Troy M. Johnson is the director of the Navy’s Cybersecurity Division, in the office of the Deputy Chief of Naval Operations (DCNO) for Information Warfare (OPNAV N2N6F4).
Mr. Johnson served on active duty for 22 years in the U.S. Navy as a Cryptologic Officer and Information Operations (IO) Planner. He became a member of the federal civil service in 2004 and was appointed to the Intelligence Community Senior Leadership Corps in 2012. Johnson’s service to the Navy and Department of Defense has spanned more than 30 years.
Mr. Johnson responded to questions in writing in September.
Q: At the Sea Air Space Exposition in May, you talked about the lessons learned from Task Force Cyber Awakening. You said the “cost of adding resources for every individual solution is unaffordable… Instead, we should focus on mission prioritization, recovery and fighting through.” So how does the Navy ensure successful mission execution in the face of persistent cyber threats?
A: The key to mission assurance is resilience. In traditional warfighting areas we work hard to design, operate and maintain our capabilities in a way that assesses and expects risk and then plans for it. In this way, we are able to “fight through” unplanned circumstances whether they are the result of adversary action or not. Similarly, we are designing, fielding, operating and maintaining our capabilities for cyber resilience which, in turn, supports mission assurance. We must be ready to “fight through.”
Q: The Navy stood up the CYBERSAFE program to assess and provide maximum reasonable assurance of the survivability and resiliency of critical warfighting information systems and platforms. As CYBERSAFE is modeled after SUBSAFE, which is the rigorous submarine safety program begun after the loss of USS Thresher in 1963, is the Navy following SUBSAFE’s rigor? Has the CYBERSAFE model been accepted across the Navy and fleet?
A: We are building the CYBERSAFE program in a deliberate manner to ensure that we maintain the necessary rigor. SUBSAFE has enjoyed decades of success by limiting the universe of items that it applies to and then insisting on significant rigor in how those items are built and maintained. We are starting with the same approach and adapting it to the cyber realm.
Q: In May you explained that your team is writing technical standards specific to the Navy based on the National Institute of Standards and Technology Cybersecurity Framework to measure performance. You said the IT/IA Technical Authority Board has completed 20 of 48 standards signed, or being reviewed. What is the status now of the number of standards issued?
A: The technical standards are actually being written by a collaborative group consisting of representatives from each of the chief engineer groups within our systems commands. This body is chaired by our Information Assurance (Cybersecurity) Technical Authority and the technical standards are issued under that authority. The exact numbers vary depending on how you define standards and count them, but it is fair to say that we have more than half of our planned technical standards signed and are quickly transitioning to implementation and enforcement. The systematic use of the various standards is telling us how close we are for each standard and whether we need to modify and update the standards.
Q: One of the products your team developed is the cyber resilience framework in which you said Navywide risk will be measured in accordance with the technical standards. How often will the Navy assess cyber resilience — is this an ongoing assessment or periodic review?
A: We already measure risk in many other areas at many levels of the Navy and cyber resilience will be no different. We measure differently and at different periodicities at the various levels based on how the information is used. For instance, at the Navy HQ level we are constructing a way to periodically measure the Navy’s strategic cyber resilience posture whereas a local command would frequently measure its own specific ability to “fight through.”
Q: In ensuring a resilient communications and network infrastructure, is it still possible to be agile and innovative in providing the fleet and warfighters assured communications?
A: Agility and innovation are achieved by planning to be agile and innovative. We are working to design our capabilities and their sustainment to be agile. In other words, the equipment and our processes must both be designed with the expectation that we will be agile in our communications.
Security and resilience are both necessary and they go hand-in-hand with agility. In other words, these two sides are not in opposition. Good security means better resilience, which implies better agility. Innovation is a matter of planning for change and designing in the ability to change quickly. The same argument applies to innovation as well since the traits that allow innovation also allow agility.
Q: In view of the Office of Personnel Management data breach, some experts are recommending the federal government adopt the “zero trust” model for authentication, where users inside and outside the organization require multiple levels of authentication and authorization to access data. Is the Navy looking at new methods of identity management to prevent insider and outsider threats?
A: Access control is a key to cybersecurity and cyber resilience. The ability to know and control who is accessing which data is a central component to any cybersecurity approach. In cybersecurity parlance this is often referred to as a “deny by default” approach, which is the strongest form of access control. The key is to balance access control with the requirements of the mission in question, so the DoD is constantly searching for the right method to control cyber access in each of our many domains.
Q: Director of National Intelligence James Clapper recently said that the current threat environment is the most complex and uncertain that he has ever seen. How would you rate the threat environment facing the nation and Navy?
A: The nation faces a growing threat and the Navy is no different. Cyber resilience is about giving yourself the ability to “fight through” adversity. In a way, the approach is almost threat-agnostic. We need to keep an eye on the threat, of course, but we also need to be ready for things to go wrong.
Q: After 22 years as a naval officer and 12 years as a Navy civilian, I understand that you are taking a job in private industry. Your career path follows an example given by Defense Secretary Ash Carter where he envisions individuals moving between private industry and government innovating and learning from each other to solve our tough national security challenges. Do you think it is a model that will appeal to millennials? Would you be open to serving again in government?
A: Cybersecurity and resilience are growth areas and this presents many opportunities for the professionals who work in this area, including good chances for younger workers. Job certainty is still important but less so in today’s environment. The dynamic nature of this field seems to be one of the things that appeals to millennials. Personally, I would be open to returning to government. I am constantly searching for new and interesting ways to solve hard problems and make a contribution.
Q: Is there anything you would like to talk about?
A: I would like to close with a key thought in this new area. Cyber resilience is about giving yourself the ability to “fight through” adversity. In a way, the approach is almost threat-agnostic. We need to keep an eye on the threat, of course, but we also need to be ready for things to go wrong. This is what we do in all other warfighting areas and this area, at least in this way, is no different.