The guidance, which applies to both the Navy and Marine Corps, was about three years in the making. Officials involved in the effort sought to make the distinction from past strategies and documents, which were heavily focused on cybersecurity and defense, to one that recognizes cyber is part of warfighting.

“The [chief information office] really [focuses on] modernize, innovate, defend. They’re going to do a lot of that zero trust, identity management, [risk management framework] reform. What the [principal cyber adviser] really tried to bring to this was, … ‘Hey, this is a warfighting domain and we need to figure out how to talk about this a little more openly,’” Chris Cleary, the Department of the Navy’s principal cyber advisor, told DefenseScoop regarding the strategy that his office helped craft.

“When we released the cyberspace superiority vision a year ago, it was really to focus on that. This is not just a cybersecurity exercise, this is not just a zero-trust problem. This is a warfighting domain, this is a warfighting domain to be professionalized in, and this is a warfighting domain that the Navy and the Marine Corps need to adopt as a core competency in and amongst the services. Once you’ve come to those three conclusions, then the presentation of forces, the development of capabilities, the use of those capabilities just get more and more ingrained into the service moving forward,” he said. “It is no surprise that our adversaries are continuing to advance and professionalize in this space. We need to as well.”

The strategy warns that the next fight will be like no other prior conflict and the use of non-kinetic capabilities will likely be the deciding factor. Militaries that effectively synchronize non-kinetic effects, like cyber, will have a decisive advantage.

“We need to begin to have similar conversations about sort of the non-kinetic side of what we’re expected to do in the Navy,” said Cleary, whose last day in the department is Tuesday.

The risk of not talking about these things openly, he added, is there could be capabilities that key Defense Department components never become aware of because some organizations could be excluded if conversations are reserved purely for classified environments.

“As a warfighting organization, we need to be able to speak more openly about how we would expect to leverage certain kinds of capabilities in this domain without talking about those capabilities, specifically. The ones and zeros, the kinds of things that we’re going to be going after, the kinds of aim points we have to look at — those things are all very, very good reasons, classified conversations that we won’t have publicly … [but] we really need to talk about this a bit more openly, just like we do with any other weapons system we have in the Navy or the Marine Corps, [such as] the joint strike fighter, the Ford-class aircraft carrier, the Columbia-class submarine,” he said.

The Department of the Navy has begun thinking about how it provides certain non-kinetic effects and teams to achieve the services’ goals. The Navy and Marine Corps already provide cyber forces to U.S. Cyber Command, but they don’t exert any operational control over those cyber capabilities as that authority belongs to Cybercom.

Cleary said the Marines have really led the way in developing concepts, doctrine and forces in the non-kinetic realm for what’s known as service-retained capability, primarily through the Marine Expeditionary Force Information Groups, or MIGs.

Cleary explained there will be times when true remote cyber capabilities won’t be effective against certain targets given they may be disconnected from traditional networks or access might be difficult. As such, close and proximal forces might be needed to gain access and provide non-kinetic effects.

“Sometimes on net, or traditionally wired sort of cyber capabilities may not be available to us for a variety of reasons. And the ability to gain access to targets using off-net capabilities might be the way that you have to go about doing this. And who’s better to perform that than the Navy and the Marine Corps based on their presence?” he said, acknowledging that they’re in the process of figuring out what those capabilities and forces will look like.

Over the past year, Navy officials have described the notion of fleet non-kinetic effects teams that will augment afloat forces with critical information warfare capabilities.

A Navy spokesperson told DefenseScoop that a Center for Naval Analyses (CNA) study is still ongoing to analyze operational requirements, capabilities and potential options for the teams’ construct. That effort is expected to conclude in late 2024.

Changing the culture

The new strategy recognizes a need to drive culture change throughout the Department of the Navy.

Despite being a common refrain in strategic guidance, Cleary said this is a generational issue.

“We’re in the middle of one of these sort of cultural revolutions right now, which is the idea of kinetic warfare versus non-kinetic warfare. To be honest with you, there’s still folks in the Navy that are not completely convinced that the non-kinetic warfare delivers the kinds of things that we’re promising that it can,” he said. “That is a cultural transition. Again, you could argue, there were many people that didn’t believe in the airplane in the 1940s, or the submarine in the 1940s.”

Ultimately, the strategy must be viewed by the entire force, not just those in the cyber community. Cleary explained that cyber must not be an afterthought, but integrated equally with the services’ other warfighting capabilities.

“This is the cyber strategy for the entire Navy to read and to begin to fully embrace this as a warfighting function that is integrated across all things we do in the Department of the Navy and the Navy and the Marine Corps, because all future fights are going to begin and potentially end here,” he said.

“Cyber can’t be seen as a bolt-on to what we do. It can’t be seen as something that sits next to airplanes or sits next to submarines or next to Navy Special Warfare. It has to be fully integrated into the department for it to be successful … This has to be integrated into the department, resourced appropriately, manned appropriately, prioritized appropriately. And we’re hoping that this cyber strategy begins to elevate this mission space within the department writ large,” he added.

Some culture change has already made its way into the force. Cleary noted that the Marines have included cyber when listing the service selection of midshipmen out of the Naval Academy. A few years ago, there were only two classifications: marine air or marine ground.

“About three years ago, the Marines added marine cyber to the conversation. That culturally is an amazing shift that cyber was enough of a differentiator that it would break out from marine air and marine ground and be its own thing that the Marines called out specifically, when they commissioned midshipmen out of the Naval Academy,” Cleary said. “Culturally, they’re embracing it and they’re showing that embracing through making it very prominent in the way they talk about their force: marine air, marine ground, marine cyber. That’s amazing.”

Overall, the Navy’s cyber strategy has seven lines of effort:

1) Improve and support the cyber workforce

2) Shift from compliance to cyber readiness

3) Defend enterprise IT, data, and networks

4) Secure defense critical infrastructure and weapon systems

5) Conduct and facilitate cyber operations

6) Partner to secure the defense industrial base

7) Foster cooperation and collaboration

The post Navy’s new cyber strategy aims to place a premium on non-kinetic capabilities’ role in conflict appeared first on DefenseScoop.

Cleary was the Navy’s first-ever PCA as Congress mandated in the 2020 defense policy bill that each service create such a role to provide insights on recruitment, training and readiness of cyber forces and acquisition of offensive and defensive cyber capabilities, among others.

Cleary, whose last day on the job is Nov. 21, told DefenseScoop that he enjoyed his experience as the Navy’s PCA and wished he could stay longer, but as the position is outlined currently, it was not allowed to be extended — something he knew going into the job.

However, that timetable may change in the future for top cyber advisers, he said, noting that he hopes his replacement is able to stay in the role longer than he did, given there needs to be more continuity to oversee change — especially on the civilian side.

“There is something to be said for having established the PCA billet and needing to understand it has to continue over time. The next person who comes in here, I hope, stays longer than three years, because for cyber to be successful, it really needs somebody in the seat that can spanned over the traditional sort of three-year [Office of the Chief of Naval Operations] tours,” he said during a call Tuesday.  

Uniformed service members typically rotate in and out of jobs every couple of years, but one of the benefits of having DOD civilians is they can generally stay longer, which brings with it a sense of institutional knowledge, Cleary said. That allows for personnel to ensure policies and initiatives are set.

“There is something to be said for coming to these jobs and having some longevity to it,” he said. “For as quickly as cyber changes, a lot of things [we] are going to do are going to take a long time to get established. And this is not one of those things you can change your mind every three years.”

Reflecting on his time as a top adviser, Cleary said he is proud of the Navy’s Cyberspace Superiority Vision, published last October, which essentially laid out a paradigm shift in the way the service articulates cyber through the mantra “secure, survive, strike.”

The word “security” follows the word “cyber” almost 99 percent of the time, Cleary stated, adding that for the vast majority of the world, that’s apt. However, the Navy, as a warfighting organization, must be positioned to fight — and the term “cybersecurity” typically conjures discussions around IT such as zero trust, identity management and the like.

“What I’m trying to emphasize through the Cyberspace Superiority Vision is this is a warfighting function. It goes well beyond cybersecurity,” Cleary said. “That was kind of what the superiority doctrine was really about, was to take the whole subject of cyber, everything from security to warfighting and make it a topic of conversation and ensure that just wasn’t a zero-trust conversation.”

The Navy has always sought to secure networks, but Cleary noted that he’s especially proud of the work that’s been done to elevate operational technology within the department. It’s now something that’s discussed within the E Ring at the Pentagon whereas three or four years ago, OT or defense of critical infrastructure discussions wouldn’t have made it out of niche offices.

Now, the Navy acknowledges it needs to focus on defense of critical infrastructure just as much as ships, planes or submarines, Cleary said, predicting more resources will be rolling into that in 2025 and 2026.

The paradigm shift has really come on the survive-and-strike portion of the vision. Cleary has spoken in the past about the need to “fight hurt,” noting that warships are meant to withstand damage from attacks, but IT systems are not thought of in the same vein. Digital capabilities must be designed to fight through attacks just as physical platforms are.

When it comes to offensive strike, Cleary has sought to speak more openly about the fact that the Navy, as a warfighting organization, will use cyber weapons against adversaries.

“The strike piece of it, hey, this is what we do. Right? This is our business. Most of the things that you see in the Navy are platforms that are designed to deliver lethality. It should be no surprise that we are developing capabilities in the non-kinetic space to do those similar things,” he told DefenseScoop. “Now, we’re not going to tell you how they work. Just like I’m not going to tell you how a nuclear power plant on a submarine works. Right? But you know what’s out there. You know it exists … We’re not going to tell you how we’re going to do some of our cyber stuff, but to begin to talk a little more openly about the fact that cyber is a means and methods of warfare that we’re going to professionalize in which would allude to building capability to do those things, that shouldn’t be a surprise to anybody.”

It’s important for the Navy to acknowledge that cyber is not only a domain of warfare, but a core competency for it as a military service, he suggested.

Cleary noted that he’s passionate about the cyber mission and plans to continue to champion the Navy’s needs from the private sector, adding that he’d like to leave the door open to coming back into government in the next few years.

The post Chris Cleary, Navy’s first-ever principal cyber adviser, set to leave Pentagon appeared first on DefenseScoop.

A revised version of Joint Publication 3-12 Cyberspace Operations — published in December 2022 and while unclassified, is only available to those with DoD common access cards, according to a Joint Staff spokesperson — officially provides a definition for “expeditionary cyberspace operations,” which are “[c]yberspace operations that require the deployment of cyberspace forces within the physical domains.”

DefenseScoop has seen a copy of the updated publication.

The last version was published in 2018 and was publicly available. The Joint Staff spokesman noted that five years has been the norm for updates.

The definition, recognition and discussion of such operations are indicative of not only the maturity of cyberspace and associated operations, but the need for more tactical capabilities to get at targets that the current cyber force might not be able to access.

U.S. Cyber Command owns the offensive cyber capabilities within DOD, and the services conduct offensive cyber ops through Cybercom and the cyber mission forces that each service provides to the command. Authorities to launch cyber effects have traditionally been held at the highest levels of government. In recent years, those authorities have been streamlined and delegated. However, most cyber operations are still conducted from remote locations by the cyber mission force (CMF) and primarily focused on IP-based networks.

Many of the services have begun investing in capabilities and forces for their own offensive cyber, however, that is mostly in the blended electronic warfare or radio frequency-enabled sphere at the tactical level.

The updated doctrine recognizes that these capabilities, which will still have to be coordinated centrally, could provide access to targets that remote operators might not be able to get for a variety of reasons.

“Developing access to targets in or through cyberspace follows a process that can often take significant time. In some cases, remote access is not possible or preferable, and close proximity may be required, using expeditionary [cyber operations],” the joint publication states. “Such operations are key to addressing the challenge of closed networks and other systems that are virtually isolated. Expeditionary CO are often more regionally and tactically focused and can include units of the CMF or special operations forces … If direct access to the target is unavailable or undesired, sometimes a similar or partial effect can be created by indirect access using a related target that has higher-order effects on the desired target.”

It also notes that these effects and operations should be coordinated with the intelligence community to deconflict intelligence gain/loss.

Moreover, the updated doctrine recognizes the complexity of cyberspace and how in-demand cyber capabilities might be. Thus, global cyber support might need to “reach-forward” to support multiple combatant commands simultaneously.

“Allowing them to support [combatant commands] in this way permits faster adaptation to rapidly changing needs and allows threats that initially manifest only in one [area of responsibility] to be mitigated globally in near real time. Likewise, while synchronizing CO missions related to achieving [combatant commander] objectives, some cyberspace capabilities that support this activity may need to be forward-deployed; used in multiple AORs simultaneously; or, for speed in time-critical situations, made available via reachback,” it states. “This might involve augmentation or deployment of cyberspace capabilities to forces already forward or require expeditionary CO by deployment of a fully equipped team of personnel and capabilities.”

When it comes to internalizing the new doctrine, the Air Force sees this as additional access points for operations.

“How do we leverage folks that are and forces that are at the tactical edge for access? That’s primarily how I think about the expeditionary capabilities we have … is empowering or enabling the effect they’re trying to create or using their access or position physically, to help enable some of our effects,” Lt. Gen. Kevin Kennedy, commander of 16^th Air Force/Air Forces Cyber, told DefenseScoop at the AFCEA TechNet Cyber conference.

He noted that these access-enabling capabilities could be across the services, but primarily from an Air Force perspective, “I’m looking at looking within the Air Force, from aerial platforms down to ground-based airmen, as well about how we would do that,” he said.

Officials have described how the services are seeking to build their own forces separate from Cybercom.

“There was a lot of language that came out the [National Defense Authorization Act] that talked about force design in general. All the services to one degree or another are really — I’m not going to say rethinking — but evaluating what their contribution to the joint force is, as well as what their own … service-retained cyber teams are,” Chris Cleary, principal cyber advisor for the Department of Navy, told DefenseScoop at the AFCEA conference.

Last year’s NDAA directed the Pentagon to develop a strategy for converged cyber and electronic warfare conducted by deployed military and intelligence assets, specifically for service-retained assets.

As electronic warfare and cyber capabilities are expected to be a big part of the battlefield in 2030 — a key waypoint the Army has been building toward — it recognizes those capabilities can’t be held from remote sanctuary, Maj. Gen. Paul Stanton, commander of the Army Cyber Center of Excellence, told DefenseScoop in an interview on the sidelines of the AFCEA conference.

In fact, the Army’s principal cyber adviser has tasked the Cyber Center of Excellence with clarifying certain authorities and capabilities.

“How do you execute electronic attack to achieve effects? How do you differentiate a cyber-delivered capability that benefits from proximity based on owning the land, owning the ground?Because that’s what the Army does. The principal cyber advisor, Dr. [Michael] Sulmeyer is tasking me with conducting a study to clearly define and delineate where those lines are,” Stanton said. “This study is going to help us be able to clearly define that. I expect to be tasked to kick that off here in the very near future with about 90 days to complete.”

When it comes to service-retained forces and capabilities, the Army has built the 11^th Cyber Battalion, formerly the 915^th Cyber Warfare Battalion, which provides tactical, on-the-ground cyber operations — mostly through radio-frequency effects — electronic warfare and information ops. The unit will help plan tactical operations for commanders and conduct missions in coordination with deployed forces. It consists of several expeditionary cyber and electromagnetic activities (CEMA) teams that are scalable and will maneuver with units and conduct operations on the ground for commanders.

The Navy, meanwhile, is building what it’s calling non-kinetic effects teams, which will augment afloat forces with critical information warfare capabilities. Cleary has previously noted that the service is still working through what cyber ops at sea will look like.

“As we continue to professionalize this, [information warfare commanders within carrier strike groups] will become more and more important as it fully combines all aspects of the information warfare space, the electromagnetic spectrum, command and control of networks, eventually potentially offensive cyber being delivered from sea, information operations campaigns,” Cleary said.

“That job will mature over time, and then the trick is to get the Navy and the Marine Corps to work together because we are back to our roots of being an expeditionary force. Even the Marines through [Commandant] Gen. [David] Berger’s new force design is really about getting the Marines back to being what the Marines were designed to be, which is an expeditionary fighting force that goes to sea with the Navy. We work together to achieve our objectives as a team, and we’re getting back to our blocking [and] tackling them.”

For the Marine Corps’ part, officials have been building Marine Expeditionary Force Information Groups (MIGs), which were created in 2017 and support each MEF within the Corps, integrate electronic warfare with intelligence, communications, military information support operations, space, cyber and communication strategy — all to provide MEF commanders with an information advantage.

The service has also recently established Marine Corps Information Command (MCIC), which was designed to more tightly link the service’s information forces — including cyber, intelligence and space — in theater with the broader joint force across the globe.

Mission elements the Marines have created and sent forward with Marine expeditionary units are “right in line with [Joint Publication] 3-12,” Maj. Gen. Joseph Matos, deputy commander of Marine Corps Forces Cyberspace Command, told DefenseScoop at the AFCEA conference.

“How do we take what we do at the fort, or back at Fort Meade [where Cybercom is headquartered], and be able to extend that out to the services? That’s what we’re in the process of doing right now … We started about two years ago doing that. That capability is starting to mature pretty well,” he said. “It’s to extend Cyber Command out to those forward units.”

Matos said the recently created MCIC will act as the integrator for a lot of these capabilities throughout the force, acting as a bridge of sorts.

The organization will help tactical forces understand the authorities and capabilities that cyber can provide to help them conduct their missions.

“You kind of hit a glass ceiling of the capability [of] the lower elements being able to reach out and do cyberspace operations,” Matos said of the process prior to establishing that entity. “We’re able to say, OK, here’s a team, trained, capable,’ understand the capabilities that we can bring, give them to the deployed forces to say, ‘OK, you want to do cyber operations, here’s how we can help you do that.’ We know who to talk to, the authorities and so on so forth, and we can do that. I think it’s right in line with what the [Joint Publication] 3-12 is trying to do.”

That command essentially acts as the glue between the high-end cyber forces and the tactical elements, bridging the gap between Cybercom forces and the deployed forces.

“The genesis of the Marine Corps Information Command to tie all these elements together is to address that concern, is to be that integration point between the forces below the tactical edge who have these requirements to operate in a rapidly changing environment. But also tie that to the Marine Corps Information Command knows who to talk to at Cyber Command, or at NSA, or at Space Command. To be able to be that touchpoint between the two organizations so you don’t have to have an infantry battalion going all the way to” a combatant command, Matos said during a presentation at the AFCEA conference.

“I think as we operate in this rapidly changing cyberspace world, that Marine Corps Information Command’s going to be a tremendous benefit to the [Marine Air Ground Task Force], but also to the joint world and the intelligence and cyber world,” he added.

The post New DOD doctrine officially outlines and defines ‘expeditionary cyberspace operations’ appeared first on DefenseScoop.

A provision in the fiscal 2023 National Defense Authorization Act, which was passed into law late last year, mandates the Navy create specific military occupational specialties — or in Navy parlance, designators — for cyber.

The Navy is currently the only service that does not have a dedicated military role for cyber. Its cyber personnel are primarily resourced from its cryptologic warfare community — which is also responsible for signals intelligence, electronic warfare and information operations, among several mission sets — with additional roles resourced from information specialists and cyber warfare engineers. Cyber warfare engineers are not operators, but specialize in highly technical skills and development of tools.

Critics have said this risks neglecting cyber and having a lack of institutional expertise both in the operations community and at top echelons of leadership. However, others in the community believe a cyber-specific work role is too limiting, leading to a lack of expertise across the entirety of the information warfare discipline.

Congressional defense committees grew weary that the Navy was falling behind in cyber relative to the other services. Each service is responsible to provide a set amount of personnel to U.S. Cyber Command for the cyber mission force. However, an additional NDAA provision raises the specter that the Navy should entirely get out of cyber operations for Cybercom. It calls for a study, which, among other aspects, could help determine whether the Navy should no longer be responsible for developing and presenting forces for the cyber mission force.

The Navy, when building its cyber mission force at the outset, relied heavily on its signals intelligence personnel that worked for the National Security Agency, given similarities in the mission. Since that time, the Navy has, for the most part, kept the same structure in place.

Service officials have acknowledged that they’ve fallen behind in recent years, however.

“Up to this date, the Navy has struggled in fully manning their requirements to the mission force,” Chris Cleary, principal cyber advisor for the Navy, told reporters at the annual WEST conference in San Diego this week. “We’ve taken it in the teeth a little bit, but we now are moving very diligently to ensure that our requirements, particularly of the joint force, are being met.”

Vice Adm. Kelly Aeschbach, commander of Naval Information Forces, noted that the Navy had been on a path prior to congressional involvement, acknowledging the service made “some poor decisions relative to the cyber mission force and that we had not put in place the processes to effectively train the individuals who serve on the cyber mission force.”

There has been a spirited debate back and forth between the Navy and lawmakers, with one congressional aide telling DefenseScoop that Congress wouldn’t have gotten involved in this issue if there was confidence that the Navy would tackle this on its own.

“There’s a reason that multiple NDAAs contained pointed requests about Navy workforce and career management issues, and it’s not because of the service’s exemplary performance,” the aide said.

The Navy had put their attention toward the issue and believed a specialization was the right way ahead, but Congress disagreed.

“We were looking at a specialization track before we got the congressional language. We have a model for that in intelligence where we do that for one of the intel skill sets, where we allow you to re-tour over the course of a career. We were looking at that within the existing cryptologic designator and the information professional designator because we have multiple officers who serve on the cyber mission force — that if they could specialize and get the right training that we thought that would be sufficient to really raise our game,” Aeschbach told reporters at the WEST conference Wednesday.

“Congress — and I talked to them a lot over the last year — had a little bit different view. They really like that the other services have established a dedicated designator or officer capability. I explained to them that the work we were doing on specialization, essentially provides the foundation for what you need for an officer designator. In the back and forth with them, when it became apparent that they really wanted us to do the designator, we really just transitioned the work we were doing on specialization to how we’re going to establish a designator.”

Aeschbach explained that she expects to get the first proposal on the initial billet base this week. It will have somewhere between 200 and 300 billets.

The goal is by the end of the year, but hopefully earlier, to do a first call to officers currently in service to apply for the cyber designator.

On the enlisted side, Aeschbach noted that the service already had a rate, or work role, for cyber called cryptologic technician network (CTN), which is part of the cryptologic series.

The Navy is in the process of talking to that community to rename that role and a cyber rating will be created. There will now be a family of cyber designators and ratings similar to intelligence specialties.

While officials have to balance how many personnel from the cryptology field transition to cyber, given they have limited personnel, Aeschbach said overall, this will allow both communities to up their game.

The cryptology field has signals intelligence, electronic warfare and information operations. Now, they will be able to more intently focus on these disciplines while the cyber professionals can focus on cyber.

The Navy owes a report back to Congress in March to give lawmakers an update on what the plan is.

“I think Congress was a little frustrated when I first came in that the Navy in their minds was not being as responsive or performing at the level of the other services. I really think we’ve made a lot of progress with the committees on demonstrating Navy’s commitments and really showing them that we have a really thoughtful plan for how we’re going to get after it,” Aeschbach said.  

All in all, this new system will allow cyber operators to be in their jobs for a longer period of time instead of cycling out after a short stint.

Aeschbach also acknowledged issues with training the Navy’s cyber mission force members. Up until recently, they weren’t getting adequate training prior to going to their duty assignment, instead getting on-the-job training.

“We are lifting and shifting all training to the left so that our cyber operators and everyone who fills the 15 different work roles across the cyber mission force teams actually shows up fully trained, because we actually weren’t doing that,” she said. “We didn’t do a very good job of putting the foundational training infrastructure in place to ensure over time that as the work roles matured and the demands increased in terms of a level of proficiency you have to have, that we had a really good training path for every work role.”

The post Navy details its plan to build a new cyber-specific work role appeared first on DefenseScoop.

“I want to talk about the word ‘attack’ for a minute. Because this is something that I think we’ve overused, and we have to get better with this,” Chris Cleary said at the AFCEA NOVA Naval IT conference.

He used a parenting analogy to illustrate his point.

“If my oldest daughter called from school and said, ‘Dad, I’ve just been attacked’ … And If when I got there she opened up her laptop and showed me a spear phishing email, I’d say ‘we have to work on your language.’ Because right now, we call that an attack. Everything that happens in this domain has one word associated with it: attack. And I would argue this is where industry is taking words that the military always use that has very specific definitions” and applying them incorrectly to certain types of cyber incidents, Cleary said.

Under the laws of armed conflict, an attack is generally defined as something specifically designed to kill or injure people or damage equipment, he noted.

“If you’ve haven’t found yourself in one of those two aspects, you’re probably not quote-unquote under attack. Somebody stealing actual trade information from you is not necessarily an attack — they’re not trying to degrade your ability to conduct your mission,” Cleary said.

However, government agencies need to know when institutions are experiencing a true cyberattack so that they can better provide assistance, he suggested.

“Once it begins to tip into that space, you have to learn how to identify that differently, because then it will require resources,” he added. “We can’t go everywhere, but there are always some things that we need to respond to a little bit differently. And this really comes into the whole whole-of-government approach to include being led by CISA and the Department of Homeland Security. But how do we work together to identify when there are legitimate attacks in this space and how we, you know, marshal resources to come to your aid?”

The post Navy’s top cyber advisor decries overuse of the word ‘attack’ to describe cyber incidents appeared first on DefenseScoop.

Officials, such as Chris Cleary, the principal cyber advisor, have been previewing the plan for some time.

Cleary, speaking Wednesday at the Trellix Cybersecurity Summit, noted that the vision is in line with the Navy Chief Information Officer’s information superiority strategy released about three years ago. That strategy aims to ensure the availability of information from any place at a given time, while the cyberspace superiority vision is about enabling military actions through cyberspace to deliver non-kinetic effects against an adversary.

Documents like this are aimed at the broader Navy and Marine Corps and “the people who don’t consider this their core business spaces why these things are important — [and] more importantly, why it’s important to their mission,” Cleary said.

“What the vision really talks about is we need to talk about those three things in concert. One doesn’t outweigh the other,” Cleary said, referring to secure, survive and strike. “It’s not to do offensive cyber operations takes away from defensive cyber operations — or to go do Office365 to enable zero-trust structures doesn’t take away from something we’re trying to do in the other two domains.”

The Navy has done a pretty good job on the “secure” front to date, Cleary said. He noted while the SolarWinds intrusion was pretty wide in scope and very sophisticated, the Department of Defense responded quickly once it was discovered.

“We did a pretty good job of getting our hands around that,” he said. The “organizations responding to those things are pretty well-trained, pretty well-equipped within relative orders of magnitude for what they have to do.”

Efforts to secure systems include things like enabling zero trust and identity management.

When it comes to survivability, Cleary explained that the Navy and DOD writ large are under constant attack and thus must be able to fight through to still achieve mission success.

He has previously talked about the need for the Navy to “fight hurt.”

“One of the things we need to think about … whether it’s critical infrastructure or even IT systems, is how do we build those more like we look at building a warship than just an enterprise IT system,” he said last month at the DefenseTalks conference hosted by DefenseScoop. “Those things are going to cost money. If I’m going to build defense critical infrastructure designed to withstand adversary activity, it’s going to be some unique design characteristics that are going to have some unique costs associated with it. I think that’s a realization the Department of the Navy, the Department of Defense needs to come to if we want to have things that are truly survivable.”

He explained that warships are meant to take hits and IT systems must be built with the same mentality.

Lastly, when it comes to strike, the vision notes that it would be “unthinkable” to cede domains such as maritime, land or air to the adversary. As such, the Navy must be able and willing to go on the offensive to ensure it does not cede cyberspace.

“It is not enough to statically defend our systems, installations, and networks,” the Navy’s new vision states. “We must dynamically project power in and through cyberspace as part of integrated deterrence. That requires manned, trained, and equipped cyber forces that can defend forward, persistently engage adversaries, and deliver non-kinetic effects at speed. We envision a Navy and Marine Corps performing joint operations in the cyber domain and achieving cyberspace superiority at a combatant commander’s designated time and place.”

While U.S. Cyber Command owns the offensive cyber capabilities within the DOD — and the services conduct offensive cyber operations through Cybercom — Cleary explained to DefenseScoop following his presentation that the Navy is looking at its own version of service-retained capability in line with what other services have done.

Each of the services have begun investing in capabilities and forces for their own offensive cyber, however, that is mostly in the blended electronic warfare or radio frequency-enabled sphere.

“What I will say is the Navy’s looking at, what I’ll use the word, service-retained [forces] — and I think the language we’re going to call them is non-kinetic effects teams,” Cleary told DefenseScoop. “Non-kinetic effects teams will be the Navy’s version of [Marine Expeditionary Force] information groups the Marines have, the mission defense teams the Air Force has” and the Army’s expeditionary cyber teams.

He said the services have missions outside of what they need to present to Cybercom.

“The Navy is still working through what does cyber at sea look like,” he said. “It’s not that the Navy’s not doing these things. It’s just that we are all struggling with what does cyber really mean to our respective service. The Navy is now working through what cyber at sea — a little more specific to Navy missions — really looks like.”

Senior leadership of the Navy is on board with these types of capabilities, but they’ve always fell down the priority list for whatever reason, Cleary said.

“My only reason for existing is to try and drive this higher on priority lists,” he said. “I don’t control resources, nobody really works for me. So I champion an idea, hopefully get the reason for doing it brought and acknowledged to the service — and then once we’re there, help get it resourced.”

The post Navy releases cyberspace superiority vision appeared first on DefenseScoop.

The notion of “fighting hurt” is not new. However, the Navy is shifting its thinking to spending more on allowing its infrastructure to be able to push through adversary feints.

“One of the things we need to think about … whether it’s critical infrastructure or even IT systems, is how do we build those more like we look at building a warship than just an enterprise IT system,” Chris Cleary, principal cyber adviser for the Navy, said during a panel at Defense Talks Thursday hosted by DefenseScoop. “Those things are going to cost money. If I’m going to build defense critical infrastructure designed to withstand adversary activity, it’s going to be some unique design characteristics that are going to have some unique costs associated with it. I think that’s a realization the Department of the Navy, the Department of Defense needs to come to if we want to have things that are truly survivable.”

Cleary pointed out that traditional platforms are designed to withstand attacks given that they’ll be in contact with adversaries.

“Arleigh Burke-class destroyer is not a [commercial-off-the-shelf] piece of equipment. It is a specific mission-built piece of hardware designed to deliver effects on an adversary and actually sustain damage,” he said. “Sustaining damage, fighting hurt is a design characteristic of that ship, of that platform. All our weapons platforms, from tanks to airplanes all have certain survivability things built into them because they will be engaged.”

The Navy is readying a cybersecurity strategy, which encompasses three core tenets: secure, survive and strike.  

The survive portion requires the Navy to be more resilient, Cleary said.

In order to achieve that, there needs to be a workforce component in addition to baking in greater resiliency.

“When we think about things, systems, when they have to be fought hurt, is there an additional workforce that needs to come online,” he said. “Is there a general quarters component of an IT system or defense critical infrastructure that when it’s at a certain condition of readiness, it requires additional whatever you want to put behind it, whether it’s people or technology to sustain it.”

The post The Navy’s IT systems need to be designed to “fight hurt” appeared first on DefenseScoop.

Core tenets of the new governance document are “secure, survive and strike,” the Navy’s Principal Cyber Advisor (PCA) Chris Cleary confirmed at an event hosted by CyberScoop and Okta on Thursday. 

“Make no mistake: Cyber is a means and method of warfare that our adversaries are getting better at,” he said. 

Though he couldn’t go into great detail ahead of its release, Cleary briefed FedScoop on the new strategy after his keynote address. 

Shortly after he assumed the role of PCA in late 2020, Navy leaders directed Cleary and the service’s chief information officer to jointly draft a unified cyber strategy — and acknowledged the maritime branch’s serious need for a clear and comprehensive contemporary approach. Following a long development process, that strategy is now currently under an extensive review.

“General officers and flag officers in the Navy in the Marine Corps are all reviewing it, and we’re anticipating it to be published in a month. That is when it will be publicly available,” Cleary said.

Once completed and formally released, the strategy is expected to provide Navy personnel with deeper insights into warfare and cybersecurity that are specifically aligned with their military missions. It will include elements associated with enabling cyber forces, acquisition of additional tools that go beyond security, and a focus on critical infrastructure, according to Cleary. 

“We do a good job of the enterprise [information technology] stuff. We are pretty mature in this space. Obviously we’ve got ways to go,” he said. But there are areas “where we haven’t been giving it the attention that’s deserved,” he added. “So we’re moving into critical infrastructure, weapon systems and the security of weapons systems, and then ultimately how we embrace cyber as a warfighting domain in the service.”

The post Navy about to release unified cyber strategy appeared first on DefenseScoop.