Anchors Aweigh: A CIO's Farewell
In what may be his final blog as Navy chief information officer, Rob Carey writes the Navy should establish a doctrine to train its cyber defenders as if they were attackers:
"We need to ensure that our network defenders possess the same skills and knowledge as our attackers. Our goal should be to break down the barriers between the defenders and the red teams. After all, we are all on the same team."
Carey, who has served as Navy CIO for the past four years, will begin a new assignment as director of strategy and policy at the Navy Fleet Cyber Command/10th Fleet in the coming weeks. In that job, where he'll report to Vice Adm. Bernard McCullough, the 10th Fleet commander, Carey will help develop cybersecurity strategy for the IT and communications systems that support the Navy's war fighting apparatus.
The outgoing Navy CIO, one of the first government CIOs to write a blog as a way to open a dialogue with Navy and Marine IT personnel and users, focused his latest blog on cybersecurity:
"As I step closer to the operational component of the cyber world with my move to U.S. Fleet Cyber Command/U.S. 10th Fleet, the concept of team, as it relates to cybersecurity, becomes even more important to me. This means industry, academia, military, civilians and contractors working together toward a singular purpose: to operate and defend the department's networks against attack, while enabling access to information for those who require it."
Besides training defenders as attackers, Carey leaves his post with several other notions such as no one tool will carry the day and the need for a cybersecurity investment management tool. Carey writes that the Navy Department has done an adequate job of balancing the risk associated with information access, but:
"Where will we spend our next $10, what will we get for it, and how can we demonstrate the value of the expenditure to our bosses sitting in the E Ring (outer ring of the Pentagon, where the top brass resides)? What we develop next, the cost and the problems it solves must be based on the ever-changing threat landscape. A dire need exists for the department, and every federal agency, to be able to plan its next investment and understand (based on what is already deployed) what we will get in return for our next investment and what the metrics-based payoff will be. The ultimate outcome is to reduce the number of successful attacks on the network."
Carey also had kind words for Defense Secretary Robert Gates' initiative to consolidate DoD's information technology infrastructure, characterizing the plan as "spot on." Earlier this month, Gates announced a major reorganization of Defense IT, including the elimination of the Network and Information Integration unit, whose head - an assistant secretary - also serves as DoD's CIO. Gates also said he intends to eliminate the Joint Chiefs of Staff's Command, Control, Communications and Computer System operation known as J6, whose mission is to lead the joint communications community to achieve the decisive information advantage through a single, coherent, secure and globally accessible joint information environment. Many of the Network and Information Integration and J6 responsibilities will be absorbed by other DoD units including the Defense Information Systems Agency and the Office of Acquisition, Technology and Logistics.
Carey writes that across the department's four major domains - afloat, ashore (continental U.S.), ashore (overseas) and tactical, the basic network architecture is the same: IP.
"There may be radio frequency links or fiber optics involved, but the majority of TCP/IP packets must be able to move freely around the world. That being said, our infrastructure stovepipes must be opened and secured appropriately. Many lower echelon commands are operating independently from mainstream networks; however, future budgets will no longer support this model, again suggesting that teamwork is needed for success."
As he leaves one Navy post to another, Carey expresses faith in the personnel and leadership of the Navy and his Army and Air Force counterparts to collaborate on cybersecurity:
"When it comes to cybersecurity, teamwork wins the day."