Special Editions 2.20.23
Ep 49 | 2.20.23

Modernizing the U.S. Navy's cybersecurity posture.

Transcript

Dave Bittner: The mission statement of the United States Navy is to recruit, train, equip and organize to deliver combat-ready naval forces to win conflicts and wars while maintaining security and deterrence through sustained forward presence. In today's world, achieving that mission means the U.S. Navy must maintain a high level of cybersecurity in order to protect its data, networks and systems from malicious actors. My guests today are two distinguished naval officers on the front lines of that critical mission. Commander Brandon Campbell is operations director at Navy's Cyber Defense Operations Command. Captain Steve Correia is commanding officer of Naval Network Warfare Command. Commander Campbell leads off our conversation.

Brandon Campbell: And I'm the operations director at Navy Cyber Defense Operations Command. And essentially, at - NCDOC is what we call it - we are chartered and responsible for protecting and defending the Navy's global array of networks - across 180 networks, to be exact. And in that responsibility, we protect and defend against malicious cyber activity and advanced persistent threats. And we do that 24/7, 365. And then if there's actually an incident or an actual compromise on a Navy network, we're then also responsible for doing the risk analysis, assessing it, and then when needed, expelling the adversary from our networks. 

Dave Bittner: Captain Correia, how about you? 

Steve Correia: Naval Network Warfare Command's mission is to operate and secure Navy networks and communication systems. So we do that in our ashore enterprise networks and the ashore portion of our afloat networks. And we're also designated under Fleet Cyber Command as the commander of Task Force 1010, which we have tactical control of the command or control communications commands within the Navy. 

Dave Bittner: So I'd love to get the perspective from both of you. You know, the Navy's network has some uniquely difficult defensive challenges. When you think about everything that's on your network, you know, from data centers, office buildings, and then, of course, ships and airplanes and the global distribution of all of that - and then also you're dealing with many levels of classification. That's a big problem. And how do you come at that? 

Steve Correia: Dave, I'll start first. So that's part of the reason why the Navy's taken a more agile approach and we've moved to a more zero-trust approach is because of those complexities. You know, I think for the longest time we tried to keep the adversary outside the walls of the castle, if you will. But we've realized over time that that's difficult, if not impossible in a lot of cases. So we've increasingly adopted a zero-trust approach where we assume the adversary is inside the castle walls, and we've put controls in place to guard the data and information systems from those adversaries. 

Brandon Campbell: To dovetail a little bit on that, you know, the Department of Defense recently just issued late last year its overarching first ever zero-trust strategy. And like Captain Correia just said, you know, the very first sentence of that strategy states that our adversaries are in our network. So that's a huge paradigm shift in how we look at, evaluate and design resilient networks, resilient and secure networks. So in parallel with that part of that strategy, the Department of Defense has underlaid and implemented seven essential pillars for its zero-trust strategy. 

Brandon Campbell: And then with each one of those pillars, there are subactivities - 152 to be exact - and set a very lofty goal of achieving zero-trust capability, strategies and principles no later than 2027. And the Navy is well on its way and helping pave the way towards those capabilities, aggressively modernizing its I.T. as well as implementing cloud-native cyberdefense and cybersecurity tools. So it's been a really exciting time, and I'm really excited to see how the next, you know, five years or so as we modernize and get to 2027, what the changes of our landscape and how we design and secure our networks are going to look like. 

Dave Bittner: How have you all been able to adapt? You know, you mentioned moving things to the cloud. We also, of course, had the pandemic and had to deal with more folks working from home, bring your own device, things like that. How does an organization as big as the Navy - how do you adapt to those sorts of changes that happen in real time? Commander Campbell, why don't you start off? 

Brandon Campbell: Yeah, so, I think we took a look at different capabilities and tools that were out there that were going to help us meet some of those pillars and targeted activities. And you're right. Scale is a problem for an organization as large as the United States Navy. You know, we've been really successful at implementing endpoint detection and response tools. We push out those capabilities to over 400,000 endpoints across the entire global sensor grid. So that's been really exciting to see. We've also utilized cloud-native SIEM and SOAR technologies to help build out and visualize and orchestrate what our data looks like. And that's been really successful for us in terms of helping our analysts and operators sift through the billions of endpoints and signals that they get exposed to every day and whittle down through detections and automations what's really important for our analysts and operators. And then another big factor, just like with any zero trust, is identity management. That is a central and a pivotal key aspect of implementing zero trust and being able to provide users the access, the resources and the operations that they need when they need it and how they need it and then able to be able to scale that back. 

Dave Bittner: And Captain Correia. 

Steve Correia: Yeah, Dave. So the Navy's journey on zero trust really actually started with the pandemic, so it's very apt that you asked about that. So we had a requirement to increase the number of remote - the amount of remote work that was going on in the Navy because of the pandemic. And so that led us to use some collaboration tools. Originally, that was DISA CVR that we rolled out across the DOD. But as the Navy looked for its specific approach because the services have specific needs, we decided to bake into our collaboration tools cybersecurity through the zero trust principles. This was actually prior to the DOD's zero trust strategy. 

Steve Correia: And so we built a test environment which we configured, and we took a purple teaming approach where we had red team try to, you know, pen test it and get in there. And then we made our sysadmin teams actually configure it. So through that process, we were able to really get a hardened environment, a test environment. And that's what we moved out on for the Navy's cloud environment, which we dubbed Operation Flank Speed. And those were the core principles and the core configurations that we used. So it's apt that you ask about the pandemic because that's really what started us on the journey for cloud security and our cloud implementation, which led us to a lot of other things like increased endpoint security that Brandon mentioned through using things like MDE and other cloud-based tools. 

Dave Bittner: I'm curious. How does this all affect your average sailor? I'm thinking of - there's someone who is out on a ship who is supporting the mission. Just basic things - do sailors have access to Wi-Fi? You know, what's available to them, and how do you both keep them safe but allow them to keep in touch with friends and family? 

Steve Correia: Yeah, it depends on the specific platform in some cases. I mean, it's obvious that an aircraft carrier has more bandwidth and different capabilities than, say, a smaller ship like a destroyer. But that is a challenge. It's been a challenge. But I think we're - with things like Leo (ph), we're looking - the Navy in general is looking at other options. And we're definitely looking to harness those things. But from a cybersecurity standpoint, you know, zero trust is - you know, they say it's a journey, not a destination. And that's definitely been the case for us. It was a simpler environment to roll some of those capabilities out ashore. So they - we were - the shore - our shore architecture was definitely on the bleeding edge. But we're definitely looking at and implementing those types of approaches afloat as well. 

Dave Bittner: I'm curious. Commander Campbell, have there been any situations where you all have come up against some sort of challenge where you had to say to yourselves, you know, this simply isn't working; we're going to have to reevaluate how we're doing this and maybe come at this from a different direction? How do you face those sorts of challenges?

Brandon Campbell: Yeah, absolutely. You know, the Navy is not so unique where, you know, we're not going to get faced with, you know, the same type of challenges that many - you know, maybe your audience and private organizations are going to face when trying to implement, you know, a massive change in culture and design of zero trust strategies and principles. So, you know, maintenance and upkeep are still an issue. You know, change management - new change management processes, you know, technical hurdles that maybe we do have to work with - you know, Captain Correia mentioned Microsoft, for example, you know, where we've had to reach out to our private vendors to help us design and implement new solutions. 

Brandon Campbell: So we've faced those challenges, and what we've tried to take - we've tried to be innovative and agile with that and, you know, not be afraid of failure, you know, in terms of, you know, let's learn fast. Let's try to fail quickly and then iterate and learn and get better. I would say one real important aspect that has really helped in the Navy in general is the leadership that's been involved. Just like any organization, you're going to have to have leadership buy-in if you're going to try to change the framework and the mindset of - and implement capabilities like what's required to achieve zero trust. So having the leadership buy-in, people like Aaron Weis, the Department of the Navy CIO, Mr. Resnick, who's a program officer for zero trust strategy, and then the Department of Defense CIO John Sherman - their leadership and guidance have been essential. So if an organization is wanting to go down this journey as well, they're going to have to have leadership buy-in and then understand that it's not just a six-month journey. You know, it's going to be a long process. And you're just going to - and there's going to be failures and challenges on the way. And you just got to roll with it and then learn and then try to iterate and then learn from that in order to be successful.

Dave Bittner: Captain Correia, I'm curious how much interaction goes on between you all and your colleagues in other branches of the military. I'm thinking specifically - I know the Army has adopted a lenient bring-your-own-device policy. Is that the kind of thing that you all keep an eye on to see how it goes for them over there, perhaps something you could consider for your own sailors? 

Steve Correia: Yeah, Dave, definitely. You know, the services, because of our unique requirements, have taken slightly different approaches, I think, when it comes to cloud and cloud security and even zero trust. But we do kind of keep an eye on each other, either directly or through the DOD structure. In fact, last week, Brandon and I were up at Fort Meade at JFHQ-DODIN's Endpoint Security Summit, where that exactly happened. The services kind of - the DOD - including the DOD CIO and others, kind of - it was a sharing session where we talked about our own experiences and our own reflections, kind of what was working and what wasn't working as well to get that sharing between the services and the DOD structure. 

Dave Bittner: You know, there's that old cliche - and forgive me for using it but, you know, a battleship doesn't turn on a dime. Do you all feel as though you have the ability to be nimble, to react to the things that are coming at you, again, with an organization as large in breadth and depth as the U.S. Navy? 

Steve Correia: Yeah, I'll take that one, Brandon. It's very perceptive. But, you know, in my career, that's generally been my experience. But I think it's changed recently. And so we, during the pandemic, because the leadership at the top, Mr. Weis, Ms. Youngs Lew at PEO Digital - so our acquisition partners - and operationally on our side, myself and my predecessor, Captain Jody Grady, decided - made a conscious decision to move out quickly on implementing cloud once we had a secure implementation. And we did so in the image of DevOps or Agile. And our current framework is Scaled Agile Frameworks, so SAFe.

Steve Correia: And we are definitely taking a more agile approach. And because of that, we're working together with our acquisition partners and engineering in a DevOps type of model where we are able to make agile decisions, make configuration changes in that DevOps type of approach. And for me, it's been a revolution, you know, very much getting away from the traditional Waterfall approach, where we took a long time to write a requirement. And then the engineers went back into the engineering spaces and came out with a product that wasn't to anyone's satisfaction on the ops world and a little bit dissatisfaction on the engineering world, too. So we're in a different place right now, where we're all working together toward a common goal. And it's refreshing to see. 

Dave Bittner: Commander Campbell, I'm curious of what your pitch is for folks who may be considering a career with the Navy? We have a lot of listeners who are students coming up. There are unique challenges there of joining the service, but also some really amazing opportunities. 

Brandon Campbell: Yeah, there really are, you know? And I'm wrapping up my two-decade career here in the next few months. So I have done some reflection on that personally. And it is an exciting time, especially in the cyber field, the cyber community at large. There's a large modernization effort going on across the Navy. You know, I've had the unique opportunity through my career, through working with SEAL teams, to being deployed on ships, aircrafts and the whole host, the whole gamut. So it's always exciting. It's always challenging. There are a lot of educational benefits and opportunities if you just take advantage of them. 

Brandon Campbell: So I would encourage anyone out there who's looking for a way to get a little excitement, to do a very, very important mission for our Navy and for the national security of our nation. And really just kind of embrace it. And know that it's going to be long. And sometimes it's going to be hard and challenging. But at the end of it, you absolutely will be better off for it and then walk away for the rest of your life knowing that you've served your nation and you've done something really unique and special. So yeah, I'm super excited and - to what the future holds, and especially this advancing career and this industry and the cyberdefense and cybersecurity space and where it's going to go here in the next five-plus years. 

Dave Bittner: You know, Captain Correia, we have quite a few senior members of industry and government who listen to our show. I'm curious, if you had the opportunity to ask, is there any support or assistance that you would request from those folks? 

Steve Correia: Actually, Dave, the support has been great to the approach that we've taken. And Brandon mentioned this earlier. The leadership has been - has really leaned in on this. And they've put their money where their mouth is because they've really supported us on various approaches that we've taken, but also on the common decisions that we've make - we've made to secure the network. And in some cases, you know, we've taken a pretty aggressive approach on security, which, you know, can have impact in some cases. But they've - you know, we've kind of all worked on that together, on finding that right balance. So I just want to say thank you, actually, to leadership for the support. 

Dave Bittner: Our thanks to Commander Brandon Campbell, operations director at Navy Cyber Defense Operations Command, and Captain Steve Correia, commanding officer of Naval Network Warfare Command. We appreciate them taking the time for us.