CyberWire Daily - Modernizing the U.S. Navy's cybersecurity posture. [Special Edition]
Episode Date: February 20, 2023
Dave Bittner had a conversation with Commander Brandon Campbell of US Navy Cyber Defense Operations Command and Captain Steve Correia, Commanding Officer of Naval Network Warfare Command. They discussed the Navy’s cybersecurity advances and how they have implemented them. Commander Brandon Campbell is the former Operations Director at Navy Cyber Defense Operations Command and Task Force 1020 where they protect, detect, and respond to global cyber threats against Navy networks. Captain J. Steve Correia is the Commanding Officer of Naval Network Warfare Command and the Commander of Task Force 1010 under the U.S. Navy’s Fleet Cyber Command where they execute tactical-level command and control to direct, operate, maintain and secure Navy communication and network systems.
Transcript
You're listening to the CyberWire Network, powered by N2K.
The mission statement of the United States Navy is to recruit, train, equip, and organize
to deliver combat-ready naval forces to win conflicts and wars
while maintaining security and deterrence through sustained forward presence.
In today's world, achieving that mission means the U.S. Navy must maintain a high level of cybersecurity
in order to protect its data, networks, and systems from malicious actors.
My guests today are two distinguished naval officers on the front lines of that critical mission.
Commander Brandon Campbell is Operations Director at Navy Cyber Defense Operations Command.
Captain Steve Correia is Commanding Officer of Naval Network Warfare Command.
Commander Campbell leads off our conversation.
And I'm the Operations Director at Navy Cyber Defense Operations Command.
And essentially, at NCDOC is what we call it, we are chartered and responsible for protecting
and defending the Navy's global array of networks across 180 networks, to be exact.
And in that responsibility, we protect and defend against malicious cyber
activity and advanced persistent threats. And we do that 24-7, 365. And then if there's actually
an incident or an actual compromise on a Navy network, we're then also responsible for doing
the risk analysis, assessing it, and then when needed, expelling the adversary from our networks.
Captain Correia, how about you?
Naval Network Warfare Command's mission
is to operate and secure Navy networks
and communication systems.
So we do that in our ashore enterprise networks
and the ashore portion of our afloat networks.
And we're also designated under Fleet Cyber Command
as the commander of Task Force
1010, which we have tactical control of the command and control communications commands within
the Navy.
So I'd love to get the perspective from both of you. You know, the Navy's network has some
uniquely difficult defensive challenges. When you think about everything that's on your network,
you know, from data centers, office buildings, and then of course, ships and airplanes, and the global
distribution of all of that. And then also you're dealing with many levels of classification.
That's a big problem. And how do you come at that?
Dave, I'll start first. So that's part of the
reason why the Navy's taken a more agile approach and we've
moved to a more zero-trust approach is because of those complexities. I think for the longest time,
we tried to keep the adversary outside the walls of the castle, if you will.
But we've realized over time that that's difficult, if not impossible, in a lot of cases.
So we've increasingly adopted a zero-trust approach where we assume the adversary is inside the castle walls,
and we've put controls in place to guard the data and information systems from those adversaries.
To dovetail a little bit on that, the Department of Defense recently just issued, late last year,
its overarching first zero trust strategy.
And like Captain Correia just said, you know, the very first sentence of that strategy states that our adversaries are in our network.
So that's a huge paradigm shift in how we look at, evaluate, and design resilient networks, resilient and
secure networks. So in parallel with that, a part of that strategy, the Department of Defense has
underlaid and implemented seven essential pillars for its zero trust strategy. And then with each
one of those pillars, there are sub activities,
152 to be exact, and set a very lofty goal of achieving zero trust capability strategies and
principles no later than 2027. And the Navy is well on its way and helping pave the way
towards those capabilities, aggressively modernizing its IT, as well as implementing cloud-native
cyber defense and cyber secure tools. So it's been a really exciting time, and I'm really excited to
see how the next five years or so, as we modernize and get to 2027, what the changes of our landscape
and how we design and secure our networks are going to look like.
How have you all been able
to adapt? You mentioned moving things to the cloud.
We also, of course, had the pandemic and had to deal with more folks working from home,
bring your own device, things like that.
How does an organization as big as the Navy,
how do you adapt to those sorts of changes that happen in real time?
Commander Campbell, why don't you start off?
Yeah, so I think we took a look at different capabilities and tools that were out there
that were going to help us meet some of those pillars and targeted activities. And you're right,
scale is a problem for an organization as large as the United States Navy. You know, we've been really successful at implementing endpoint detection and response
tools.
We've pushed out those capabilities to over 400,000 endpoints across the entire global
sensor grid.
So that's been really exciting to see.
We've also utilized cloud-native SIEM and SOAR technologies to help build out and visualize and orchestrate what our data looks like.
And that's been really successful for us in terms of helping our analysts and operators sift through the billions of endpoints and signals that they get exposed to every day and whittle down through detections and automations what's really important for our analysts and operators.
And then another big factor, just like with any zero trust,
is identity management.
That is essential and a pivotal key aspect of implementing zero trust
and being able to provide users the access, the resources,
and the operations that they need when they need it and how they need it
and then being able to scale that back.
And Captain Correia?
Yeah, Dave. So the Navy's journey on Zero Trust really actually started with a pandemic. So it's very apt that you asked
about that. So we had a requirement to increase the number of remote, the amount of remote work that was going on in the Navy because of the pandemic.
And so that led us to use some collaboration tools.
Originally, that was a CVR that we rolled out across the DoD.
But as the Navy looked for its specific approach because the services have specific needs,
we decided to bake into our collaboration tools, cybersecurity, through the zero trust principles.
This was actually prior to the DoD's zero trust strategy.
And so we built a test environment, which we configured, and we took a purple teaming approach where we had a red team try to pen test it and get in there.
And then we made our sysadmin teams actually configure it.
So through that process,
we were able to really get a hardened environment,
a test environment.
And that's what we moved out on for the Navy's cloud environment,
which we dub Operation Flank Speed. And those were the core principles and the core
configurations that we use. So it's apt that you ask about the pandemic because that's really
what started us on the journey for cloud security and our cloud implementation,
which led us to a lot of other things like increased endpoint security that Brandon mentioned
through using things like MDE and other cloud-based tools.
I'm curious, how does this all affect your average sailor?
I'm thinking of someone who is out on a ship who is supporting the mission.
Just basic things. Do sailors have access to Wi-Fi?
What's available to them and how do you both keep them safe but allow them to keep in touch
with friends and family?
Yeah, it depends on the specific platform in some cases. I mean,
it's obvious that an aircraft carrier has more bandwidth and different capabilities
than, say, a smaller ship like a destroyer. But that is a challenge. It's been a challenge. But
I think we're, with things like LEO, we're looking, the Navy in general is looking at other
options. And we're definitely looking to harness those things. But from a cybersecurity standpoint,
you know, Zero Trust is, you know,
they say it's a journey, not a destination.
And that's definitely been the case for us.
It was a simpler environment to roll
some of those capabilities out ashore.
So our shore architecture
was definitely on the bleeding edge,
but we're definitely looking at
and implementing those
types of approaches afloat as well.
I'm curious, Commander Campbell, have there been any situations
where you all have come up against some sort of challenge where you just had to say to yourselves,
you know, this simply isn't working. We're going to have to reevaluate how we're doing this and
maybe come at this from a different direction.
How do you face those sorts of challenges?
Yeah, absolutely. that many, you know, maybe your audience and private organizations are going to face when trying to implement, you know, a massive change in culture management processes, you know, technical hurdles that
maybe we do have to work with, you know, Captain Correia mentioned Microsoft, for example, you know,
where we've had to reach out to our private vendors to help us design and implement new
solutions. So we've faced those challenges and what we've tried to take, we've tried to be
innovative and agile with that and, you know, and not be afraid of failure, you know, in terms of, you know, let buy-in if you're going to try to change the framework and the mindset
and implement capabilities like what's required to achieve zero trust.
So having the leadership buy-in, people like Aaron Weis,
the Department of the Navy CIO, Mr. Resnick,
who's a program officer for the Zero Trust Strategy,
and then the Department of Defense CIO, John Sherman,
their leadership and guidance have been essential. So if an organization is wanting to go down this
journey as well, they're going to have to have leadership buy-in and then understand that it's
not just a six-month journey. It's going to be a long process, and there's going to be failures
and challenges on the way, and you just got to roll with it and then learn and then try to iterate and then learn from that in order to be successful.
Captain Correia, I'm curious how much interaction goes on between you all and your colleagues in other branches of the military.
I'm thinking specifically, I know the Army has adopted a lenient bring-your-own-device policy.
Is that the kind of thing that you all keep an eye on to see how it goes for them over there?
Perhaps something you could consider for your own sailors?
Yeah, Dave, definitely.
The services, because of our unique requirements, have taken slightly different approaches, I think, when it comes to cloud and cloud security and even zero trust. But we do kind of keep an eye on each other,
either directly or through the DoD structure. In fact, last week, Brandon and I were up at
Fort Meade at JFHQ-DODIN's Endpoint Security Summit, where that exactly happened. The services, including the DoD CIO and others, it was a sharing session where we talked about our own experiences and our own reflections,
kind of what was working and what wasn't working as well to get that sharing between the services and the DoD structure.
You know, there's that old cliche, and forgive me for using it, but, you know,
a battleship doesn't turn on a dime. Do you all feel as though you have the ability to be nimble,
to react to the things that are coming at you with, again, with an organization as large
in breadth and depth
as the U.S. Navy?
Yeah, I'll take that one, Brandon. It's very perceptive, but in my career,
that's generally been my experience, but I think it's changed recently. And so we,
during the pandemic, because of leadership at the top, Mr. Weis, Ms. Youngs Lugo at PEO Digital,
so our acquisition partners, and operationally on our side,
myself and my predecessor, Captain Jody Grady, decided,
made a conscious decision to move out quickly on implementing cloud
once we had a secure implementation.
And we did so in the image of DevOps or Agile.
And our current framework is Scaled Agile Framework, so SAFe.
And we are definitely taking a more Agile approach.
And because of that, we're working together with acquisition partners and engineering
in a DevOps type of model where we are able to make agile decisions, make configuration
changes in that DevOps type of approach. And for me, it's been a revolution, you know,
very much getting away from the traditional waterfall approach where we took a long time
to write a requirement. And then the engineers went back into the engineering spaces and came
out with a product that wasn't to anyone's satisfaction on the ops world and a little
bit dissatisfaction on the engineering world too.
So we're in a different place right now where we're all working together toward a common
goal, and it's refreshing to see.
Commander Campbell, I'm curious what your pitch is for folks who may be considering
a career with the Navy.
We have a lot of listeners who are students coming up.
There are unique challenges there of joining the service, but also some really amazing opportunities.
Yeah, there really are.
And I'm wrapping up my two-decade career here in the next few months.
So I have done some reflection on that personally.
And it is an exciting time, especially in the cyber field, the cyber community at large.
There's a large modernization effort going on across the Navy.
You know, I've had the unique opportunity through my career, through working with SEAL teams, to being deployed on ships, aircraft, and the whole host, the whole gamut.
So it's always exciting.
It's always challenging.
There are a lot of educational benefits and opportunities if you just take advantage of them.
So I would encourage anyone out there who's looking for a way to get a little excitement,
to do a very, very important mission for our Navy and for the national security of our nation,
and really just kind of embrace it and know that it's going to be long. Sometimes it's going to be hard and challenging, but at the end of it, you absolutely will be better off for it. And then walk away from the rest of your life knowing that you've served your nation and you've done something really unique and special.
So, yeah, I'm super excited to what the future holds, and especially as this advancing career in this industry and in the cyber defense and cyber security space and where it's going to go here in the next five,
five plus years.
You know, Captain Correia, we have quite a few senior members of industry and government
who listen to our show.
I'm curious if you had the opportunity to ask, is there any support or assistance that
you would request from those folks?
Actually, Dave, the support has been great to the approach that we've taken. And Brandon mentioned this earlier, the leadership has really leaned in on this, and they've put their money where their mouth is because they've really, really supported us on various approaches that we've taken, but also on the common decisions that we've made to secure the network.
And in some cases, you know, we've taken a pretty aggressive approach on security,
which, you know, can have impact in some cases,
but we've kind of all worked on that together and finding that right balance.
So I just want to say thank you, actually, to the leadership for the support.
Our thanks to Commander Brandon Campbell, Operations Director
at Navy Cyber Defense Operations Command, and Captain Steve Correia, Commanding Officer of
Naval Network Warfare Command. We appreciate them taking the time for us.