Cyber Warfare in the Maritime Domain
September 14, 2017
VICE ADMIRAL JAN TIGHE: (In progress) – the architect, and systemically address the cyber threat across all the platforms in the Navy and our networks and our weapons systems. And so, clearly, it would be a dereliction of duty if I were not thinking about cyber warfare in the maritime domain every day, and it would actually be quite reckless for the Navy not to be addressing the real threat of cyber in the disruption of maritime operations.
We do have to worry about the same thing that a lot of the industry is worrying about and corporations, and that is the – you know, the cyber fatigue is starting to set in. You know, sort of across our – across our nation and in boardrooms and others, this sense of it just keeps coming, this sense of victimization and helplessness that’s out there, and not really knowing exactly what to do. So we kind of have to guard against that.
I think back to probably 10 years ago or so, when a lot of what we knew and understood about the cyber threat was classified. And internal to the government, internal to the DOD we had lots of classified discussions about the risks that were out there, about the types of things that would be facing us from this threat of cyberspace. And I – you know, I’m happy or not happy to say we were – you know, our predictions have come true and then some. And so continuing to imagine what’s within the realm of the possible in cyberspace, and then mitigating those threats, finding innovative ways to defend and protect our – you know, assure our missions in the maritime domain, is what – is what we have to be able to do.
You know, today we face the threats from both individual lone-wolf kind of actors out there to nation-states, and it’s really the nation-state actors that keep me awake at night and that we have to be most concerns about – concerned about. In spite of the fact that all that, you know, crimeware and commodity malware is out there and potentially hitting our networks every day and could cause a problem, the big – you know, the big issues that we have to worry about really are coming from the nation-state actors, you know: Russia, China, Iran. We have to be concerned about how they may use cyberspace and what it might mean for us.
Ten years – more than 10 years of espionage and theft of intellectual property, it’s almost passé at this point. And yet, it’s going to continue. You know, why do people rob banks? That’s where the money is. Why do people go after the data? That’s where the money is. And depending on, you know, whether you’re a nation-state or a criminal, I expect that to continue – and to get more innovative, like we’ve seen with the ransomware, you know, new twists on old themes to get money. WannaCry was a good example of that, using, you know, extortion – extorting companies where data has been stolen or movies have been stolen or, you know, “Game of Thrones” has been stolen to try to gain financial incentive there. But really, when you – when you think about the threats to maritime operations, it’s those disruptive and destructive attacks that we have to worry most about.
You know, I think – I think, clearly, our nation is struggling with and thinking about, you know, those influence operations, as well, as being disruptive – maybe not to maritime operations, but certainly when you think about the elections and the use of cyberspace in elections, that’s not actually new. The European countries – many of the European countries have been dealing with that for more than 10 years, have been seeing cyberspace attacks into – influencing operations into their elections for more than two years.
I think – I think more troubling for the United States is – and probably a(n) existential threat to our nation – is the fact that many of these cyber actors are using our own value system against us – you know, freedom of speech and our freedom of the press – you know, to the degree that malicious cyber actors would leverage social media to come in and influence our population to almost, you know, foment distrust – distrust of the government, distrust of each other, drive wedges between, you know, different parts of our country. I think that is a(n) incredibly huge threat that we’ve – that we are going to have to deal with as a nation. And those type of threats translate into our naval – our naval forces, our DOD forces, that we’ve got to in a leadership way be able to deal with. You know, whether it’s white supremacy or different groups being targeted and, you know, sort of hate types of things, we have to be – we have to find a way to deal with, you know, the use of our own social media against us as a nation. One nation, indivisible. And, you know, to the degree that our value system is used to allow people to come in and potentially divide us, we’re going to have to get after that.
The other threat to physical infrastructure, to our critical infrastructure, you don’t have to look much further than, you know, the past two hurricanes, Harvey and Irma, to see the kind of disruption that loss of electricity and critical services can have on people: you know, death and disruption to our daily lives. The good news with hurricanes is at least there is some warning. There is some ability to prepare for those.
In December of 2015 and then again in December of 2016, Ukraine faced attacks against their electrical grid. There was no warning. Perhaps in December of ’17 they’ll be ready because there seems to be a trend. But Ukraine faced attacks against their electrical grid, and there’s no way to prepare for that, and so you only can respond. And so I think that understanding and watching these types of events happening globally has got to make us continue to up our game in being able to deal with that.
The notion that cyberwarfare would play a role in a military campaign, again, not new – 2008, we saw it in Georgia, when there was a distributed denial of service against public services while the tanks were rolling into southern Ossetia. And so this is not a new idea. The ways in which cyber could be leveraged today, however, are much more sophisticated, much more advanced, and probably would – in my estimation would come in advance of a military campaign. That’s probably going to be one of the first places that we would see an escalation of some kind of a conflict.
So the Navy has leveraged our own cyber talent and some of the cyber talent of our national agencies to imagine and demonstrate what kinds of risks that are posed to military operations and specifically to maritime operations. And we have a multi-pronged approach to addressing those threats, and making our platforms and weapons systems and networks more resilient to cyberattack.
The first thing we did – and this started a couple of years ago – is we are leveraging the NIST framework for improving critical infrastructure cybersecurity. So the framework of identify, you know, what’s important to you, harden that, protect that, create capabilities inside of your systems that can detect cyber threats.
And again, that needs to happen at machine speed, and we’ve got to be able to leverage all of the more current technologies out there – like artificial intelligence and human-machine teaming and machine learning – to really be able to do a great job in detecting and reacting to a cyber threat coming after us. That’s the next step.
And being able to fight through those cyber threats. So a cyber – a cyber threat hits you. We can’t afford to shut down the network. We can’t afford to shut down the propulsion system while we go clean up. We’ve got to be able to, just like in kinetic operations, fight through any kind of network attack that’s there, be able to potentially segment the area that is where the suspicious activity is going on and be able to continue our mission and continue to fight through while we restore the integrity or the capability of any particular part of our system.
And then the last piece of that that we’ve – that we’ve focused on is making sure our workforce – both our cyber workforce, cybersecurity workforce, and our – and, quite frankly, our engineers and our systems command workforce are up to and understand the types of cyber threats that could face them, whether they’re the technical authority for a control system or a weapons system or a network. And so increasing the knowledge and skills of that workforce is – has been critically important in beginning to really build cybersecurity and cyber resiliency into our Navy.
What we’ve done is created – taken that in this framework and then created a set of defense in depth, functional implementation architecture, a set of information-assurance standards by which new programs, new platforms, you know, the future frigate can adopt those standards as they’re building their network. And those standards help ensure that we’re building the cybersecurity aspects, the ability to detect/react/restore, into the network from the beginning for those new future designs.
And then, for our existing platforms and weapons systems and control systems, they are migrating in their modernization programs to make sure that we have all of those capabilities built into the various enclaves and networks that the Navy depends upon in warfighting in maritime operations. We’ve also created techniques, tactics and procedures to maneuver to mitigate threats that may be coming against, you know, those systems that are out there today that haven’t had the benefit of being updated yet.
So I guess my – in summary, my message is: We don’t have cyber fatigue in the Navy or in the department. There is no sense of helplessness here. We have an awful lot to do, and there’s certainly more work to be done. We have organized around this problem. We’ve created processes. We’ve made investments, about $1.5 billion between fiscal year ’14 and projected into the – into fiscal year ’23 is already set aside. We’ve created human-capital approaches to make sure we’ve got that expertise in all the areas that we need it. But again, you know, as I said, there is more to be done, and we need to do it faster than we typically are able to make changes in our – in our architecture. The threat is constantly evolving, and so we are going to have to continue to morph – you know, monitor that threat, morph, and figure out what are the best ways that we can defend and assure maritime operations from the cyber threats.
And with that, I thank you. Look forward to your questions. (Applause.)
KATHLEEN H. HICKS: Well, as I said in the introduction, you have no shortage of things to keep you very busy. If we could start with the recent accidents/incidents involving the Fitzgerald and the McCain, there has been some press reporting or speculation about the causes potentially involving a cyber aspect. Can you talk a little bit about how the Navy is approaching that issue, and the degree to which you and your team are involved?
VICE ADM. TIGHE: Sure. As everyone – as everyone must realize, you know, the investigations are ongoing into the causes of the incidents, both McCain and Fitzgerald. Today we have assembled a team to be part of that investigation from the cyber – from cyber – from a cyber expertise perspective. We have no indications or reason to believe that there was a cyberattack that had – you know, a malicious cyberattack that had an effect on or created the effect on either Fitzgerald or McCain, but we’ve assembled a team starting with Fleet Cyber Command / Tenth Fleet, and including the technical experts that come out of the NAVSEA Systems Command, and some technical experts out of our SPAWAR Command to go out, be on the ground, and look for and assess any anomalous activity that may exist onboard John S. McCain.
And with that, you know, we will look for a couple of things: One, you know, try to confirm that cyber had no role in the – in the collision, but also determine how we move forward in making this a normal part of these kinds of investigations. You know, it is something that we think about a lot, and we have got to have both the authorities and the human capital built that’s ready to respond to these types of events.
When I talked a little bit about building the workforce, part of that building is taking those mechanical engineers and aeronautical engineers that live in our systems commands today and are the technical authorities on mechanical systems in our weapons systems or control systems or aviation platforms, taking those types of people and really exposing them to and making sure they understand the potential threats that could affect those pieces of gear that they’re responsible for. And so the systems commands have been building that kind of expertise within each of their warfare centers.
MS. HICKS: Is that –
VICE ADM. TIGHE: And those kind of people we think would be the ones that we would tap into. You know, they would have multiple reasons for existing. One is simply we want to build systems that are, you know – are anticipating and resilient from cyberattack from the get-go. But the second piece is, well, what if we do detect – you know, as we continue to grow the amount of capability we have out there, what if we detect a cyber intrusion into one of those machinery systems, et cetera? We need to have expertise that can respond to that. And then this is sort of a third use for that type of expertise, so that they are capable of being part of the investigation, and they have the full knowledge of their systems that they’re the technical authority for and can look for any signs of cyber intrusion or cyber malicious – malware.
MS. HICKS: Right. You know, maybe there’s a competition from UPS. I doubt it, though. I think the U.S. Navy is probably – arguably the most distributed networked – and thus comms-dependent, meaning it’s a network – entity in the world. Obviously, it’s the one with the most, you know, importance. So an incredible challenge, because everyone can look to go after that target, right? How do you instill in an organization that large, that networked as you were just indicating, the kind of innovation and mindset and workforce over time – what’s your confidence about the ability to stay ahead – as you talked about in your opening remarks, stay ahead of those threats, given that, you know, when you’re number one everyone’s come at you?
VICE ADM. TIGHE: I think what you’re talking about principally is what we think of as assured command and control –
MS. HICKS: Yeah, mmm hmm.
VICE ADM. TIGHE: – the ability, you know, to be able to command and control forces, ships, weapons systems specifically, maybe a(n) individual weapon through the network. And that’s one of our pillars of information warfare that we have worked to build resiliency in. That includes cyber resiliency, but more important, you know, the diversity of – the diversity of communications paths that we may use. And so, you know, continuing to look at what are those options, how might we offer multiple paths for command and control, that’s what we’re sort of building into our mesh network of communications.
So, you know, any individual commander out there doesn’t have to worry about how his command gets there. (Laughs.) You know, it’s kind of like the internet. I don’t care what path it takes, I just need to know that it’s going to get there. We need to have that kind of resilience inside of our communications networks and datalinks, et cetera, so that whatever path is available – that’s not the way we’re architected today. We have a lot of stovepipe architectures out there. But as we move forward, looking for every possible path to be available for the highest-priority traffic that may need to flow from, you know, command and control of a weapon to orders coming from – you know, from ashore, et cetera. So we’re building that robustness into our – into our communication networks.
MS. HICKS: What priorities do you have at this point for investment as you’re looking ahead, whether it’s the next five years or the next year? You know, what do you want to make sure, given all the challenges that the Navy is facing on cyber, that you all have as a number-one focus?
VICE ADM. TIGHE: Yeah. That’s really – I mean, that’s – we have a lot of number ones.
MS. HICKS: I’m sure. (Laughter.)
VICE ADM. TIGHE: We do. We have a lot of number ones, and –
MS. HICKS: I used to help with that in the building, yeah. (Laughs.)
VICE ADM. TIGHE: And depending on which of my hats I put on, I might answer slightly differently.
MS. HICKS: Yes.
VICE ADM. TIGHE: But for this crowd, I think we have, particularly in the cyber defensive arena, the network situational awareness, the cyber situational awareness that we have begun to build, but still have some ways to go to be able to fully take advantage of the technologies that are out there and provide the warfighting commander with a sense of how his cyber risk posture might, you know, look at any given moment. That commander may want to look through a lens of, well, for ballistic missile defense today, I’m most interested in what are the risks that are associated with all the networks and systems that I need to be able to command and control for ballistic missile defense today, and I just want to look at that. Could I just organize my – you know, my view, my situational awareness view, my COP, to understand the threats associated with that? And if there – it may be we need to maneuver the network to make it more secure for this period of time because I think there is a threat out there I’ve got to be able to deal with, then that commander would have the ability to do that.
And so the situational awareness in cyberspace is something that Fleet Cyber Command needs to defend the network writ large, but it’s something that each of our tactical- and operational-level commanders also need to be able to tailor their view to. And we’ve been working that very hard for the C4ISR systems, the typical network systems that, you know, we’ve been working on for 10 years. That has to extend into the backbones of the enclaves onboard the ship, you know, to be able to see is there something strange going on in the whole mechanical engineering system, in the navigation system, in – you know, in the weapons system itself. And so we’ve got to have those sensors built-in. That’s more cyber situational awareness, but spread deeper into our mechanical systems, et cetera, so that that situational awareness can be rolled up for whomever.
You know, if you’re the guy responsible for HM&E, you want to be able to see that if there’s a problem coming from the network. If you’re the commander of the ship, you want to be able to tailor your view to understand your cyber risk writ large. If you’re the fleet commander, it’s a slightly different view. But it’s all drawing on the same data, and we should be able to pull that information together for them so they can make good decisions.
MS. HICKS: What is the potential that exists in artificial intelligence to enable you to achieve all that you’re trying to do, frankly, on the cyber side? And what are the risks?
VICE ADM. TIGHE: Yeah. I think there’s incredible potential in artificial intelligence and the machine learning side of that. Specifically, as we get more sensors out there, the degree to which we can aggregate, you know, sort of the data science of it – just the pure data science, not even out to artificial intelligence. To the degree we can aggregate that data in a way that we can see the trends, we can see the anomalous behavior, not signature-based but because it’s just anomalous – that’s not the way the – that’s not the way you shop online, you know, those kinds of – those tools that the banking system is using – this is not the way this network normally behaves. We’re seeing, you know, strange communications coming from, you know, the navigation system, and talking to the gas turbine generator. That’s not supposed to happen. Make it stop.
So the artificial intelligence pieces of that would be, you know, the risk calculus of what if I stop that signal, you know. Not just detect it, not just alert someone, but let’s just stop it before it happens. So being able to fine-tune that so that at machine speed we can detect threats and stop them from happening. And on the – you know, sort of the cyber intelligence side, being able to use machine learning and artificial intelligence to watch where the trends are going. OK, so what does this mean if there are – we’re seeing cyberattacks coming into these various places inside the Navy or inside the DOD or across our nation? I think there’s huge, huge opportunity here.
MS. HICKS: And you mentioned the nation piece. What’s the role and responsibility of the Navy as part of the national security community, as part of the overall cyber defense architecture? How do you all define that for yourselves?
VICE ADM. TIGHE: You’re saying the Navy specifically?
MS. HICKS: The Navy specifically. Is there a role that you feel you uniquely play inside that architecture, or not?
VICE ADM. TIGHE: Well, I think – we’re certainly a tremendous part of the joint force, so we have within Navy networks our own sensors, our own analysts, our own hunting capability for cyber adversaries. All of that work is aggregated with the other joint services under U.S. Cyber Command. We benefit from each other, and together we’re actually much stronger than individually – you know, individual services. So the Department of Defense benefits from that.
But we also contribute to the Cyber National Mission Force. We’ve got Navy teams that are part of that force, and that force has been designed with defense of the nation in mind. And so our contribution to that is providing sailors and tools and capabilities so that the commander of the National Mission Force, when called upon in defense of the nation, you know, has a ready and relevant capability to come to bear.
You know, the harder part of that is, well, how long does it take to call? Who’s going to call them? Who’s going to detect that there’s something that needs to be – that becomes a harder challenge. So the department has been preparing the Cyber National Mission Force for, you know, the defense of the nation, but we still have some, you know – at the machine speed at which an attack could disrupt operations – you know, all kinds of different operations that we depend upon as a nation, how quickly could – you know, can DOD respond if we’re outside of that process? So I think there’s still some work to be done there.
MS. HICKS: Work to be done, yes. I’m going to ask one more question and then I’m going to turn to the audience.
And that’s on the workforce side. You know, on cyber in particular, but overall I think also with intelligence, you’re working against an environment where these people are highly sought. Anyone who has these skills are highly sought. How do you keep a workforce energized and engaged and wanting to work for the Navy, as opposed to taking those skills into the commercial sector or otherwise?
VICE ADM. TIGHE: Well, I think the most important thing we do – certainly, it’s not going to be a financial incentive. We’re never going to compete financially. It has to be a combination of a couple of things: one, providing our workforce with the training and the tools that they need to get on mission and do the job, and giving them the meaningful work that they need. You know, they’re not sitting around waiting, they’re actually hands-on-keyboard doing work, and we have provided the right – you know, the right training and the right tools that they can be gainfully employed in defense of this nation. And, you know, that’s the other part of it. That sense of service, combined with having, you know, a productive, interesting, exciting work to do, where we’re prepared them for that work, is – you know, is the other part of the equation. And that’s –
MS. HICKS: Do you face recruiting challenges and retention challenges?
VICE ADM. TIGHE: We have not faced recruiting challenges. Our retention is pretty good across the cyber workforce. There are pockets where we – you know, we do struggle, very high-end – you know, the very high-end talent we struggle a little bit with. But again, some of the work that we provide is work that they cannot do anywhere else legally – (laughter) – and so they actually have a lot of fun with it. And so I think, you know, when we lose them, we lose them to our own partners, so they’re still part of the family. Even going to industry in a lot of cases, you know, there’s opportunity to partner and continue to benefit from that workforce.
MS. HICKS: Great.
OK, I’m going to open it to the audience. When I call on you, a mic is going to come. Give your name and your affiliation, and it has to be one question, and it should be a question without a statement preceding it. So why don’t we start right here in the front.
Q: Hi. Good morning. Yousef Alhami (ph) from FEMA.
MS. HICKS: Can you stand up? I’m sorry. Can you stand up? It helps.
Q: Yes, of course.
MS. HICKS: Thank you.
Q: Yes. Good morning. Yousef Alhami (ph).
So my question will be in regards of the control of the networks and the clouds and the bandwidth. Is there a specific way for the U.S. Navy to track the safety of the bandwidth and the safety of the clouds? Because information can create several breaches in (other context ?) of actions in these kind of sectors. Thanks.
MS. HICKS: For those who may not have heard, so safety of bandwidth and safety operating through a cloud.
VICE ADM. TIGHE: Right.
So, on the bandwidth side of the house, obviously, something we’ve been concerned about for a long time. The ability to jam or disrupt, you know, RF operations has been something we’ve been working on for a long time under our electromagnetic maneuver warfare concept. And so equipping the fleet with capabilities that allows them to monitor, you know, how our transmissions are being – you know, look, our own transmission self-awareness of our bandwidth; being able to, quite frankly, make good decisions about how we use the bandwidth we have. So if we go into a situation of reduced bandwidth availability, understanding what’s the most important communications that need to go out, and how we would operate in those sort of restricted-bandwidth environments – denied or degraded environments – is something that the fleet has actually been practicing and working on for many, many years, so that we – you know, it’s not suddenly, you know, you’re without electricity and you don’t know how to operate because you don’t have your cellphone and there’s no – you know, we don’t want to put our fleet in that situation. So we’ve actually been practicing how we would operate in those restricted-bandwidth situations.
At the same time, my job from an architecture perspective is to try to make, you know, that bandwidth as resilient as possible, have multiple ways by which we could provide bandwidth and innovative ways by which we could provide bandwidth. And so we are – you know, we have undertaken an assured command-and-control study that allows us to generate bandwidth in different kinds of time.
And to be quite frank, maneuvering in the RF spectrum is a key feature of fighting in the RF spectrum, in electronic warfare. Being able to maneuver different communications to different frequency bands or different types – modes of communication is something that we’re equipping the fleet and they’re practicing doing. So that’s the bandwidth side of the house.
On the – on the cloud side of the house, the – cloud security is, you know, something that DOD is taking a look at. We in the Navy have been looking very closely at that. The industry acknowledges that security of information in the cloud is a shared responsibility. That cloud service provider has a responsibility. The data owner has a responsibility. And recently you’ve seen lots of examples of where the data owner has brought in a third-party vendor to create analytics or to create – or to manage data for them and inadvertently exposed data to the open internet there.
So I view, you know, our responsibility – as we migrate more and more Navy data into the cloud and, you know, various types of clouds that we may be doing that into, we have our own responsibility to assure that we’re protecting our data and the operations of the users of that data. We have a responsibility in addition to what the cloud service provider has. And so what we’re looking at is: What is the right language to go into the contracts when we’re migrating to the crowd – what kind of language that provides the type of security that we expect? Either the cloud service provider is doing that security and is feeding us data back to assure us, or we have some ability to command and control inside of that cloud. And so we’ve been iterating internal to DOD and with – and with the cloud services provider on what that should look like for DOD specifically because we recognize our own responsibility.
And then, finally, you know, looking for opportunities to externally scan and verify. You know, in the same way that an adversary may be looking for opportunities to penetrate, let’s scan and look for exposures of data that was inadvertent, like – you know, like what we’ve been seeing in many of the cloud breaches. You know, it’s not somebody breaking in; it’s accidentally a misconfiguration. It’s the human component of how the data is being handled inside of – inside of the cloud that has actually exposed – inadvertently exposed the data.
MS. HICKS: OK. I have one all the way in the back.
Q: Charlie Dunlap from Duke Law School.
Ma’am, do you think that you’re getting the legal support that you need in the sense of rules of engagement and so forth? And are you having any challenges with your JAGs and your civilian lawyers understanding the technology enough to give you the kind of legal advice that you need? You spoke recently or just a moment ago about the language in the contract, and that would require a lot of knowledge of the technology.
VICE ADM. TIGHE: No, I think – I think that’s a great question. It’s been – you know, when you think about the rules-of-engagement side, my experiences were more in my previous jobs. I don’t have to invoke rules of engagement in the current job at the Pentagon – well, maybe just with my co-workers. (Laughter.)
But, you know, under U.S. Cyber Command and Fleet Cyber – the Fleet Cyber Command roles, that interaction with the legal staff – our JAGs and the civilian workforce that is at OSD – it has been pretty good. And, you know, I see that it is growing in terms of the knowledge – the knowledge base of the legal advisers there. Certainly, you know, across the country you’re seeing the lawfare discussions. I mean, it’s getting much more secure than – in cyberspace than it has been previously. But I think what the military justice side has done is look to create some experts – but again, they still end up being pockets of experts – that can support commanders in the rules-of-engagement side of the house.
On the contracting side of the house, that’s a completely – you know, that’s a completely different set of OGC types of lawyers that have to be – that have to be brought up and understand these things. I think the cloud part of it really challenges us because, again, we’re not talking about government-owned infrastructure that we can, you know, just do what we will with it. To the degree that we leverage the public cloud, different than the government cloud – the actual public cloud – you know, our ability to go in or to direct things inside of that commercial side, I think, is – will continue to challenge us as we’re writing the policies for what good security looks like when we put DOD data into public infrastructure. So there’s a lot – there’s a lot there for the legal side. But I think – you know I think everyone is – everyone is coming up on step, you know, at the same time.
MS. HICKS: Good.
OK, let’s come –
VICE ADM. TIGHE: Wait, can I –
MS. HICKS: Oh, yeah. Please, go ahead.
VICE ADM. TIGHE: Because it kind of touches on – I was thinking when you first asked it, you know, some of the challenges that are – that the legal side has is the lack of norms out there, right. And so international law, how do you apply it? What’s reasonable? You know, what’s reasonable to expect in cyber? Those norms – 10 years ago we thought, well, there’s just – there hasn’t been enough run time in the cyber warfare domain to establish norms of behavior and what’s acceptable.
Well, we’ve had an awful lot of examples of what, you know, 10 years ago we assumed would be construed as an act of war.
MS. HICKS: Right.
VICE ADM. TIGHE: And that – in a lot of cases there has not been a response, either a military response or diplomatic response. And so, you know, that gets back sort of to the policy. How do – how does the legal side advise us on, you know, what’s good policy going forward? And, you know, the example I used in the Ukraine, the international community did not even really come out strongly and say this is unacceptable; you cannot go after critical infrastructure. Where is the hue and cry in that?
And so if we – so what that says is that must be OK; that must be perfectly acceptable. When you’re not at war, you can attack someone’s critical infrastructure. You know, without that voice, without that strong response from the international community, we’re not going to get to real norms and standards of behavior that can then influence rules of engagement, et cetera.
MS. HICKS: Great answer.
OK, I think it was right here. Yeah. Thank you.
Q: Hi, Admiral. Steve Winters, independent researcher.
You mentioned AI several times. Could you comment on possible uses of AI as interpreting the behavior of adversaries to try and anticipate perhaps when they would attack? Because I’ve heard that the Russians, for instance, are feeding their supercomputers with all sorts of data on past NATO operations, and the computers are trying to learn from that so that they could advise the Russians when perhaps NATO might actually be on the verge of doing something. And so are we thinking of that?
MS. HICKS: This may go into your intel –
VICE ADM. TIGHE: Yeah.
MS. HICKS: – director of naval intel hat.
VICE ADM. TIGHE: No, I think that’s fascinating. I think the hardest job we have is predicting human behavior, right, and the sort of the cultural aspects of that, the differences between the different cultures and how you might predict one from the other. I think we as Americans are inherently bad at being able to understand other cultures and predict how – what their motivation might be and what actions they might take.
I can see an application for AI to look at historical – you have to look at it at a country-by-country basis. And as those countries have morphed and changed, I’m not sure if past behavior is good for projecting future, but I think it’s a start. I think it gets you to sort of that human-machine teaming, where, you know, there may be several plausible COAs that come out of what might happen or be able to predict what might happen. And that’s where the – you know, the human side comes in and either messes it up and interprets it wrong or takes advantage of it moving forward.
So I think there’s great potential. The hard part is, you know, being able to feed the beast, feed the AI machine with the data in a way that it can make – sense make of that data.
MS. HICKS: Good.
Let’s come –
VICE ADM. TIGHE: I wouldn’t want to have to be that solver, but I know we have people who can.
MS. HICKS: Over here, right in front. Sydney.
Q: Hi. Sydney Freedberg from Breaking Defense.
Admiral, you’ve said a couple of times we need diversity in communications. We need alternate ways to get the bandwidth. I presume that that doesn’t mean semaphores and signal flags and messages in bottles. But besides stick more different antennas on the ship, what does it actually mean? What kinds of options are you exploring so that, if one thing gets jammed or hacked or physically blown off the ship, you have another means and another means and a backup to the backup?
VICE ADM. TIGHE: Well, it’s exactly what you described, although I will say a semaphore is really going to be hard to hack, Sydney. That’s a joke. (Laughter.)
But, you know, as you suggest, it might mean different antennas. But to the degree that we can, I guess, be more conformal in our antenna designs on ships, you know, we’re not trading antennas in and out. To the degree that we can use software to find radios, you know, we’re not physically swapping hardware in and out. And so being able to leverage sort of those technological advancements to give us an ability to transmit in multiple different frequency bands and to be able to change the way-form types of we communicate, and to take advantage of novel commercial communication capabilities that people might not expect us to use, you know, I think we have to be willing to consider and innovate across a wide spectrum of solutions.
MS. HICKS: Good.
OK, let’s come to the middle here; how about second row right here.
Q: Hi. Justin Katz, Inside Defense.
You mentioned that there is a team from 10th Fleet investigating the McCain incident. Is there a similar team investigating the Fitzgerald? And is there a timeline on those assessments from the cyber teams?
VICE ADM. TIGHE: No, there is not a similar team on board. And, quite frankly – onboard Fitzgerald. Quite frankly, with respect to McCain, since this is a first of, we have a really hard time predicting sort of the timeline. It rather depends on what and if we find anything that looks suspicious and what and how we will go about determining whether it is actually suspicious or not.
So, you know, it could be weeks. It could be months. I don’t think it’s years. But it very much depends on if we find anything that we cannot explain.
MS. HICKS: OK. There’s – thank you, woman of the audience. Yes, thank you. (Laughs.) We have one right up here. My eyesight is clearly not what it once was.
Q: Hope Seck with Military.com.
You said earlier in your talk that sailors need to be able to fight through a cyberattack. And you addressed some elements of that – degraded network capability, that sort of thing. But I was wondering if you could expand on the other elements of what fighting through looks like and how that’s being incorporated into training right now.
VICE ADM. TIGHE: I think the best example I can give you is – you know, takes us back to the intrusion on the Navy networks back in 2013. We called it Operation Rolling Tide. And at that time the general response to a cyber intrusion, the way you deal with that is you shut it down. Well, the Navy-Marine Corps internet, over 350,000 accounts, is not something you could just shut down for an indeterminate amount of time and have the Navy business keep going. So that was something that Admiral Rogers at the time, while he was Fleet Cyber, you know, despite recommendations from others saying, oh, no, you’re going to have to shut it down and clean it out, he said there is no way I can – you know, we would be shutting down the Navy, the business of the Navy.
And so you take that same thought process and apply it to a shipboard environment and you’re like, you know, you can’t shut down the propulsion system and the navigation system and the communications system while you clean up. That’s not going to work. So the notion of fighting through the attack and what we have to be able to do is architect – and it’s not architected this way today – we’ve got to architect in an ability to isolate different segments of the network, of the total shipboard environment, so that if we detect something anomalous, we can isolate that and prevent potentially the adversary from moving into multiple different areas of the ship. And to the degree it’s isolated, then we go in to try to react and clean up and restore that.
And so that was one of our big lessons out of Operation Rolling Tide is, you know – and that was a sea change, really, for the cybersecurity community in the Navy, in the Department of Defense, that, you know, an intrusion, you know, as widespread and as on a network that large, you know, your response can’t be we’re just going to shut it down and clean it up. And so building both the architecture that allows us to isolate and the TTPs and the training that’s required to help the crews understand what they do is – you know, is exactly the types of things that we’re working on, identifying what those critical components are to allow the mission to continue and isolate – you know, and make those decisions moving forward.
So that’s the fight-through mentality that we mean. It’s the same thing we do when we take a – you know, if a ship, you know, had an explosion or had a – and you’ve seen it in Fitzgerald and McCain. You know, how do you fight through the water intruding into the – into the skin of the ship? You know, you begin to batten down the hatches and you isolate that intrusion. And you continue to fight the ship. And that’s what you saw in spades from our crews aboard Fitzgerald and McCain.
MS. HICKS: Let’s see. Right here on the edge, three rows back. Yeah.
Q: Mike Murphy, vice president of American Maritime Officers.
Admiral, could you elaborate a little bit on how the Navy plans to incorporate the 125 or so civilian merchant ships that are designated to carry the Army and Marine Corps into the theater during a contested environment?
MS. HICKS: In a contested environment, yeah.
VICE ADM. TIGHE: In a contested environment?
MS. HICKS: Yes, that was the end.
VICE ADM. TIGHE: OK. I think –
MS. HICKS: I think it’s cyber – I think he means a cyber-contested environment. Yes, largely? A cyber-contested environment or –
Q: Both cyber and physically, but cyber for you.
VICE ADM. TIGHE: No, I think – I think that’s a great question. Each of us – you know, each of the services and even our Military Sealift Command are all looking internally, you know, at the risks – at the risks of not being able to communicate, interoperate, and going about solving them individually, although we’re sharing across each of the services.
I think we share risk with, you know, Coast Guard, clearly, the Merchant Marine, MARAD, and across a wide spectrum. So we are interested and are continuing to innovate with all of the people that potentially have the same problems to solve that we do. So we solve them once and then can share them more broadly, beyond the Navy, with, you know, our Coast Guard brethren across our private – the private industry, particularly when it comes to marine technologies that are commercial off-the-shelf types of technologies out there.
And so it’s our intent to, you know, as we innovate, as we bring industry partners in to solve those problems, to be able to share them across. I don’t know if that’s answering your question precisely, but –
MS. HICKS: Well, I wonder – just broadening that out to something you had said earlier about third-party, you know, vendors, if you will. Obviously, the Navy has a lot of partners – some governmental, some nongovernmental. Some are – you know, most are operating in support contractors. And obviously there’s a lot of risk that comes with it. There’s a lot of gain. And there’s, from a cyber perspective, a lot of risk that you bear.
Are there – there’s no polite way to say this. Are there enforcement mechanisms in place to ensure that that broader Navy support industrial base is maintaining its cyber defenses to help you rather than hurt you?
VICE ADM. TIGHE: Absolutely. I mean, clearly the defense-industrial base was ground zero for the last 10 years or so in terms of theft of intellectual property.
MS. HICKS: Espionage, yeah.
VICE ADM. TIGHE: Espionage. You know, maybe –
MS. HICKS: Well, and commercial theft, yes.
VICE ADM. TIGHE: Maybe it’s really just theft of the intellectual property that can be used for gain. And so, you know, they have been very focused on improving their own cybersecurity. We have – DOD has been working towards and beginning to insert contract language about that.
MS. HICKS: Right.
VICE ADM. TIGHE: There has to be a consequence –
MS. HICKS: Right.
VICE ADM. TIGHE: – for losing, you know, government data inside of our partners’ networks. And so I think we’ve seen that really, compared to when I started at Fleet Cyber Command in 2014, that’s changed a lot in terms of the amount of breaches that are getting detected or reported. Sometimes, you know, that’s reported from an intelligence source.
MS. HICKS: Right.
VICE ADM. TIGHE: But in many cases the defense-industrial –
MS. HICKS: Self-reported.
VICE ADM. TIGHE: – is self-reporting it, and we’re dealing with that.
MS. HICKS: Good.
OK, let’s see. How about over on this side, right here? I think that’s five rows – four rows or five rows there.
Q: Good morning, Admiral. Amanda Hartgrave (sp) from the Office of Net Assessment.
What is the most significant challenge to meeting DOD’s maritime cybersecurity objectives in the next five years?
MS. HICKS: What are your basically priorities in meeting maritime –
Q: Most significant challenges –
MS. HICKS: Most significant challenges.
Q: – challenges you envision for the next five years in meeting your cybersecurity objectives.
VICE ADM. TIGHE: Sure. I think I’ll say – I’ll give you two answers. One is on the – when we talk about the maritime cybersecurity solution set, the cybersecurity industry writ large as it pertains to C4ISR systems, IT-based, you know, network systems, domain controllers, et cetera. That is a huge industry. There is a lot of opportunity to incorporate commercial products into our networks and into our network design. In fact, you know, I’d like to move faster at being able to bring new ones in and push older ones out, you know, as that industry continues to evolve.
When we talk about control systems, the Internet of Things side of the house, that industry, in terms of providing cybersecurity, is not very big. There’s not – there’s not nearly the amount of work going into securing, you know, physical devices that connect to a network. When you have systems of systems, you know, that – you know, if you’re running a power grid or running a modern destroyer, you’ve got a whole lot of systems of systems.
And understanding the potential cyber threats inside of those, having sensors in there, having tools to be able to go convince yourself that there’s not adversary militia software on your control systems, that is something that we’ve been pushing for several years to try to get more industry help in that regard, because our cybersecurity tools that we look at for the traditional IT networks do not work in the controls, inside of the control systems.
And so, you know, we need that innovation and development to continue to grow. And then I’ve got to be able to get it on the ships. And, you know, many of, you know, our modernization rate to get – you know, to go from a solution, you know, and an alteration to our systems, to getting it fully deployed across the entire fleet, takes a really long time. We’ve got to be faster. We’ve got to be faster.
So we’re looking at different types of architectures that allow us to move software in and out better. That works for your C4ISR systems. That doesn’t work so much for some of those marine systems that got put on the ship and was intended to last the life of the ship, not be modernized. You know, there was never a plan to modernize those.
So how do we get that situational awareness into those enclaves that are not your traditional C4I systems but, you know, beyond into the control systems?
MS. HICKS: I think we have time for one final question. Why don’t we go right here in the front? And then we’ll probably have reached our hour.
Q: Hi. Elias Groll from Foreign Policy Magazine.
You had mentioned that the McCain has an investigation looking at whether a cyberattack was a component of that incident but the Fitzgerald does not. Does the Navy have some indication in the McCain incident that there was a cyber-related incident and not in the Fitzgerald? Why the discrepancy between the two investigations?
VICE ADM. TIGHE: I think that the – you know, there was no indication on either account that – you know, that there was any cyber implication for the cause of the accident.
With the McCain incident happening so close to the Fitzgerald, I think the – you know, the speculation that began drove us. You know, we are going to go, you know, confirm that this is not – there is no indication in either accounts that cyber had anything to do with either of these. So we put the team onto McCain to go confirm that.
We have all the data from Fitzgerald. If anything is found, we can go back and take a look at that. You know, but that’s where we are today. And then, moving forward, codifying, you know, how we will do these types of mishap investigations to account for a cyber component moving forward is – you know, is where we will, you know, learn from the results of the McCain investigation and just make it part of the normal process of how we do mishap investigations moving forward.
MS. HICKS: Very good.
Well, Admiral Tighe, I want to thank you not only for sharing your time with us today and your thoughts on this very important topic of cyber defense in the maritime, but also for all your service and for everything you’re doing for the country day in and day out.
I just want to say a final thank-you to Lockheed Martin and to Huntington Ingalls Industries for their support today.
And please join me in a round of applause for Admiral Tighe. (Applause.)