House Armed Services Committee concerned with state of Navy cyber readiness

U.S. sailors assigned to Navy Cyber Defense Operations Command (NCDOC) man their stations at Joint Expeditionary Base Little Creek-Fort Story, Va., Aug. 4, 2010. (DOD photo)

The House Armed Services Committee is pushing the Navy to create a singular and special work role dedicated to cyberspace matters and is willing to play hardball with the service to get it to do so, according to a provision in its version of the fiscal 2023 National Defense Authorization Act.

Not having such a specific role risks neglecting cyber and having a lack of institutional expertise both in the operations community and at top echelons of leadership, sources have indicated. Others argue the Navy is organized properly and the changes advocated by the HASC are unnecessary.

The Navy is currently the only service that does not have a dedicated military occupational specialty or, in Navy parlance, “designator” for cyber. Its cyber personnel are primarily resourced from its cryptologic warfare community — which is also responsible for signals intelligence, electronic warfare and information operations, among several mission sets — with additional roles resourced from information specialists and cyber warfare engineers. Cyber warfare engineers are not operators, but specialize in highly technical skills and development of tools.

A provision in the fiscal 2023 NDAA policy bill directs the secretary of the Navy to establish and use a cyber warfare operations designator for officers and warrant officers — which will be distinct from the cryptologic warfare officer (CWO) designator — and a cyber warfare rating for enlisted personnel separate from the cryptologic technician enlisted rating.

As a means of forcing the Navy’s hand, the provision prevents the service from assigning a member of the Navy to a billet within the core work roles at teams or components of the Cyber Mission Force – the teams each service is responsible to provide to U.S. Cyber Command to conduct offensive and defensive cyber operations — if a member has a cryptologic warfare, intelligence, or information professional designator in the officer corps or a cryptologic technician, intelligence specialist, or information systems technician rating among the enlisted ranks after June 1, 2024.

“For a number of years, I and the Committee have become deeply concerned by information about the Navy’s cyber efforts and particularly, the readiness of its contributions to the Cyber Mission Force,” Rep. Jim Langevin, D-R.I., chairman of the HASC subcommittee on Cyber, Innovative Technologies, and Information Systems, told FedScoop in a statement. “Across several recent NDAAs, we charged the Navy to review and evaluate potential remedies. However, the Navy has not progressed as directed, and considering a continued decline of its readiness, it became apparent that if the Navy was not going to help itself, Congress would have to step in.” 

Langevin said it’s become clear the Navy’s operating model of using its cryptologic community for cyberspace operations is broken.

“While I am under no illusion that the provision will be a panacea to the Navy’s woes, I feel strongly that the Navy requires a dedicated cadre of officers and enlisted service members for cyberspace operations,” he said. “My hope is that the language included in this year’s legislation will serve as the impetus for the Navy to understand that cyberspace operations are not at odds with the institution’s central focus on the maritime domain, but rather, are a core component. I believe that future conflicts will require the Navy to be as adept at striking and disabling an adversary’s air defense system through cyber means as it is in striking through carrier-launch aircraft and conventional munitions.”

Many inside and outside the Navy are concerned about the state of the service’s cybersecurity posture and forces as well as their level of readiness.

“It’s unusual that Congress would have to involve itself in such a directive way, which means that the service has probably been unresponsive to more subtle hints from the Congress that the Navy’s positioning [is problematic]. And it’s the difference between how the Navy and the other services handle things [that] is drawing attention,” retired Rear Adm. Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies and the executive director of the Cyberspace Solarium Commission, told FedScoop.

“I suspect that if properly implemented and received appropriately by Cyber Command, in the long term, this will proactively [and] positively address Navy cyber readiness, at least from the personnel perspective … But the Navy is years away from being healthy,” he added.

The Navy, for its part, recognizes the legislative language and said it is working on a way ahead.

“The Navy remains committed to delivering exceptional and qualified cyber teams trained, ready and certified to support the Navy and the Nation,” a Navy spokesperson told FedScoop. “We have nothing further at this time.”

How we got here

Many sources that spoke to FedScoop indicated that when Cyber Command was first created and the services were building out their contributions for the joint Cyber Mission Force, the Navy was a leading branch of the military when it came to cyber. At the time, it had a rich heritage in what was then known as “tailored access operations” at the National Security Agency, which was responsible for breaking into adversary computers for intelligence gathering purposes (Cyber Command and NSA share the same director and are closely aligned). Those cryptologic personnel were then put on the Cyber Mission Force because of the similarities between the work.

Since then, however, the Navy has, for the most part, kept the same structure in place. While all the other services eventually created specific military roles for cyber operations — in many cases, that meant a servicemember would focus on cyber for the duration of their career — the Navy didn’t.

The other services have established cyber billets and even whole career fields for cyber, in part to create greater continuity within their cyber roles and teams. What some were finding is they would spend lots of resources to train a servicemember to serve on the Cyber Mission Force, only to see them leave to either a non-related cyber job or a work role unrelated to cyber in a short period of time. Establishing a cyber field ensures those personnel remain in those roles for the duration of their career and the service isn’t constantly training new personnel to serve in these highly technical fields.

Rather than build out a cyber force from a warfighting perspective, successive Navy leaders decided to move its cyber force closer to the NSA and intelligence community rather than the fleet in line with its cryptologic roots from inception, according to a former top Navy cyber official. As the force has matured, they said, it has become apparent that this was the wrong decision and the time has come to modernize with a specific cyber designator.

Another source indicated that the Navy prioritizes signals intelligence and electronic warfare because it’s not conducting cyber operations off of ships.

Lack of expertise?

For years, many observers have been concerned about the state of the Navy’s cybersecurity with several junior officers penning op-eds decrying the lack of a cyber designator.

Many argue that relying on the cryptologic warfare community to do cyber — in addition to their other proficiencies in signals intelligence and electronic warfare — neglects cyber and prevents the Navy from developing the needed expertise over time.

“Navy cyber is a ship without a rudder. While every other service has one cyber designator, the Navy’s cyber expertise resides in three separate communities. As a result, the three communities are each plagued with unnecessary problems, and none are fully empowered or capable of leading the domain,” Lt. Cmdr. Derek Bernsen, a Navy Reservist, wrote in an article for the January 2022 edition of Proceedings, a magazine published by the U.S. Naval Institute, titled “Navy Cryptologic Warfare Officers Cannot Do Cyber.”

“To solve this issue, the Navy must consolidate responsibility for cyber, invest in the cyber warfare engineer community, and require deep technical experience for all cyber roles,” Bernsen wrote.

He contends that cryptologic warfare officers are spread too thin with other responsibilities, are too few in number and major decisions regarding cyber are made by individuals without technical expertise.

“At present, there is no incentive for the CWO and [information professional] communities to develop genuine cyber expertise and viable cyber officer career path, because doing so would require prioritizing cyber above their traditional areas of expertise. Because of this, each community invests far too little into cyber professionalization, which further undervalues cyber,” Bernsen continued. “This negative feedback cycle causes the NSA and the other military services to view the Navy as poor performers on all things cyber. Even U.S. Cyber Command recognizes this and does not list Navy CWO as a cyber officer community on its careers page (the Navy enlisted cryptologic technician rating is included).”

Sources also indicated growing concern at Cyber Command regarding the readiness of some of the Navy’s cyber teams.

In order to get promoted, servicemembers must have diverse experiences. This means they will cycle in and out of cyber roles in order to gain expertise in the other proficiencies within their designator as well as take leadership and operational roles in warfare such as the surface Navy community or aviation community.

This, some say, not only leads to a lack of expertise within the operational hands-on-keyboard force, but also at the top echelons of Navy leadership. Most current admirals in the Navy cyber community are career aviators.

“Cyber is really, really hard … You have to investigate a network, you have to do reconnaissance, you have to develop the maps, you have to figure out what’s there, what’s in the network, what software it’s using, what the vulnerabilities are, chain those with exploits, identify the effects you want to have and make sure the exploits that you have or the tools you’ve developed can actually have the intended effect,” Brandon Karpf, a Navy veteran with CyberWire told FedScoop. “If you don’t understand the technology, if you don’t have the background and the experience, the technical knowledge, if you don’t have the right make up of teams with the right training and the right people at the right time, it’s not going to happen.”

While the Navy and joint force provide great cyber training, sailors might not have the institutional expertise to lean on in real-world situations like pilots that fly a single airframe for the duration of their long careers.

“When you have a mission planner or an operations chief or a mission commander who has had four of their last five billets not in cyber and they’re currently in a cyber role and they’ve been there for six months — they went through some good training, but it’s all classroom — and they don’t have that institutional knowledge of having done this for the last five years, they’re going to make mistakes,” Karpf said.

However, others disagree on the need for a cyber-specific designator.

“Cyber effects are one element of information as warfare and the more you separate it off, the less you’re going to have a good understanding of that and the less you’re going to have a good integration of all of the information warfare capabilities,” retired Rear Adm. Danelle Barrett, who served in various Navy cyber and Cyber Command roles, told FedScoop. “Cyber effects has to be baked into all of those. And the more you separate out cyber as something special, unique — it’s a little niche community or boutique community or something — the less they’re going to be integrated in all of our lines of warfare, which is what we need. We need it normalized in all of our lines of warfare.”

Moreover, Barrett lauded the need for diverse backgrounds, especially for top leadership within the Navy and other parts of the joint force.

“You’re going to have areas where you specialize, but you also need to be both a leader and have technical expertise. It’s not one or the other. Because as you progress, we want to have a Navy officer again, like we had with Adm. [Michael] Rogers, be USCYBERCOM [commander] someday,” she said, noting they need to understand operations across the spectrum of information warfare, not just one discipline. “You don’t want an officer community or enlisted community that just is technical and does nothing but technical their whole career. If you want to advance in the military, you have to be a leader as well as a technical expert. It’s not one or the other, you need to do both.”

However, other sources indicated to FedScoop that talented cyber operators were passed up for promotions due to a lack of diversity in their work experience. Some chose to stay in cyber roles and thus were not promoted. Others who have a lot of joint intelligence and operations experience have been promoted, with some landing top cyber jobs with the Navy.

The risk this runs, sources indicated, is leaders don’t understand the technology or what could be in the realm of the possible when asking for military effects or options.

Barrett disagrees with Congress getting involved in something so specific, noting the Navy knows how it fights. She added that the Navy is currently in the midst of a study to determine how to manage a potential cyber effects officer or enlisted person.

The study, being conducted by Naval Information Forces, will be completed this summer, she said, and will identify potential gaps and seams to address and shape personnel training and retention.  

Further congressional interest

The Senate Armed Services Committee passed its version of the NDAA on June 16, but as is typical every year, the text of the bill is not made public for some time.

Sources have indicated that the SASC has also been concerned with the state of the Navy’s cybersecurity.

“As the Committee’s hearings as well as the executive summary [of the legislation] have shown, the committee is taking a hard look at the recruiting and retention of cyber forces across all services,” a spokesperson for the committee’s minority told FedScoop. “I’ll defer any further specifics to the bill when it’s released.”

According to the House bill’s language, following the establishment of a cyber designator, the Navy must submit a report certifying certain actions have taken place, to include the creation of cyberspace operations as a military discipline, a training pipeline for it, and funding. Following that report, the commander of Cyber Command must also submit a report determining if the issues addressed in the Navy’s report satisfy requirements of the command.

Cybercom enjoys unique authorities and responsibilities not typical for combatant commands. Specifically, it sets training and readiness standards that the services must meet for their Cyber Mission Force contributions, meaning there is some authority for the command to direct the Navy to take certain steps with its cyber force.