The Navy League's annual SeaAirSpace Exposition, meeting this week in National Harbor, Maryland, addresses matters of concern to the US Navy, Marine Corps, and Coast Guard, and to those companies and organizations that work with, support, and depend upon those services. As always, the attendance is international. This year some cybersecurity companies were among the exhibitors--we spoke with Raytheon, Engility, and Palo Alto Networks, and we saw Tripwire. As Palo Alto put it in conversation, there's a perceived need for education of senior leadership that would move the Sea Services beyond a patch-and-repair approach to cybersecurity that can still remain too easy to fall into by default.
That those services are aware of the challenges they face in cyberspace, and are at least in principle aware of the opportunities that advanced and innovative approaches to security offer, would be hard to deny. A panel of Service cyber commanders described the US cyber posture as remaining essentially "reactive," and specifically called out Russia, China, Iran and North Korea as adversaries who are deliberately and "thoughtfully" building the capacity to challenge US interests in cyberspace. NAVAIR's Training Systems Division called out cybersecurity as one of its priorities, something it understands it needs to address across its spectrum of operations. US Strategic Command, of which the Navy's ballistic missile submarines make up an important part, recognizes its need to continue to incorporate effective cybersecurity into nuclear command-and-control systems.
The Services are, however, also very aware of budget constraints and the need to keep large numbers of platforms with very long lifecycles functioning effectively in a constantly evolving threat environment. (A warship, even a warplane, has a lifespan that can seem like an eternity by tech industry standards.) They see budget uncertainty as deeply problematic, rendering planning within the requirements process even more cumbersome than it is under ordinary circumstances, and they also see such uncertainty as potentially impeding the introduction and improvement of necessary cyber capabilities to the forces.
The Navy's longstanding commitment to network-centric warfare was much in evidence on the exhibit floor. Engility was noteworthy among the companies offering the sort of in-service cybersecurity engineering and assurance support the Services use in training, maintenance, and deployment. We also had a long talk with Raytheon about their program to develop cyber defense capabilities for aircraft.
The US Marine Corps was, as it always is, a highly visible presence on the floor. The Corps offered some discussion of its new cyber military occupational specialties (MOS). These will be available for enlisted Marines as well as noncommissioned, warrant, and commissioned officers. The advantage the Corps sees in this change is that MARFORCYBER will be able to retain its experienced personnel without having to rotate them back to a primary specialty after a few years of service. The personnel system is self-consciously modeled on that used by Marine Corps Forces Special Operations Command.
Lest anyone think otherwise, the Corps is quick to point out that its recognition of a need to recruit young people with cyber aptitude will result in no relaxation of its well-known high standards. There's a well-known millennial hacker stereotype--pudgy, scruffy, pierced-and-tatooed beyond reason, and of course parental-cellar-dwelling. Unfair or not, the Corps will have none of it. As cyber-boss Major General Lori Reynolds explained, if you're going to join, you'll first become a Marine, then a rifleman, and then a cyber operator. All the other US armed forces tend to recruit with the promise of service, career, and (sometimes) adventure. The Corps has long offered the promise of transformation, not accommodation, and (semper fi) that doesn't seem about to change.