PENTAGON: When Iran hacked the Navy-Marine Corps Intranet in fall 2013, it shook up the sea services’ approach to cybersecurity. Thanks to that new vigilance, their networks have fended off every subsequent attack, the head of Navy Cyber Command said today.
That doesn’t mean no one breached any portion of any Navy or Marine Corps network, Vice Adm. Jan Tighe told reporters here. “What we’re talking about is an actual operation, not that initial penetration,” she said. Cyber experts say intrusions are inevitable, so the question is how far they get. Do they flitter around the margins of the system? Do they start downloading sensitive data or plant malware to wreck the network? Tighe said no adversary has conducted a successful cyber operation against the Navy or Marines since her predecessor, Adm. Mike Rogers, led Operation Rolling Tide to clear out the Iranian infestation.
Rogers has since ascended to lead US Cyber Command and the National Security Agency. (The same person heads both organizations.) The Rolling Tide experience “has shaped his way of looking at the fight,” Tighe said. Likewise in the Navy, she went on, “It’s influenced pretty much every process I have and every investment that I have.” After the 2013 breach, the Navy added $545 million for cyber across the 2014-2020 budget plan; more recently, it’s requested an additional $313 million for 2016 alone.
The Navy’s been building up its “cyber mission force” since 2013, said Tighe, but that build-up’s still only “about halfway through.” Some 22 of a planned 40 Navy cyber teams have reached initial operational capability, while three are at full operational capability, her staff told me afterward. Approximately 1,100 of about 1,750 needed personnel are now in place.
It takes years to find so many skilled personnel, to train them and to form them into tight-knit teams and then to win Adm. Rogers’ certification as fully ready. Tighe said teams won’t wait on certification to start defending the network. Most of the recruiting and training responsibilities lie outside her command, for example with the newly created Information Dominance Forces Command, she noted.
“Just to be really clear, I am an operational commander,” Tighe said. “This is an operational workforce” — a third of which is civilian, something very different from traditional, physical warfighting commands.
Tighe has stated emphatically in the past that what she and her people do is warfighting, not tech support. We need to overcome a complacency born of operating in an uncontested environment, she said today, where networks both wired and wireless were seen as mere conveniences, not vulnerabilities. “We’re not in that world anymore,” she said. “All you have to do is read the newspaper to know the volume and velocity of the adversary actors that are out there.”
Many “attacks” on the Defense Department are actually mindless criminal malware, she said, not aimed at DoD at all. These automated hacking tools probe one network after another after another without ever intending to target the military. They’re looking for account numbers and other mundane targets of theft. But such low-level threats raise the background noise in which more sophisticated actors can hide, she said. As a result, it’s crucial to “rapidly triage” intrusions so cyber defenders can focus on the major dangers. Doing so will require a new combination of sensors, software roadblocks, and analytical power — what Tighe calls “cyber situational awareness.”
Once Tighe’s team have identified the threat, however, they need to tread carefully while combatting it. The collateral damage of fighting an intrusion — for example, by isolating an infected portion of the network or shutting down servers to patch vulnerable software — could potentially “shut down the Navy,” she said. “All the other operational commanders’ missions ride atop the capability that we bring, and the decisions that I have to make to defend the network potentially affect their ability to carry out their mission.”
In addition to discussing cyber defense, Tighe talked — a little — about the shadowy offensive side. Cyber weapons have to follow the same laws of war as physical ones, she said, such as minimizing collateral damage, and inflicting proportionate damage. They also need to be integrated into physical operations as one more option among many.
But cyber weapons must be much more “tailored” to a specific target than physical ones, Tighe said. A missile will explode with the same force against whatever it hits, but hacking exploits highly specific vulnerabilities of the target. (Stuxnet is the prime example here.) Two enemy computers sitting side by side might react completely differently to the same attack, depending on, say, which software patches each one has installed.
“A missile might blow up a bridge in Country A and Country B, but largely cyber doesn’t work that way,” Tighe told me after the roundtable. “You need a lot more and better intelligence, and you need [to] predict the effect that you’re gonna have.”
What about the way the attack propagates from one computer to the next, I asked, potentially beyond your original intended target? Isn’t that essentially unpredictable? “That has to be knowable, and it can be knowable,” Tighe said.
But don’t these complex second-, third- and fourth-order effects get rapidly into the realm of chaos theory? The admiral laughed out loud. “I love chaos theory,” she said. “It’s my favorite, actually. That’s why I’m in this business.”