25 November 2023

Navy’s new cyber strategy aims to place a premium on non-kinetic capabilities’ role in conflict

MARK POMERLEAU

U.S. Navy Operations Specialist 1st Class Frederick Robinson, from Abbeville, Louisiana, stands tactical data coordinator (TDC) in the combat information center (CIC) during sea and anchor detail as the Arleigh Burke-class guided-missile destroyer USS Carney (DDG 64) departs Azores, Portugal after a brief stop for fuel, October 5, 2023. (U.S. Navy photo by Mass Communication Specialist 2nd Class Aaron Lau)

The Department of the Navy’s new cyber strategy, released Tuesday, places an emphasis on cyber as a warfighting domain in an attempt to change the culture of the sea services and elevate this mission area as a core competency.

The guidance, which applies to both the Navy and Marine Corps, was about three years in the making. Officials involved in the effort sought to make the distinction from past strategies and documents, which were heavily focused on cybersecurity and defense, to one that recognizes cyber is part of warfighting.

“The [chief information office] really [focuses on] modernize, innovate, defend. They’re going to do a lot of that zero trust, identity management, [risk management framework] reform. What the [principal cyber adviser] really tried to bring to this was, … ‘Hey, this is a warfighting domain and we need to figure out how to talk about this a little more openly,’” Chris Cleary, the Department of the Navy’s principal cyber advisor, told DefenseScoop regarding the strategy that his office helped craft.

“When we released the cyberspace superiority vision a year ago, it was really to focus on that. This is not just a cybersecurity exercise, this is not just a zero-trust problem. This is a warfighting domain, this is a warfighting domain to be professionalized in, and this is a warfighting domain that the Navy and the Marine Corps need to adopt as a core competency in and amongst the services. Once you’ve come to those three conclusions, then the presentation of forces, the development of capabilities, the use of those capabilities just get more and more ingrained into the service moving forward,” he said. “It is no surprise that our adversaries are continuing to advance and professionalize in this space. We need to as well.”

The strategy warns that the next fight will be like no other prior conflict and the use of non-kinetic capabilities will likely be the deciding factor. Militaries that effectively synchronize non-kinetic effects, like cyber, will have a decisive advantage.

“We need to begin to have similar conversations about sort of the non-kinetic side of what we’re expected to do in the Navy,” said Cleary, whose last day in the department is Tuesday.

The risk of not talking about these things openly, he added, is there could be capabilities that key Defense Department components never become aware of because some organizations could be excluded if conversations are reserved purely for classified environments.

“As a warfighting organization, we need to be able to speak more openly about how we would expect to leverage certain kinds of capabilities in this domain without talking about those capabilities, specifically. The ones and zeros, the kinds of things that we’re going to be going after, the kinds of aim points we have to look at — those things are all very, very good reasons, classified conversations that we won’t have publicly … [but] we really need to talk about this a bit more openly, just like we do with any other weapons system we have in the Navy or the Marine Corps, [such as] the joint strike fighter, the Ford-class aircraft carrier, the Columbia-class submarine,” he said.

The Department of the Navy has begun thinking about how it provides certain non-kinetic effects and teams to achieve the services’ goals. The Navy and Marine Corps already provide cyber forces to U.S. Cyber Command, but they don’t exert any operational control over those cyber capabilities as that authority belongs to Cybercom.

Cleary said the Marines have really led the way in developing concepts, doctrine and forces in the non-kinetic realm for what’s known as service-retained capability, primarily through the Marine Expeditionary Force Information Groups, or MIGs.

Cleary explained there will be times when true remote cyber capabilities won’t be effective against certain targets given they may be disconnected from traditional networks or access might be difficult. As such, close and proximal forces might be needed to gain access and provide non-kinetic effects.

“Sometimes on net, or traditionally wired sort of cyber capabilities may not be available to us for a variety of reasons. And the ability to gain access to targets using off-net capabilities might be the way that you have to go about doing this. And who’s better to perform that than the Navy and the Marine Corps based on their presence?” he said, acknowledging that they’re in the process of figuring out what those capabilities and forces will look like.

Over the past year, Navy officials have described the notion of fleet non-kinetic effects teams that will augment afloat forces with critical information warfare capabilities.

A Navy spokesperson told DefenseScoop that a Center for Naval Analyses (CNA) study is still ongoing to analyze operational requirements, capabilities and potential options for the teams’ construct. That effort is expected to conclude in late 2024.
Changing the culture

The new strategy recognizes a need to drive culture change throughout the Department of the Navy.

Despite being a common refrain in strategic guidance, Cleary said this is a generational issue.

“We’re in the middle of one of these sort of cultural revolutions right now, which is the idea of kinetic warfare versus non-kinetic warfare. To be honest with you, there’s still folks in the Navy that are not completely convinced that the non-kinetic warfare delivers the kinds of things that we’re promising that it can,” he said. “That is a cultural transition. Again, you could argue, there were many people that didn’t believe in the airplane in the 1940s, or the submarine in the 1940s.”

Ultimately, the strategy must be viewed by the entire force, not just those in the cyber community. Cleary explained that cyber must not be an afterthought, but integrated equally with the services’ other warfighting capabilities.

“This is the cyber strategy for the entire Navy to read and to begin to fully embrace this as a warfighting function that is integrated across all things we do in the Department of the Navy and the Navy and the Marine Corps, because all future fights are going to begin and potentially end here,” he said.

“Cyber can’t be seen as a bolt-on to what we do. It can’t be seen as something that sits next to airplanes or sits next to submarines or next to Navy Special Warfare. It has to be fully integrated into the department for it to be successful … This has to be integrated into the department, resourced appropriately, manned appropriately, prioritized appropriately. And we’re hoping that this cyber strategy begins to elevate this mission space within the department writ large,” he added.

Some culture change has already made its way into the force. Cleary noted that the Marines have included cyber when listing the service selection of midshipmen out of the Naval Academy. A few years ago, there were only two classifications: marine air or marine ground.

“About three years ago, the Marines added marine cyber to the conversation. That culturally is an amazing shift that cyber was enough of a differentiator that it would break out from marine air and marine ground and be its own thing that the Marines called out specifically, when they commissioned midshipmen out of the Naval Academy,” Cleary said. “Culturally, they’re embracing it and they’re showing that embracing through making it very prominent in the way they talk about their force: marine air, marine ground, marine cyber. That’s amazing.”

Overall, the Navy’s cyber strategy has seven lines of effort:

1) Improve and support the cyber workforce

2) Shift from compliance to cyber readiness

3) Defend enterprise IT, data, and networks

4) Secure defense critical infrastructure and weapon systems

5) Conduct and facilitate cyber operations

6) Partner to secure the defense industrial base

7) Foster cooperation and collaboration

No comments: