The increased digitalisation of navies has led to an increased interest in implementing cybersecurity solutions. Cyberattacks are analogous to physical warfare; the success of an offensive will determine its detrimental effect. Norbert Neumann discovers there are some fundamental differences.
To date, no comprehensive cyberattack targeting naval facilities has come to light. However, the digitalisation of command and control systems in warships and the connection of naval assets via radio frequencies, satellite and data links have increased ships’ susceptibility to cyber threats.
The US and Royal Navy (RN) are taking very similar approaches in building their cyber-resilience, and they are not limited to technology.
Cyber threats and navies
The kind of damage a potential cyberattack could inflict on naval assets largely depends on the nature of the vulnerability and how that is exploited, RAND senior information scientist Bradley Wilson believes.
“Modern navies would have many of the same things to worry about as private companies do, whether they are serving a back-office function or managing an industrial control system. Typically – a ‘defence in-depth’ approach is used to protect data and systems, monitor them, and respond, when necessary,” he says.
In common with all armed forces, navies are increasing their reliance on digital technology, which brings the threat of more cyberattacks on those digitalised assets and of more severe impact. But the nature of the vulnerability and the attacks would determine the scale of the problem, Wilson says.
He explains: “Are they more probing attempts to exfiltrate information by low level minimally resourced actors, or something more robust? Further, is there any cyber deterrent employed that might put downward pressure on attacks? These are just some of the things that would drive the volume of attacks.”
But besides some added complexity stemming from the nature of the maritime context, naval cyberspace is not very different from cyberspace in other domains; forces need to ensure preparedness.
US Navy and Royal Navy
US Navy cyber security division director of the Office of the Chief of Naval Operations Rear Admiral Susan BryerJoyner says, however, that there is a fundamental difference we need to bear in mind.
“I would argue that in cyberspace, just based on the pervasiveness of the domain and the high level of interaction every individual in the navy has in that domain, is a much broader problem than we have in the other warfare areas,” BryerJoyner explains.
She also emphasises the importance of the US Navy’s ‘defence in-depth’ approach, saying that no system is ever going to be fully secure on its own. But making attackers work their way through individual layers before reaching their intended target can significantly increase the cost of an attack, and discourage and slow down cyber threats.
“It starts with physical security, system isolation and reducing attack surface that adversaries can touch,” BryerJoyner says.
There is an emerging concept called zero trust, and the idea is that implementing it can eliminate the need for defence in depth. But she warns about the potential issues of that approach.
“When you look at the types of information that need to be accessed to implement zero-trust, identity being a key one, it is very difficult to implement that level of configuration at the tactical edge”, BryerJoyner explains.
“To some extent, it has an unvoiced reliance on access to commercial Cloud. That’s where the information is going to be stored and that’s where the analytics are going to be done. That is not readily available at the tactical edge.”
Instead, she says, the US Navy is looking into zero-trust principles and how they can be applied to its defence-in-depth approach, so that modern principles are applied to the greatest extent possible.
The RN’s thinking about cyberspace is no different from the US Navy’s, and it also understands that cyber-readiness is a fundamental component of operational readiness and that ensuring solid cybersecurity is an integrated part of the force.
The overall RN cyber strategy is part of a broader strategy called Cyber and Electro-Magnetic Activity (CEMA) that addresses the Navy’s ‘understand, protect, develop, operate, export and sustain’ methodology.
Information Warrior and NAVWAR
The RN’s Information Warrior joint, multi-domain training event has taken place every year since 2016. It is an environment for the RN to develop and demonstrate its information warfare programme innovations in five different areas including CEMA. The exercise allows the RN to test new concepts at all stages of the development lifecycle, including the measurement of current capabilities against novel threats.
The US Navy Naval Information Warfare Systems Command (NAVWAR) fulfils two major roles. Primarily, it acts as the system command for the design, development, fielding and upgrade of the Navy’s command, control, communications and computers system.
“It deploys systems ashore and afloat, and its job as a system command is to ensure that the programmes are developing and upgrading our systems and taking the new technologies and principles into account,” says BryerJoyner.
This includes the testing of various cloud-based applications and their abilities to work in a maritime context.
NAVWAR is also a cybersecurity technical authority. That means that it examines the standards across the systems that are to be implemented from a cybersecurity perspective.
“It works with chief engineers across all of the system commands to identify and formalise those cybersecurity standards as we need to embed in our systems,” BryerJoyner explains.
This applies to various parts of the US Navy, such as Naval Sea Systems Command, Naval Air Systems Command and naval facilities.
Core of cybersecurity
BryerJoyner deems monitoring and relevant technologies the most important element of cybersecurity. Having a full understanding of the systems and their normal functionalities will allow the US Navy to detect and identify anomalies more quickly, and that, in turn, leads to a more rapid counter-response.
But she warns that focusing on individual technologies is not as productive as concentrating on technological approaches. Around three years ago, the US Cyber Command began working on a framework called Navy Operational Command and Control System.
BryerJoyner says: “It’s a framework to identify what cybersecurity information and network operations information needs to be collected and aggregated in order to provide good situational awareness of the network.”
This helps the Navy understand what normal is and thus spot anomalous activity better. For the same reasons, RN research aims to baseline ‘normal’ for its systems and platforms. But preparing for cyber threats is multifaceted.
Wilson says: “Part of it is that ships take a long time to build and many in the fleet are older, yet typically the most cyber-secure platforms are those that have been designed and built with security in mind from the beginning.”
BryerJoyner echoes this, saying: “Preparations start at the system design and extend into systems operation and sustainment, but it really is not just about technology.”
Although cyberattacks can be very damaging and both the US and the Royal Navy deem it extremely important, BryerJoyner says there is an important distinction between what is possible and what is probable in cyberspace.