As Navy Cyber Security Division director, Rear Adm. Danelle Barrett casts a wary eye over the rising importance of data as a weapon of war. Data is an ever-more-critical battlefield asset, given the rising internet of things, including a rapidly growing inventory of unmanned intelligence, surveillance and reconnaissance assets across the Navy. Protecting all that data from enemy exploitation represents a potentially massive cyber challenge.
This spring, the Navy announced “Compile to Combat in 24 Hours,” a pilot project to leverage web services and a new cloud architecture in the service of data security. C4ISRNET’s Adam Stone spoke to Barrett about the potential there, and about the emerging IT security landscape in a data-centric military.
C4ISRNET: Data has become increasingly valuable, especially in terms of intelligence, surveillance and reconnaissance. How valuable is it? How do you describe the significance of data these days?
REAR ADM. DANELLE BARRETT: If you look at what goes on in industry and how they use big data for decision making, to be predictive and proactive: that’s exactly the kind of environment that we want to get to. Being able to trust those data, to access the data, expose the data, reuse the data — that becomes actually the hardest part.
C4ISRNET: Let’s talk about that. Sharing data involves risk. Talk about that risk landscape.
BARRETT: The more data that you have out there and the more places you have it, obviously you have an increased attack surface. Adversaries will go after your data to try to get an advantage. So, you want to protect data down to the lowest layer and you want to make sure that you have defense in depth built in, and resiliency to be able to work through any kind of attack or interruption in your data flow.
We build our architectures around being resilient using the NIST [National Institute of Standards and Technology] model of “detect, react and restore.” You build in as much resiliency as you can.
C4ISRNET: Can you say, specifically, how that’s done?
BARRETT: I’ll give you an example of something that we’re testing in our architecture to try to improve the data down to the data element layer. We have an effort called “Compile to Combat in 24 Hours.” We’re looking at modernizing our afloat architecture and, as we do that, we’re decomposing big monolithic applications, if you will, into web services similar to what you’d get on an iPhone: smaller capabilities, smaller web services as opposed to these big monolithic applications.
As you do that, you can ensure that you’re using standard ports and protocols, so you don’t have applications on the ship that are reaching back over nonstandard ports, which would present an increased attack surface. If you can standardize on your ports, you can sense those better and monitor those better.
Then you then go down to the data element layer. Say you standardize on extensible markup language, XML, you can then apply the SAML protocol that is inherent to that to protect your data at that lowest layer. We’re testing that concept in an architecture now.
C4ISRNET: There’s a lot of talk in the military about breaking down monolithic systems. How do smaller, cloud-based applications help with cybersecurity?
BARRETT: Every time you drop another box or a computer that has to be configured and patched and scanned correctly. All of those things increase your attack surface. So, you can smartly move the data into an environment where you can monitor it better — i.e. the cloud, right? When you move your environment into that, you can monitor that cloud environment in a very controlled manner, instead of having 100 different servers and boxes and programs with different software and different protocols.
This is not something unique to the military. We’re just trying to leverage industry best practices here and industry open standards.
C4ISRNET: All of this requires cyber expertise and the labor market there is notoriously tight. How does the Navy workforce situation stand in terms of cyber?
BARRETT: We’ve got a really strong and committed workforce, which is great. People love to work for the Navy because of the mission that we do. There’s a lot of people who have prior military service in the Navy and people who just come in because they believe in the mission.
By the same token, we have to take care of them and make sure that we’re modernizing our civilian workforce and military workforce at the same rate. That’s tough. We’re a big bureaucracy sometimes, but we work very hard to make sure that the training and the opportunities for our civilian workforce and the challenges that will keep them engaged and creative and being innovative on our behalf are there.
C4ISRNET: How does this impact your ability to innovate?
BARRETT: In this new architecture that I was talking about, it requires different skills for developers. Maybe the people who used to develop in the old model, that old monolithic applications, their skills aren’t the same as would be needed in this new model. So we have to look at, “Okay, how do we retrain them to give them the skills then to operate in this new model?”
The piece, though, where I would say we don’t necessarily have the right construct yet is how we build, for example, people who are experts in data science. How do we build people who are experts in artificial intelligence and machine learning and the human machine interface?
We have some pockets of excellence like that, but how do we grow that? And where do we need those people the most? We’ll need to figure out, as an institution, how we get that systemically in place and how we train people and build a cadre of folks who are very skilled at that.
C4ISRNET: What’s the pictured goal of cyber? You’ve said it is impossible to have an impenetrable network. What constitutes a win for you?
BARRETT: We’re always going to have vulnerabilities. You have to understand what the risk is to the systems and the networks that support your critical missions. Say my critical mission is, for example, ballistic missile defense or close air support to troops on the ground in Afghanistan. What is my critical cyber key terrain, if you will, that supports that mission? And, then, what are the systems that support that critical terrain?
You just have to be able to understand your risk. And it may be that there is a human factor to this. The Naval Academy didn’t used to teach celestial navigation because we had electronic navigation aids, but recently they have been breaking out the sextant, sitting on the bridge wing and shooting up at stars. Your resiliency plans need to include those human elements. There may not always be a technology solution.
C4ISRNET: Looking ahead, what’s the next area of interest for Navy cyber, especially around ISR needs?
BARRETT: That emerging architecture I told you about, that has implications for ISR. In our maritime domain we increasingly have unmanned vehicles, autonomous vehicles. They’re all going to be a sensor of some kind. They’re all going to be moving data back and forth across the war-fighting surface out there.
What this new architecture allows us to do is capture a lot of those data that might not have found a way back into the big cloud ashore, to have those data analyze for perhaps another purpose that they weren’t intended for.
With a lot of those sensors or data feeds that are in the tactical environment, they provide that data and then the data just sort of dies in a black hole somewhere because there’s no mechanism or means to get that back where someone else might use it for some war-fighting purpose or operational advantage. We’re trying to make sure that this architecture allows us to capture those data and get them back to the big lakes, so that they can be used for big data analytics for other purposes.
There’s going to be more and more data that can be leveraged from that environment back for other purposes beyond the initial tactical implementation. There will need to be cyber protections around all of that.