Commander, Naval Network Warfare Command Capt. Eugene Costello and Commanding Officer, Navy Cyber Defense Operations Command Capt. Douglas Powers lead frontline cyber commands responsible for operating and defending the Navy’s networks. CHIPS senior editor spoke with them March 13, 2014.
Q: Can you talk about your command missions and the assets you are responsible for and the resources you have to protect and defend them? What does around the clock operation of Navy networks really mean? What kind of tools do you use to effectively operate the network?
Costello: NETWARCOM’s mission is to maintain command and control of the Navy’s networks to the best of its capabilities in support of the Navy and joint operational forces. As the operators of the Navy’s networks we work closely with NCDOC to ensure that we are operating the Navy’s networks securely. We work with NCDOC to allow it to perform its mission set in the Computer Network Defense Service Provider (CND-SP) role securely while NETWARCOM ensures capability and availability [of Navy networks] to the end user.
NETWARCOM maintains a 24/7 battle watch to support operations by working with Hewlett-Packard Enterprise Services (HPES) and customers to identify and remediate network issues as they occur. We work very closely with HPES to monitor the health and status of the network, and our watch team is trained to issue Government Directed Actions (GDA) to the vendor which run from direction to the contractor to apply the most recently released Microsoft patches to maneuvering the Internet connections to avoid data transiting areas under tsunami threat. In addition, we maintain supervisory oversight of [the] OCONUS Navy Enterprise Network (One-Net), shipboard communications (IT-21) and the telecommunications systems for fleet and ashore operations from the watch floor.
Powers: NCDOC is the Navy’s designated Computer Network Defense Service Provider; each service has one. Our broad mission is to defend Navy networks worldwide. This includes CND, computer network defense, as well as with our cyber incident response team. NCDOC was born out of what used to be called NAVCIRT, the Navy Computer Incident Response Team. But that is the response side, to clean up or mitigate [incidents] and restore [network services]. NCDOC also provides an active defense of the Navy’s networks [that includes] live sensoring and monitoring of the network. We do that in many ways. In general, the two roles of computer network defense and cyber monitoring or cyber incident response go hand-in-hand. We monitor, analyze, protect and counter unauthorized activity.
Unauthorized activity can come in many forms; it can be theft. It could be exploitation, just for the purpose of access. It can be downloading or accessing [Navy resources]. It can be for the purpose of disruption or degradation [of networks], or worst case scenario: destruction. Our mission is to defend against all of that.
Costello: I think a key point is that NETWARCOM is responsible for the availability of the Navy’s networks, and that NCDOC is responsible for their defense. Our watch stations are collocated here in Suffolk, so we have the same situational awareness. Our watchstanders work closely in day-to-day operations and incident response.
Q: So if NETWARCOM is watching network operations in real time and saw an abnormality on a network, NCDOC would take over to provide a response?
Powers: It’s actually the other way around. So if we saw an indication of unusual or unauthorized behavior, we would analyze the data through our Mission Support System. We would analyze the activities and logs. Data comes from disparate sources – all the way out to the DoD Internet access boundary — all the way out to the different tiers of access to the actual desktop. If we see something in any of those different segments we work with the operators of those segments to mitigate and respond. So it is not a total hand-off, it’s a synergy between organizations, an integrated effort to respond. Some [incidents] involve contractual agreements, there could be vendors operating the network, which is the case in overseas networks. There could be a vendor operating the network or ship-based networks, which are owned by the Navy. We work with the IT managers in each case and with Capt. Costello’s operators to take actions to maneuver the networks. It could be a simple block and tackle maneuver to redirect the network or more serious remediation in which case we would bring the discussion up to 10th Fleet.
But whatever the response, it has to balance the impact to operations. That’s where I think the synergy comes into play. If you have someone solely focused on security, they could remove something that someone needs operationally.
Q: You mentioned vendor agreements, are they very difficult to manage?
Costello: NETWARCOM manages the NMCI, soon to be [under the] NGEN [contract], Next Generation Enterprise Network, by working with Hewlett-Packard Enterprise Services. In the instances we’ve talked about we work very closely with the vendor to operate and maintain and ensure network availability. In addition to the CONUS network, we operate and maintain the availability of the network in Hawaii and Japan, the OCONUS One-Net with NCTS (Naval Computer and Telecommunications Stations) Far East, Bahrain and Naples.
Additionally, for the shipboard networks, NETWARCOM works very closely with the NCTAMS (Naval Computer and Telecommunications Area Master Station Atlantic) and the NCTS and NOCs (network operations centers), that host IP services for afloat units. There may be a ship that is pulling IP services in the 5th Fleet AOR through NCTS Bahrain and we are monitoring for transport connectivity whether it is SATCOM connectivity for the ship or for IP services from the NOC. Doug is monitoring from a network defense standpoint to make sure there is no malicious activity on the networks of those units. We are looking at operations from a transport and network availability perspective, and Capt. Powers is looking at protection of the network.
Q: So if a ship in the fleet needs more bandwidth or SATCOM, would that be NETWARCOM or NCTAMS that responds?
Costello: The fleet actually allocates how much bandwidth is given based on the resources available. NETWARCOM manages the commercial side of SATCOM leases, but the military SATCOM is managed at the Combatant Commander (COCOM) level and their staffs and the fleet communications officers will apportion bandwidth based on the fleet requirements of the ships. Fleet communications officers follow a submission process for commercial accesses, and the experts on my staff assign fleet units to available and appropriate capabilities. Military SATCOM assignments are handled through joint agencies and are brokered through the combatant commands and their staffs.
While we follow a formal process, because we are directly interacting with the fleet, response time can be significantly reduced and we can directly interact in some troubleshooting processes. Naturally, all agencies seek to respond quickly when crises occur and that’s just what we were able to do for fleet units responding to the humanitarian assistance missions supporting the Philippine earthquake relief.
Q: Cybersecurity threats range from criminals or rogue nation-states attempting to steal intellectual property or personally identifiable information to hacktivists aiming to disrupt operations on behalf of some cause. What do you consider the biggest threat to Navy network security?
Powers: While threats from outside the network will always concern us, I believe the greatest threat is from within the network. The insider threat is real and hard to protect against outside of increased vigilance and training. The insider threat could come from a person with malicious intent, but also occurs when our personnel make poor choices by violating information assurance policy, or when those entrusted with securing the network are slow to update and patch their servers and websites. The Navy has taken a very strong stand on identifying and preventing the insider threat problem, but as always you are only as strong as your weakest link.
Q: Navy users take mandatory cybersecurity training to be able to log on to the Navy Marine Corps Intranet, for example. Do you think the current cybersecurity training regime is adequate in view of the evolving threats?
Powers: As I said, the Navy has taken a proactive stance on preventing the insider threat through training and vigilance. The vigilance piece is executed through standardized enterprise-level management utilizing a network of sensors and network information assurance compliance. Scanning of Navy networks is continuous to ensure compliance with directed security procedures that identify violations.
Costello: Leadership, as with every other aspect of the Navy, is key in ensuring that network security is a priority through all levels of the chain of command. The Defense Information Systems Agency (DISA) provides the web-based cyber security training that end users must take annually.
But there are going to be actors, whether nation states or others who are going to try to intrude on our networks. Then there are those who do not keep up with software vulnerability patches. Vendors will correct these with updates but if those aren’t being pushed out to the network in a timely fashion that increases our risk vector. You may have an unwise user who is clicking on ‘the sounds too good to be true button’ and is redirected to a malicious site. Maybe someone is trying to do something malicious, but you can also have someone just making poor choices on the network.
Powers: Those poor choices include not only someone making poor choices going to a site they shouldn’t but someone bringing in their own devices and plugging them into the network just to charge them or using a thumb drive which is prohibited. These devices can contain malware which poses risk to the network.
There is no doubt that users can pose as the biggest threat because of TTPs, tactics, techniques and procedures, through spear phishing and social engineering. We focus extensively on training beyond the baseline. NCDOC and NETWARCOM have required users across the Navy to have cyber security training. NCDOC and NETWARCOM have quite robust training specifically tailored to the network because we run the transport layer and CND.
We have another layer of training which is much more complicated and we have specific skill sets. The military and civilians who work here have additional certifications that they pursue to really understand the intricacies of different operational systems and different types of software and different operational platforms that we use to really tighten up the security.
We can shore up everything, have the latest patches but all it takes is one user to jeopardize security on the network. Cyber security is not necessarily stopping all the attacks; it takes an all hands on deck approach. Everyone has a role to play in cyber security that takes care of about 80 percent… Training helps because what we really want to focus on are the sophisticated attacks, the 20 percent, and that includes a malicious insider.
Q: What types of military and civilian positions do you have?
Powers: NCDOC has a total workforce of 400 and growing with 250 military, a wardroom of about 12 and 36 in the chief’s mess. The rates of our Sailors are Information Systems Technicians (ITs) and Cryptologic Technician – Network (CTNs). The CTNs are specifically trained on analysis, more on forensics to analyze what has been detected, which is the defensive side and really looking at the 20 percent which are the sophisticated threats. Whereas the ITs look at the CND, computer network defense of the infrastructure. They work hand-in-hand. The ITs are very familiar with the afloat networks, the overseas networks. So we have that synergy once again of the transport layer focused, the help desk, all the way to operating the network. We do have some ITs who cross over, who are the defenders that work in the sensor operations. We do have some overlap there between the forensics and threat side.
The really critical part is the 140 civilians. They are very uniquely technically skilled in web development and we have database managers to manage the aggregate data from the sensors so we can manage the mission support system so that we can get the alerts and help make the decisive response to any threat.
Costello: The majority of my military are in the IP rate, the Information Professional Officers. We have about 350 personnel in the command, of that, 200 are civilian employees. The one thing I want to point out is that NETWARCOM in its current state is looking at the tactical operations and employment of the network. NETWARCOM of several years ago was a flag-level command with the man, train and equip mission set as well.
NETWARCOM’s former mission is now split between three commands: U.S. Fleet Cyber Command/U.S. 10th Fleet, Navy Cyber Forces and NETWARCOM. FLTCYBERCOM is the Navy component to U.S. Cyber Command where they employ Doug and me as the Task Force Commander — we’re CTF 1010 and Doug is CTF 1020. They actually have a task force organizational structure.
Navy Cyber Forces is transitioning to become Commander, Navy Information Dominance Forces (NAVIDFOR) and will provide the initial infrastructure, resources and assets for the TYCOM and that will happen this year. So there are a lot of interdependencies between the three commands. But now NETWARCOM is focusing on the tactical operational employment of the networks.
Q: Threats to the network change constantly and so does technology. You both are on the frontlines of cyber defense, are you involved in recommending changes in training for your military personnel?
Powers: Absolutely. Security training in general remains a critical tool in the toolbox. But you have to make sure the user is up-to-date on the latest technology and threats too. New threats emerge on three to six months cycles. It is a challenge but we have many different vehicles to mitigate the threat. We can send naval messages, cyber alerts for something we have seen across the DoD or government to raise the level of awareness. We track vulnerability management, for example, if we find a fake website posing as a legitimate website we can send a cyber alert. We have a lot of organizations we can work with throughout the U.S. and world to manage the threat including with our anti-virus vendors. I mentioned the supplemental training, it’s critical because what we learn will be incorporated into training beyond the baseline training… It’s not the sophisticated threat that we usually encounter, it’s the kind of things that people should know that pose the most significant threats…
Q: Can you discuss some of the ways that you conduct root cause and trend analysis?
Costello: Root cause and trend analysis are used to identify areas of degradation or predict system failure. NETWARCOM identifies root causes for incidents and events on the network to identify the way ahead and to schedule system upgrades to prevent repeat incidents. Trend analysis is used to track network metrics such as bandwidth and CPU utilization at various locations. This also allows NETWARCOM to work with the vendor for system upgrades to prevent service degradation to the customer.
There is a software tool that is managed by the vendor for NGEN but there is an initiative for the Navy to develop more robust cyber situational tools.
Powers: NCDOC employs the Cyber Defense Mission Support System. CDMSS provides the mission capability necessary for the command to aggressively execute its mission, synchronized with both the Navy and overarching DoD defense-in-depth strategies. CDMSS is a system of systems that provides a continuous monitoring network defense decision support capability, displaying timely and relevant cyber defense information in an innovative manner by using a combination of traditional reports and interactive analysis tools and visualizations.
CDMSS is used to proactively defend Navy networks and can also be leveraged by the network operations community to enhance cyber battlespace awareness.
NCDOC maintains an operational watch and the necessary supporting infrastructure to provide 24/7 attack sensing and warning, incident management, malicious code reverse engineering, network and host-based forensics, and network vulnerability management aligned to a vision of aggressively executing effects-based counter cyber warfare to defeat the capabilities of an adversary from intruding or exploiting the Navy network enterprise.
Q: With the establishment of NAVIDFOR, do you foresee any changes coming to your organizations?
Powers: Not so much for us because we are at the operational level… I predict that the man, train and equip mission for NAVIDFOR is going to work much better because they will be linked closer to the Type Commander.
Costello: We are still going to be working for Tenth Fleet operating on their behalf but our administrative control (ADCON) will shift to the IDFOR, but day-to-day, our operations won’t change.
Q: With 10th Fleet located at Fort Meade, Md., and your move to Suffolk from Joint Expeditionary Base Little Creek-Fort Story has it made a difference to your operations?
Costello: Not at all. NETWARCOM operates in a distributed fashion through the NOCs and NCTAMS worldwide and coordination comes up through the battle watch to report network degradation to 10th Fleet so whether we are here in Suffolk or elsewhere doesn’t matter.
Powers: We are just a videoconference call away. This is an important point because even though cyber operations are managed centrally, they are executed in a decentralized way for 800,000 users worldwide through multiple enclaves whether it is a videoconference, a phone call, chat or email, whatever it may be, we understand the needs in distributed operations and the NCTAMS, NOCs and NCTSs are part of that.
Q: Who would you define as your primary customer, Fleet Forces Command?
Powers: The entire Navy… Many DoD users rely on Navy networks, educational institutions like the Naval Postgraduate School, that’s a .edu domain but something we defend. They are part of our excepted networks. They have their own structure but we partner with them, BUMED, the Naval War College, the U.S. Naval Academy, they are all on our situational awareness grid.
Costello: It’s the fleet users; it’s the joint users who are deriving services from our networks. When you are thinking NMCI, it’s the shore-based network in the United States and Hawaii, One-Net in OCONUS, or the IT-21 users on ships.
Q: It sounds pretty exciting to be on the frontline of cyber defense.
Powers: The NCDOC motto is ‘Cyber Warriors – Ever Vigilant.’ NCDOC defends the Navy’s unclassified and secret computer networks. Our personnel fight the ‘net’ through aggressive detection and analysis of adversary cyber operations while executing proactive defense actions to counter potential threats. A decade ago, the Navy viewed its networks as a business. Now the Navy treats information as a weapon system. Operations are 24/7 and our battle watch commanders for each task force commander realize they are on the frontline. In the Marine Corps these jobs are split out but NETWARCOM and NCDOC work side-by-side to make the decisions to ensure the network’s operation and security.
Costello: It’s kind of like telephone service; users just expect the network to be there. But it is all the things that happen behind the scenes that are in place to ensure these capabilities are available when the user needs them whether it is a computer network, a communications circuit, a telephone line, all the work that goes on behind the scenes. That is what our mission is to make available these things to the users whenever they need them.
Q: I know every warfare community has their own traditions and how they operate. Are there similar traditions in the Information Dominance Corps?
Costello: I think the Information Dominance Corps has really expanded on that a little bit. Right now there is an Intel officer who is commanding one of the NCTAMS. There is an Information Warfare Officer who is commanding the other NCTAMS. But there are also IP officers commanding a NIOC for example. I think the Information Dominance Corps has opened a lot of cross detailing opportunities where we’re really growing our experience base at a much lower level to where you can have an IDC officer that can be put into a leadership position at various levels and be competent due to the experience base they have developed.
Powers: I think the other thing that I’d add is an educational piece. A drumbeat I like to share is many people will use the terms information assurance and computer network defense interchangeably and they are different. Information Assurance is about assuring the network and tightening up the vulnerabilities you are aware of, but there may not be a specific threat against it. A threat, which we’re looking for, is someone taking advantage of that weakness. A specific actor or entity that we have detected – known or unknown. Where those converge is where we’re at. That’s the convergence of threat and vulnerability that moves it up to a higher risk. NCDOC on the CTF1020 side is really focused on the threat. We look at vulnerabilities but the main thing is the threat.
Naval Network Warfare Command – Commander Task Force 1010
NETWARCOM’s mission is to execute tactical-level command and control of Navy networks and to leverage joint space capabilities for Navy and joint operations. It operates the Navy’s networks to achieve effective command and control through optimal alignment, common architecture, mature processes and functions, and standard terminology.
NETWARCOM enhances network security posture and improves IT services through standardized enterprise-level management, network information assurance compliance, enterprise management, and root cause and trend analysis. It delivers enhanced space products to operating forces by leveraging Defense Department, national, commercial and international space capabilities and serves as the Navy’s commercial satellite operations manager.
NETWARCOM was established in 2002, with the consolidation of 23 organizations, including the former Naval Space Command, to act as the Navy’s central operational authority for space, information technology, and network and information operations in support of naval forces afloat and ashore.
In 2005, with the alignment of Naval Security Group, NETWARCOM brought the former Naval Security Group activities under its umbrella and the mission of the command fundamentally changed, making it the Navy’s lead for information operations, as well as networks and space.
The assumption, alignment and integration of Fleet Intelligence Type Commander duties, responsibilities and functions at NETWARCOM in 2008 began a measured and evolutionary process to provide a single fleet champion for ISR and positioned fleet intelligence for better and timelier support to fleet operations.
In 2009, the Secretary of Defense directed the establishment of U.S. Cyber Command and the establishment of supporting commands to USCYBERCOM by each of the services. The Chief of Naval Operations officially established U.S. Fleet Cyber Command and recommissioned U.S. 10th Fleet Jan. 29, 2009 in response to this direction.
With the establishment of USFLTCYBERCOM, NETWARCOM was reorganized and its mission revised to operate and defend the Navy’s portion of the Global Information Grid and to deliver reliable, secure net-centric and space warfighting capabilities in support of strategic, operational and tactical missions across the Navy.
NETWARCOM is collocated at the Navy Global Network Operations and Security Center (GNOSC) with Navy Cyber Defense Operations Command in Suffolk, Va.
Navy Cyber Defense Operations Command – Commander Task Force 1020
Cyber Warriors – Ever Vigilant
NCDOC is responsible for around the clock protection of the Navy's computer networks. It collaborates with other government and law enforcement agencies, such as the Naval Criminal Investigative Service (NCIS), on activities affecting Navy networks.
NCDOC is the first Computer Network Defense Service Provider (CND-SP) in the DoD to be recognized with top-level accreditation. NCDOC is designated as the Navy Level III CND-SP by U.S. Strategic Command and operationally executes its responsibilities through U.S. Fleet Cyber Command/Commander 10th Fleet under U.S. Cyber Command.
NCDOC was commissioned as an Echelon IV command under Naval Network Warfare Command in January 2006, and moved under U.S. Fleet Cyber Command in 2011. NCDOC is built upon the foundation provided by the Navy Computer Incident Response Team (NAVCIRT). NCDOC defends the networks used by more than 700,000 Department of the Navy personnel worldwide.
NCDOC is the winner of the National Security Agency 2011 Frank B. Rowlett award for Organizational Excellence. This honor is awarded to a U.S. Government organization recognized as making the most significant contribution to improving national information systems security, operational information assurance readiness, or the defense information operations posture of the United States. This award marks the first time a Navy command has received this prestigious recognition since the award was established in 1989.