Following a year in which spearphishing attacks, including the one against the Office of Personnel Management, were the main preoccupation of government cyber officials, the Navy’s top cyber commander said her service needs to spend the next one thinking about a broad array of new activities that fall under the general heading of “procedural compliance.”
By that, Vice Adm. Jan Tighe wasn’t only referring to the Navy’s own workforce and whether it’s following the service’s existing cybersecurity policies. For those matters, the Navy and the broader military already conduct regular cybersecurity readiness inspections, encapsulated in reports that now go all the way to the Secretary of Defense, tallying each command’s violations every time a sailor plugs a smartphone into a government computer’s USB port.
Instead, the “year of procedural compliance” is meant to ferret out potential cybersecurity gaps in almost every interaction between the fleet, its IT vendors and the ways the Navy currently integrates IT onto its ships and shoreside bases.
“Through a series of investigations and responses to actual cyber incidents over the past year, we’re finding that there may be weaknesses in the procedures we have now to transition IT systems onto platforms or how we’re modernizing our platforms,” Tighe, the commander of Fleet Cyber Command, the Navy component of U.S. Cyber Command, said in an interview. “Those procedures could deal with our own crews and the tasks they have to accomplish, or it might have to do with a support contractor who’s coming onto a ship and modernizing the IT system. We’re looking at the types of vulnerabilities that could be introduced during any one of those transitions.”
Tighe, also the nominee to become the Navy’s next CIO and deputy chief of naval operations for information warfare (she’ll relieve Vice Adm. Ted Branch in that position as soon as the Senate confirms her), said she wants a closer look at the provisions the Navy includes in its IT contracts to minimize the chances of security holes being introduced while a new system’s being installed.
“Do we have the right contract language to make sure they know what’s expected? We’re finding issues. They’re not huge issues, but they’re things that make me realize we need some more focus here,” Tighe said.
In particular, she said she’s concerned about cyber vulnerabilities that might escape notice while both a ship’s crew and its private-sector systems integrators are in a hurry to get a vessel’s systems up and running in the last few harried days before a ship’s scheduled deployment.
“This is across our systems commands and across all of our type commanders,” Tighe said. “We’re going to have to go in and make sure we have all of the right procedures in place and all of the right training in place to make sure we’ve minimized our attack surface before we send forces forward.”
But the refocus on existing procedures and projecting them through a cyber lens is not just about contractors.
For example, the aircraft assigned to a particular carrier for a given deployment are under the command of a separate air commander and join up with an aircraft carrier only shortly before they sail together, so the Navy needs to ensure that the aviation wing isn’t introducing its own cyber vulnerabilities at the last minute as it plugs its own IT systems into the larger carrier strike group.
“We need procedures to ensure that we maintain the security of all of the platforms on which all of those people are depending,” Tighe said. “We have to institute procedures like that and then check them, and it’s going to take a lot of dedication from a whole lot of people across the Navy. The cybersecurity readiness inspections we have are one way, but we’re creating other ways.”