Federal Chief Information Officers were directed by the Information Technology Reform Act (Clinger-Cohen Act) of 1996 to address and improve information management and information technology (IM/IT) at the enterprise level.
The Secretary of the Navy established the office of the Department of the Navy Chief Information Officer in 1997 to provide department-wide leadership and advocacy in the development and use of IM/IT and to create a unified IM/IT vision for the DON as it supports the mission of the Navy and Marine Corps.
The DON CIO develops strategies, policies, plans, architectures, standards and guidance, and provides process transformation support for the entire Department of the Navy. Additionally, the DON CIO ensures that the development and acquisition of IT systems are interoperable and consistent with the department’s objectives, mission and vision.
The Chief of Naval Operations stood up the Deputy Chief of Naval Operations for Information Dominance (N2/N6) Nov. 2, 2009, with Vice Adm. Jack Dorsett as the head of both N2/N6 and Director of Naval Intelligence (DNI).
The stand up of N2/N6 was quickly followed by the establishment of Marine Forces Cyber Command and U.S. Fleet Cyber Command; and re-establishment of U.S. 10th Fleet in January. These initiatives signify cyber warfare and information management/warfare as top priorities within the DON.
CHIPS asked DON CIO Rob Carey to talk about how these recent changes affect the DON CIO’s objectives.
CHIPS: The DON CIO has been in the IM/IT business since 1997. Have the recent changes with the establishment of N2/N6, the Marine Forces Cyber Command, U.S. Fleet Cyber Forces Command and Fleet Forces/10th Fleet led to any organizational changes within the DON CIO? Have your priorities or objectives changed?
Mr. Carey: There have been no organizational changes within the DON CIO as a result of the establishment of these commands; however, we have accelerated our development of the Naval Networking Environment ~ 2016 strategy to ensure it supports the Navy and Marine Corps information management and cyberspace objectives.
Almost all of the work we do, ranging from cybersecurity and the future Naval Networking Environment, to knowledge management and enterprise standards support these commands.
So we embrace their establishment, as it underscores the importance the DON places on information and the security of that information as a crucial element of warfighting.
DON CIO, N2/N6, Marine Forces Cyber Command, U.S. Fleet Cyber Command and 10th Fleet all have complementary roles and we are working toward a common goal of enabling real-time decision making from anywhere with secure, accurate and actionable data.
CHIPS: How would you define information dominance?
Mr. Carey: N2/N6’s working definition of information dominance is: the ability to seize and control the information domain 'high ground' when, where and however required for decisive competitive advantage across the range of Navy missions. Information dominance means freedom of action to maneuver and act in cyberspace — conduct offensive and defensive actions, kinetically and non-kinetically — at the intersection of maritime, space, information and cyberspace domains. At this intersection, Navy exploits deep penetration, expanded maneuver space and information advantage to deliver warfighting options and effects.
I believe we achieve information dominance as a byproduct of a successful development and deployment of the Naval Networking Environment. We must ensure that the network architecture supports these goals, the decision making process supports these goals, the computer network operations support these goals and the development and deployment of systems support these goals.
Without changes to broad facets of our 'system,' we will only marginally increase our decision advantage. We must get to the place where we can make decisions inside the OODA (observe-orientdecide- act) loop of our adversaries… and net-centricity is the basis of this way ahead.
CHIPS: You serve as the community leader for the DON Cyber/IT workforce and develop cyber/IT workforce policies, plans and guidance, in coordination with the Assistant Secretary of the Navy (Manpower and Reserve Affairs), as appropriate, to ensure that the DON has sufficiently trained personnel in IM/IT competencies. With the N2/N6 stand up of the Information Dominance Corps, will the IM/IT workforce now become the Information Dominance Corps? Will training requirements change for the IM/IT workforce?
Mr. Carey: The Cyber/IT workforce is a key part of the Information Dominance Corps. There are other communities in the Information Dominance Corps such as intelligence, information warfare, oceanography and space cadre personnel. As the work, environment and missions change, so will training. Technical and business skills, as well as oversight and command and control skills, will also continue to evolve. The Cyber/IT workforce must constantly upgrade its skills and have the ability to adapt to changing technology and product demands through lifelong learning. Lastly, we need to ensure there is fungibility across the military, civilian and contractor communities for specific jobs because we will need flexibility and consistency across skills.
CHIPS: I’ve read comments from Navy, as well as DoD leadership, about the urgent need to develop a force of cyber warriors because the next 9/11 is likely to be in the form of a catastrophic cyber attack. How can the DON prepare for such an attack? Are there offensive measures that the DON can take to prevent such an attack from occurring?
Mr. Carey: The DON CIO made cybersecurity a key focus area several years ago. The foundation involves people, process and technology. All too often we jump to technology as the answer, but cybersecurity is not just about technology. A lot of it is about changing behavior and making people 'cyber warriors' — making them aware of possible threats and vigilant in protecting against them.
Central to this effort is ensuring that the 'defenders' of the network and its information are trained as attackers. In this way I believe we will be better able to provide mission assurance.
The DON’s computer network defense (CND) strategy is one of defensein-depth and defense-in-breadth across the entire life cycle to protect the department's information and information systems. The defense-in-depth strategy forces adversaries to penetrate multiple protection layers, thereby decreasing the likelihood of success. Our defense strategy is also about risk management — focusing our finite resources on the high payoff tools.
There are many additional efforts and initiatives underway in the DON to improve CND posture to prevent such an attack from occurring. They include the Host Based Security System (HBSS) to detect and counter against known cyber threats in real time; NIPRNET DMZ to add protection between internal and external networks; and Intrusion Protection Systems to monitor networks and system activities for malicious and unwanted behavior.
These are just a few of the offensive measures we are taking. The Computer Network Defense Roadmap we published last year goes into more detail (available at www.doncio.navy.mil). With our cybersecurityIA/CND workforce, we are developing a cadre of skilled professionals who perform IA/CND/network operations functions for our information systems and networks.
CHIPS: As the DON’s senior IM/IT (including National Security Systems), and information resources management (IRM) official, can you talk about how cyber threats have changed policies and processes within the DON regarding its networks and cyber assets?
Mr. Carey: As the threat has become more persistent and sophisticated, so have we. We’re addressing the threat holistically, which involves changing culture, conduct and capabilities. For example, we will never go back to the days of anyone/everyone using a personal thumb drive on a DON network.
This change affects culture — knowing you can't take a thumb drive you get from a conference and plug it into a military network; it affects conduct — the thumbs drives are for mission use only; and it affects capabilities — we need to be able to technically enforce this policy. Good security hygiene starts with basics and moves outward toward the edge with the deployment of advanced network tools.
We need to make security part of the culture and a command priority. We need to change conduct by ensuring we have an adequate assessment/compliance program. We need to ensure adequate capabilities; ensuring trained personnel are assigned where they need to be and that technology is utilized smartly.
Cyber threats are constantly evolving; therefore our reactions to these threats must constantly evolve. Two policy changes that we instituted in response to cyber threats come to mind. Mandatory annual information assurance awareness training was instituted four years ago to educate users on the threats, and how to identify and prevent them.
We also made cryptographic logon mandatory several years ago to improve the security of DON networks by eliminating reliance on usernames and passwords. We are digitally signing e-mails to address spear phishing and encrypting sensitive information to protect information in transit. We are now working to extend the protections of PKI and cryptographic logon to our classified networks.
In addition to training and individual precautions, we are also taking action at the network level. I mentioned HBSS earlier, and I think it is an important element in securing our networks. HBSS is a suite of integrated IA/CND tools that will enable system administrators or IA/CND operators to maintain up-to-date protection, configure/enforce protection policies, create asset baseline configurations, monitor a system’s security and compliance status, and detect rogue systems operating on the network at the host machine level.
HBSS will also provide application monitoring with both whitelist and blacklist capability. Security is an ever-evolving process as new threats are continuously emerging; however, by taking the precautions above, we significantly reduce the impact on our networks.
CHIPS: Can you provide an update on the DON CIO’s work regarding the Next Generation Enterprise Network (NGEN) planning?
Mr. Carey: The NMCI contract ends on Sept. 30, 2010, and the transition to NGEN begins in earnest on Oct. 1, 2010. However, October will not see a spike in network capability; rather we believe it will be a seamless and almost boring event. It will be the beginning of a transition with plans for continued incremental capability growth in our largest network environment. The first element of this transition is a continuity of services contract which is being negotiated with EDS, our NMCI partner, to bridge the timeframe between the end of the NMCI contract and the competitive award of the NGEN contract (or contracts).
We are working on the early transition activities (ETAs) with both the Navy and Marine Corps to lay the groundwork for NGEN. These ETAs are key enablers for the overall success of this transition to NGEN. The ETAs will establish government management capabilities, allow greater participation in operational decisions, reduce risk, help expedite transition time, and provide the foundation for full and open competition for services. Also, the NGEN Acquisition Strategy is currently in review and provides the acquisition roadmap for NGEN’s successful implementation.
The DON CIO, Program Executive Office for Enterprise Information Systems, and NGEN System Program Office (SPO) are focused on ensuring a smooth transition from NMCI to NGEN, with the goal of achieving the NNE~2016 vision.
CHIPS: Can you talk about department progress toward the Naval Networking Environment ~ 2016?
Mr. Carey: We are making a lot of progress, and there are many initiatives underway that are furthering our vision for the Naval Networking Environment. We have defined our future as:
A Department of the Navy netcentric environment that securely leverages the full range of information resources enabling rapid, on-demand, ubiquitous access to authenticated users and systems in support of the Joint enterprise environment and all Navy and Marine Corps strategic, operational, and tactical missions.
Efforts in this area include: the stand up of NGEN, Consolidated Afloat Networks and Enterprise Services (CANES), Marine Corps Enterprise Network (MCEN) and Marine Air Ground Task Force Command and Control (MAGTF C2) concept, as well as the stand up of the CNO's information dominance initiatives.
We are aggressively pursuing the use of enterprise software and hardware initiatives. We are forging a path to implementing the DoD Enterprise User concept that includes enterprise e-mail and active directory optimization — so an authenticated DON user will be able to go anywhere in the DoD, log in and be productive.
Effective use of our resources is important, and we are actively implementing green IT initiatives as a part of the NNE. As such, we are actively and aggressively reducing excepted and legacy networks and consolidating portals, data and servers.
The Information Age demands that we possess the ability to make decisions at network speed, and outmaneuver our enemies. In short, we believe we need to be able to deliver any content, anywhere, anytime to any device to arm our warfighters with necessary information. The NNE is central to everything we do in the department. And information dominance is a byproduct of NNE.
CHIPS: Department of the Navy personnel now have the opportunity to discuss and help shape current and future IM/IT initiatives using the Pulse, a collaborative Web site, sponsored by the DON CIO, for members of the DON IM/IT community. What led to the establishment of this Web site and what recommendations or comments do you hope to receive from the workforce?
Mr. Carey: I've had a blog for more than two years now, and although it has been successful and has encouraged the exchange and sharing of ideas and opinions, I wanted to take the dialogue a step further by creating a site that would provide the opportunity to engage the department more directly and candidly than possible on a public Web site.
We researched existing tools but found that, for our purposes, we would still need a degree of customization and security. My Web development team redesigned our public Web site and incorporated Web 2.0 tools a couple of years ago. So we already had the infrastructure in place to make this an extension of our public site, and we already had resources dedicated to the maintenance of the Web site. We decided to make the Pulse a Common Access Card-restricted site open to users with .mil e-mail addresses.
Since the Pulse went live on Feb. 8, 2010, 27 blogs have been posted and more than 400 members have joined. So far it is enabling the candid exchange that I had hoped for. Users are able to talk about what’s on their minds, ask questions, and get answers from knowledgeable DON personnel, regardless of their positions within the organization.
The Pulse has provided a forum for department personnel to discuss and collaborate on key information management, information technology and cyberspace initiatives, and it is providing insight into the concerns and challenges being felt across the department.
CHIPS: Is it a nonattribution site? I realize that personnel must behave professionally, but can they make suggestions or provide constructive criticism without fear of reprisal?
Mr. Carey: Yes. Members create their own usernames so they can be creative if they want to be and some certainly have been. And by all means, I want members to feel they can be open and honest in their discussions. In order for the department to get to where it needs to be, we need to know both what is working and what is not working. All opinions are welcome and considered.
CHIPS: Will you comment on the new social media memo that just came out?
Mr. Carey: The department completely supports the Directive-Type Memorandum (DTM) 09-026 issued Feb. 25 by the Deputy Secretary of Defense on the responsible and effective use of the Internet. In the past there has been confusing and conflicting guidance on the use of social media, Web-based e-mail, etc. We collaborated with the DoD CIO on the content of the memo to ensure that Navy and Marine Corps inputs were heard. The DTM is valid for 180 days from the date it was signed and is meant to clarify DoD policy and provide guidance until more permanent policy (a DoD directive) is released.
It is a very basic policy that says: (1) the NIPRNET shall be configured to provide Internet capabilities across the DoD; (2) DoD components shall continue to defend against malicious activity affecting the networks; (3) DoD components shall continue to deny access to sites with prohibited content and to prevent users from engaging in prohibited activities on social media sites; and (4) all use of the Internet shall comply with Joint Ethics Regulations. We have worked with the Navy and Marine Corps to develop DON specific guidance that is based on the DoD guidance.
CHIPS: I always look forward to talking about your recommended reading list.
Mr. Carey: My recommended reading list comes primarily from books we read during what we call our "Expanding Boundaries" seminars. I hold a quarterly seminar to encourage personal growth, superior leadership and innovation among my staff.
We read a book before the seminar and then take a day away from the office with facilitators to discuss it and apply its principles. The last one we read is called, 'Building the Bridge as You Walk on It.' It’s about people who embraced change — whether voluntarily or out of necessity — and entered the fundamental state of leadership. It shows how anyone can enter this state by putting into practice eight principles that center on integrity.
One of my all-time favorite books is 'The Speed of Trust' by Stephen Covey Jr. Right now I am reading 'Who Says Elephants Can’t Dance' by Lou Gerstner, which is about the turnaround of IBM in 1993.
Although leadership is a running theme, the topics vary and include creating a sense of urgency to effect change, creating a culture of candor through transparency, using Web 2.0 tools for mass collaboration, executing or closing the gap between results promised and results delivered, and discovering your strengths.
Also included on the list is, 'Rule Number Two' about the experiences of a Navy psychologist deployed to Iraq. I highly recommend this read to better understand the experience of a deployment supporting the global war on terror.
CHIPS: Can you discuss the DON’s greatest IM/IT challenges and successes?
Mr. Carey: One of our greatest challenges, which also became one of our greatest successes, is NMCI. The centralization of the majority of Navy and Marine Corps networks was a daunting effort that proved over time to be a success. Understanding our IT spending and getting a handle on all the legacy systems out there and getting everyone to accept and adopt this totally new way of managing desktop computing was a huge achievement.
But we persevered and in doing so we standardized our desktop computing hardware and software, reduced legacy applications, and greatly enhanced the security of our networks. As we move on to NGEN and then NNE, I’m sure there will be additional challenges, the most prominent of which remains the culture of control. But with the careful planning that's underway, we are looking forward to successes in our future networks also.
Get the latest news on your mobile device at www.doncio.navy.mil/mobile.
Join the Pulse, a collaborative Web site for the DON IM/IT community at https://www.doncio.navy.mil/pulse.