyber,” Johnson said. This means the service is taking a risk-based management approach to cyber security, he said.
Generally, the service’s risk management framework is patterned after the Cybersecurity Framework, Johnson said. The Cybersecurity Framework was published in 2014 by the Commerce Department’s National Institute for Standards and Technology as part of a partnership between the private and public sectors to develop risk management standards and best practices to guide organizations in improving their cyber security postures.
The risk management framework applies to all of the Navy’s domains, Johnson said, adding that all the service’s communities are taking a similar approach to the strategy. Johnson said the Navy is also working on a dashboard to help measure outcomes around its risk posture.
The resiliency strategy guides investments and actions, Johnson said.