The Navy is coming to terms with the notion that giving its systems the redundancy they need to fight through cyberattacks will cost more money.
The notion of “fighting hurt” is not new. However, the Navy is shifting its thinking toward spending more so that its infrastructure can push through adversary feints.
“One of the things we need to think about … whether it’s critical infrastructure or even IT systems, is how do we build those more like we look at building a warship than just an enterprise IT system,” Chris Cleary, principal cyber adviser for the Navy, said during a panel at Defense Talks Thursday hosted by DefenseScoop. “Those things are going to cost money. If I’m going to build defense critical infrastructure designed to withstand adversary activity, it’s going to be some unique design characteristics that are going to have some unique costs associated with it. I think that’s a realization the Department of the Navy, the Department of Defense needs to come to if we want to have things that are truly survivable.”
Cleary pointed out that traditional platforms are designed to withstand attacks given that they’ll be in contact with adversaries.
“Arleigh Burke-class destroyer is not a [commercial-off-the-shelf] piece of equipment. It is a specific mission-built piece of hardware designed to deliver effects on an adversary and actually sustain damage,” he said. “Sustaining damage, fighting hurt is a design characteristic of that ship, of that platform. All our weapons platforms, from tanks to airplanes all have certain survivability things built into them because they will be engaged.”
The Navy is readying a cybersecurity strategy, which encompasses three core tenets: secure, survive and strike.
The survive portion requires the Navy to be more resilient, Cleary said.
In order to achieve that, there needs to be a workforce component in addition to baking in greater resiliency.
“When we think about things, systems, when they have to be fought hurt, is there an additional workforce that needs to come online,” he said. “Is there a general quarters component of an IT system or defense critical infrastructure that when it’s at a certain condition of readiness, it requires additional whatever you want to put behind it, whether it’s people or technology to sustain it.”