Rear Adm. Danelle Barrett, USN, the US Navy’s director of cyber security, discusses improving cyber security, changing culture, training better cyber leaders, information warfare and more with Defense & Aerospace Report Editor Vago Muradian. The interview was conducted at the Navy League’s 2019 Sea Air Space conference and tradeshow near Washington where our coverage was sponsored by GE Marine, Huntington Ingalls Industries and Leonardo DRS.
Vago Muradian: Welcome to the Defense and Aerospace Report. I’m Vago Muradian here at the Navy League’s Annual Conference and Trade Show, Sea Air Space, the number one gathering of U.S. Navy leaders from around the world to meet with their international counterparts and also talk about strategy, technology, budgets and more. Our coverage here is sponsored by GE Marine, Huntington Ingalls Industries and Leonardo DRS.
It’s our honor to talk to the Cyber Security Chief of the United States Navy, Rear Admiral Danelle Barrett who is also the Deputy Chief Information Officer of the Navy. Ma’am, thanks very much for your time.
Rear Admiral Danelle Barrett: Thanks for having me. I appreciate the opportunity.
Mr. Muradian: You are one of the busiest people in the Navy. There was recently a Cyber Security Readiness Review that was spearheaded by Michael Bayer with a crack team. We did an interview with Michael, and that’s up on our web site. That was a very honest effort by the Secretary of the Navy to be like look, let me get an outside group of experts to come in and take an unvarnished look at cyber security in the United States Navy. You’ve taken a look at that report. You’re working with your Marine counterpart to sort of address bits of that report and how you translate it to reality.
Talk to us about sort of the good, the bad, and the ugly that the report discussed and how that’s shaping your thinking and how you and the Navy/Marine Corps team think about the future.
Rear Admiral Barrett: We really appreciated the report because the Secretary of the Navy had the intestinal fortitude to say hey look, we know we’ve got some issues and we want to have somebody outside look at us. We’ve been looking at ourselves internally for several years and putting billions of dollars into beefing up our cyber security. But sometimes when you’re living in your own house you don’t notice your windows might be dirty. Right? You have to find an outside voice to take a look and see where maybe you’re missing something systemically.
So we were very glad the he said hey, I’m going to be open kimono, I’m going to give you our best people and we did. For example we had Navy captains on the team and other people who are integrated, integral into our cyber security effort who were on that team to help identify where are there challenges and things like that.
So when the report came back there were very interesting things in there. I wouldn’t call anything like an aha moment. They weren’t like oh, my God, we have to fix it like this moment. But there were many, many things in there that we said okay, that is something that one, we don’t have something working on yet and we need to, or that is something we have effort on but we need more effort, or maybe it’s an effort that is going okay, and they just maybe weren’t aware of.
So some of the things that were very interesting to me were a lot of the cultural pieces, too. With cyber security, technology’s the easy part. You can apply a technology, a defense in depth strategy, a zero trust strategy or whatever, and all the tools and the monitoring and everything that comes with that. And that’s challenging on our networks from a technical perspective because we do have disparate networks. They’re old, they’re not always connected well. So it’s a bit of a challenge.
But the harder part is the people piece. How do I get so that everybody feels in the Navy that cyber security is their responsibility? On a ship, if everybody’s on the ship and the ship takes a hit, everybody does damage control. It’s not even a question. You do it. It’s inherent. You’re saving somebody’s life. People need to think that way about cyber security. So how do we do that not just at the deck plate level like I talked about but at the senior level too, to say hey, cyber security is as important as buying an aircraft carrier. If I have to live with one maybe less aircraft carrier so I can get a different cyber security capability or posture, or process in place, then maybe that’s worth it to do that. Again, it’s just challenging some root assumptions that we have both at the senior leadership level and at the lowest level to make it inculcated in everything we do.
Mr. Muradian: So how do you do that educational process? President Obama used to make that joke. Like whatever you do, don’t have password 123 as your password. It was very funny until you realized the Government Accountability Office did a study and a vast majority of some of our most classified systems like have the equivalent of password 123 on them.
Oftentimes when you talk to even the savviest senior warfighting leader, they have a tendency of saying I have really good cyber people who work for me. So talk to us about the base level education required even of the folks in the community, but then how your community actually works with senior leaders to think and understand this battle space as well as they understand the air domain, the undersea domain, or the sea surface domain.
Rear Admiral Barrett: When we look at cyber and information as a battle space or an information warfighting space, it is new ground for a lot of people, and it’s a bit of an odd duck where they don’t understand how it integrates and goes across everything. So that’s a challenge to make people understand, like for information warfighting effects how you can achieve those, both offensively against an adversary and also from a defensive perspective like the cyber security review discussed. So it’s an education from the ground up.
So for example at the Naval Academy now, all the Naval Academy students have to go through certain cyber security training within the course of their normal education. In our A schools and some of the schools where we use to train our enlisted folks and civilians, they’re getting cyber security training. We have annual cyber security training. There’s awareness programs, things like that. But we could do more. And that’s what the report gave us some good examples of things that we could do to even make that more on the forefront.
Then you have to hold people accountable. I don’t think we’ve had a good track record necessarily of holding people accountable when they do stick that USB thumb drive in a computer and now we’re got a virus. Right?
So when we deal with codes and cryptographic codes, we hold people accountable. If you screw that up, there’s a consequence there. So there needs to be a similar mentality as well for accountability at the most junior level to the most senior level that is everybody’s responsibility. Just like operational security, like OpSec.
Mr. Muradian: Obviously the cyber security [stuff], when Slapshot Carter, who’s Superintendent of the Naval Academy. Vice Admiral Carter. Worked very, very hard to put that kind of regimen in. And there are those folks who say that don’t we need, whether we need a national from elementary school on up standards in order to help everybody, because all of our information is also a collective challenge.
Talk to us a little bit about adversary, inasmuch as you can, how this, that it’s a very evolving threat. It includes state actors, it includes great powers, it includes regional powers that are problematic. Like North Korea actually has a remarkably good game on this. The Iranians are on it. You look at terror and criminal organizations as well.
Talk to us about this evolving space and how everybody, whether they wear a uniform or not should be thinking about this space given that I may come under personal attack in the network because I have an important job in the national security establishment. So they might not get everything, but they want maybe that key information, the hotel hacks and everything we’ve seen.
Talk to us about how, what the threat picture looks like and how people need to think about it for their own security but also the security of the nation.
Rear Admiral Barrett: The environment’s getting increasingly complex, but what it’s also doing is it’s a great leveler. If I’m a hacker and I can buy a tool off the internet for nine bucks that allows me to hack and get route access and all these other kinds of things to do bad things, and I don’t need to be an expert to operate that anymore, that’s a great leveler of capability. I don’t need to build a $13 billion ship if I can affect your ability to do your mission and interrupt your warfighting by hacking or by stealing information or something like that.
So there’s pieces that are definitely concerning, and we have to be aware of what are the things that are out there. We always have to think in terms of how we can use the capability against an adversary. We’re not going to just take the first punch, and how they might use that against us. So you have to have people who are thinking through operational scenarios, how that might affect traditional lines of warfighting or those kinds of things. How it might affect our SCADA, our ability to protect our critical infrastructure. And then you take a step back as well and think about okay, so if those capabilities are out there and if they’re ubiquitous, you have to assume someone’s going to use them for some bad behavior. You can’t do what we call the cardinal sin of operational planning is assuming away an enemy capability, right? You can’t do that. You have to assume someone’s going to use it. So you have to have your defenses ready just in case it happens so you’re resilient, so you can fight through the hurt. You may lose something here, may lose something there, but it won’t stop your mission.
So the way we architect and try to build our systems is to make sure that we can fight through whatever hurt, because there will be some sort of hurt, whatever that happens to be.
Mr. Muradian: Talk to us about Compile to Combat, which is a remarkably breakthrough way of thinking about the problem, especially if you’re going to be operating in a contested, electromagnetic uncontested cyber environment.
Rear Admiral Barrett: Compile to Combat in 24 Hours is the Navy’s transformational effort to modernize how we deliver content and applications and data between the ship, our warfighting platforms, and the shore. We have to communicate between those. So there’s things we had to fix there. How we move the information over satellites and how the information are developed so we can move them faster.
So no longer will we have big monolithic old applications. We’re doing what you would think of on your smart phone, it’s the kinds of things you would see on your smart phone. Smaller bits of code that you download from the app store, for example. That’s the kind of thing that we want our sailors at sea to be able to do is to get that code just as fast as you might on your smart phone so that things can happen at a much higher rate. So when new technology comes out, when new capability is developed in the commercial world, we can quickly leverage that, throw it on our infrastructure, and we’re off to the races.
Mr. Muradian: One last question. Two questions.
One, when it comes to industry some of the biggest breaches we’ve seen have happened, unfortunately, because companies have been targeted. Sometimes maybe smaller companies in that chain that still have access to some of that highly classified information. Are we doing a good enough job in terms of telegraphing, enforcing, on the industry side the standards we expect companies to meet for security of some of the nation’s most important information? Once you learn a secret, you can’t unlearn it.
Rear Admiral Barrett: Absolutely. And the Navy’s been leading the charge of all the joint communities in doing this. So there’s things that are being pushed to change regulations, like the DFARS regulations, to tighten that up. But the Navy took a bold step last year, Under Secretary Geurts and the U.S. Navy, to make sure that we tightened up the language that we use in contracts about how that information needs to be protected from our industry partners, and we worked with them on developing that policy because we want to make sure it is indeed executable and it will secure the information more appropriately.
They have the same challenge we do. They want the information secured just as badly as we do.
So in a world where things are going to the cloud, are getting disbursed, our networks are no longer just what we’re concerned about. It’s our information, wherever it is. It’s our industry partners and the work we’re doing with them and being on the cutting edge of implementing a little bit stricter controls and better ways of doing business to protect that will help us.
Mr. Muradian: Last question. What keeps you awake at night? Is it the cyber Pearl Harbor as some said, or rather the creeping, slowing attack? And what actually allows you to sleep well at night when you think about what we’re doing right? Sort of a yin and yang question.
Rear Admiral Barrett: Melatonin helps me sleep well at night. No. [Laughter].
What keeps me up at night is the attack of our SCADA, our national infrastructure, critical infrastructure. That is a concern for me. And I know Department of Homeland Security and others are working very hard on that. That’s a tough, hard, monstrous problem. Because the second and third order effects of that are quickly catastrophic.
The other piece that concerns me is the manipulation of information, information operations. So no longer does someone have to take down your network. If they change the calculus of decision-making because they’re changing information, how it’s perceived. We saw that during the election and other things. Even the graphics that can make it look like someone’s saying something they’re not. You know, the first story that’s out is the one that’s going to stick and you can forensically go back and say oh, a month later, that wasn’t it. They actually did a, you know changed the video and made it look like he was saying that. It won’t matter. In today’s world, that happens in an internet second, and we have to be prepared to determine and to make sure that the way we’re using the information is good, and the way that we understand our adversaries are going to use it against us is not going to be good. We have to be able to understand that environment and the complication of the internet of things. Everything is going to be connected whether you want it to or not.
So the issues of privacy and things, I just see that that’s going to increasingly become challenging for people to say I expect my privacy, but then I want all this technology, because it’s not going to happen.
Mr. Muradian: Ma’am, thanks very much. Your statement reminded me a little bit of what Bob Work, Deputy Secretary Work used to say. I sleep like a baby. I wake up every two hours screaming hysterically.
Rear Admiral Barrett: There you go. That’s right.
Mr. Muradian: Thanks so much for your time. I really appreciate it, Admiral Barrett, and look forward to continuing the conversation. Thank you so much.
Rear Admiral Barrett: Thank you very much. I appreciate it.