The U.S. Navy Handbook of Damage Control states “the ship’s ability to perform its mission will depend upon the effectiveness of its damage control organization.” We saw this in action with the hull breach aboard the USS McCain. On August 21, 2017, the guided-missile destroyer collided with an oil tanker outside Changi Naval Base in Singapore. Those aboard had to spring into action instinctively as compartments below the waterline flooded with water rushing through the breached hull.
An effective security strategy requires “all hands” not only to know how to prevent an attack, but to expect one as well. Damage control procedures aboard a ship are based on the repair party manual, which details critical systems, protective measures, investigation methods, tools available for response, plans for containment, first responders, and primary and alternate means of emergency service.
Using the same framework of damage control practices that kept the USS McCain afloat, the Navy can build a cyber strategy to prepare for, survive and return to mission readiness after a cyber incident. Like shipboard damage control, the cybersecurity continuum is broken into three main objectives representing before, during and after an incident.
Before - Practicable preliminary measures prevent damage
The Navy drills its sailors and commanders tirelessly to prepare for physical incidents that affect ship safety and mission. But what if the Navy practiced the same type of damage control preparation for cybersecurity?
The global average time to detect a cybersecurity breach is around six months. Imagine if it took that long for a physical breach on a ship to be discovered, let alone fixed.
Like damage control, cybersecurity should be drilled until it is instinctive and an integral part of the ship’s design. Each sailor should understand the signs of a cyber incident and the immediate first responder actions. Questions like “How should sailors respond to the breach?”, “Who is in charge of each containment and detection process?” and “How will that breach be contained so it doesn’t affect the entire network?” should be as quick to answer as the message of the day.
Along with having vigilant and responsive sailors, cyber defense can also draw from other protective mechanisms aboard ship. For instance, radar, sonar and other sensors give sailors on watch real-time telemetry on the integrity and operation of the ship. Cyber defense similarly requires real-time sensors to gather telemetry and detect malicious activity. And just as watertight doors contain fire and flooding, micro-segmentation breaks the network into containment zones, limiting the attack surface and controlling the scope of impact.
During - Minimize and localize damage as it occurs
The objective during a physical incident is to isolate and contain affected systems to prevent further damage, with the understanding that some systems may need to remain in a degraded operational status to support mission requirements.
Often, the first response to a cyber incident is to shut down the system to contain the impact. However, shutting down a system can risk a greater impact to mission readiness than the initial threat. Effective cyber policy should have the same capability as other shipboard systems: to identify and implement battle scenarios in which equipment is allowed to operate in a degraded state when deactivating it would severely impact the mission.
Physical cameras are one way to increase real-time visibility for damage control teams on a ship. For example, cameras can provide immediate insight into the type and size of a fire, ensuring a proportionate response and avoiding flooding a space over a trash can fire. Cyber policy should use similarly deep visibility to provide immediate and accurate context for the risk assessment. Visibility tools using machine learning can provide insight not just into a breach, but into its immediate and potential impact.
After - Restore operations to fully functional
As described in the Handbook of Damage Control, after a physical incident sailors should follow emergency repair procedures as quickly as possible to restore equipment to full, normal operation. To achieve that goal in cyber and make network restoration possible by sailors of any skill set, the Navy will need to move further toward virtualization and automated security tools that allow push-button recovery.
Using machine learning and automated security policies, an incident can be identified, assessed and recommendations for actions can be made. Systems can be logically moved to a quarantine zone for assessment and cleaning if needed. With virtualization, a safe clone of the infected machine can be immediately brought back online.
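The containment ideas in this piece (micro-segmentation as watertight doors, degraded rather than shut-down operation, and moving a system into a quarantine zone) can be modelled as a zone allow-list that a defender evaluates before an incident. The following is an added example written for this page, not the Navy's or Cisco's tooling; the host names, zone names and ports are constructed, and the policy model (zone-to-zone allow rules, default deny across zones, intra-zone traffic permitted) is an assumption chosen for illustration. It computes the "blast radius" of a compromised host under a flat network versus a segmented one, then quarantines the host while keeping a single mission-critical flow open.

```python
"""Containment-zone model: blast radius and quarantine (added example, not from the article)."""
from collections import deque

ANY = "*"  # wildcard port in an allow rule

# Constructed sample inventory: host -> containment zone (hypothetical names).
HOSTS = {
    "radar-01": "sensors",
    "sonar-01": "sensors",
    "nav-console": "nav",
    "fcs-01": "weapons",
    "mail-srv": "admin",
    "crew-laptop-7": "crew_wifi",
}

# A flat network: every zone may reach every zone on any port.
_ZONES = set(HOSTS.values())
FLAT_POLICY = {(src, dst, ANY) for src in _ZONES for dst in _ZONES}

# Micro-segmented network: explicit (src_zone, dst_zone, tcp_port) allow rules, default deny.
SEGMENTED_POLICY = {
    ("sensors", "nav", 5000),     # sensor telemetry feed into navigation
    ("nav", "weapons", 6000),     # targeting data from navigation to fire control
    ("crew_wifi", "admin", 993),  # crew mail clients to the mail server
}


def is_allowed(policy, hosts, src_host, dst_host, port):
    """True if src_host may open a connection to dst_host on port under the policy."""
    src, dst = hosts[src_host], hosts[dst_host]
    if src == dst:
        return True  # assumption: traffic inside one zone is not filtered
    return (src, dst, port) in policy or (src, dst, ANY) in policy


def reachable_zones(policy, start_zone):
    """Zones a foothold in start_zone can reach transitively by initiating connections."""
    seen = {start_zone}
    queue = deque([start_zone])
    while queue:
        zone = queue.popleft()
        for src, dst, _port in policy:
            if src == zone and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def blast_radius(policy, hosts, compromised_host):
    """Hosts an attacker holding compromised_host could reach, excluding that host itself."""
    zones = reachable_zones(policy, hosts[compromised_host])
    return {h for h, z in hosts.items() if z in zones} - {compromised_host}


def quarantine(policy, hosts, host, keep_flows=()):
    """Move host into its own quarantine zone (the 'watertight door').

    keep_flows lists (dst_zone, port) pairs the host may still initiate, so a
    mission-critical function can keep running in a degraded state instead of
    being shut down outright. Nothing may initiate connections into the zone.
    Returns a new (policy, hosts) pair; the inputs are not modified.
    """
    qzone = f"quarantine:{host}"
    new_hosts = dict(hosts)
    new_hosts[host] = qzone
    new_policy = set(policy) | {(qzone, dst, port) for dst, port in keep_flows}
    return new_policy, new_hosts


if __name__ == "__main__":
    victim = "radar-01"
    print("flat network blast radius:     ", sorted(blast_radius(FLAT_POLICY, HOSTS, victim)))
    print("segmented network blast radius:", sorted(blast_radius(SEGMENTED_POLICY, HOSTS, victim)))
    pol, hosts = quarantine(SEGMENTED_POLICY, HOSTS, victim, keep_flows=[("nav", 5000)])
    print("quarantined, telemetry kept:   ", sorted(blast_radius(pol, hosts, victim)))
    pol, hosts = quarantine(SEGMENTED_POLICY, HOSTS, victim)
    print("quarantined, fully isolated:   ", sorted(blast_radius(pol, hosts, victim)))
```

Running the script shows the trade-off the "During" section describes: full isolation drives the blast radius to zero, while keeping the telemetry flow open leaves the navigation and fire-control hosts reachable through it, so the decision to run degraded is a risk decision that should be recorded in the policy rather than improvised during the incident.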
The modern digital battlespace requires the Navy to be as prepared for a cyber attack as it is for a physical security breach. Luckily, the Navy already has a solid damage control plan that can be translated to defend and protect soldiers in the virtual world, just as it does in the physical world.
Kelly Jones previously served as a Cryptologic Technician Maintenance (CTM) in the Navy. She is currently a systems engineer for Cisco working directly with DoD customers.