Sunday, June 26, 2016

VADM Hilarides coins phrase "CYBERTIGHT"


VADM WILLIAM HILARIDES, USN COMMANDER, NAVAL SEA SYSTEMS COMMAND
OCTOBER 21, 2015 


"The way we think to do that is to basically create water-tight compartments, cyber-tight compartments, create enclaves that have defined connection points, just a few connection points between the ship’s LAN and the combat system, maybe only one, between the navigation system and combat, between machinery controls and navigation, those sort of things."

Unlike it's parallel phrase - watertight - all hands can't contribute to the fight during a cyber attack to make your system cyber-tight.  The skills are far too specialized - as is the access to the cyber tools.

15 comments:

Anonymous said...

Mike,
I, a non-cyber professional, beg to differ with your statement that all hands can't contribute. Just as all hands can help set as well as break watertight integrity, the same is true of "cybertight integrity". If I fail to guard my two factor authentication, then the most dangerous threat, the insider threat, can get access to the network and violate cybertight integrity. Additionally, the cyber "experts", just like the Damage Controlmen, are part of the damage control and watertight integrity solution; they are not the whole solution. The alerted network operator (Fire Controlmen, Operations Specialist, etc) may be the first to see indications of a network intrusion and need to ask the question "what's going on, is this a network loading issue or indications of an attack?" The network traffic tools, etc, used by our cyber experts are not the only tools we have to get at this problem.
Based on discussions in VTC's and Cdr's Conferences by ADM Haney and ADM Rogers, I believe they would agree.

BMD_SWO

HMS Defiant said...

I worked as a PM at SPAWARSYSCOM for 9 years. You don't begin to understand how vulnerable systems are to intrusions but you do. You join all your contractor brothers and sisters in pretending to offer a solution.

It's why we despise people like you and all the rest. You are quite useless in the real world.

We get forced to work on NMCI and the remaining legacy networks and none of them is the slightest bit more secure for being controlled by central authority.

Reading that cyber warriors were refused permission to take down ISIS networks in Syria because 'rights', yeah, you remain netwarcom and remain the standing joke it always was.

Anonymous said...

Agree with BMD_SWO. This is not about skills that are far too specialized - as is the access to the cyber tools. Get over yourself.

Don't know about HMS Defiant's "rights" and ISIS comment.

As for NETWARCOM, some of us felt the command was beginning to get its footing when someone had a better idea to create FCC/10FLT, commands envisioned to be lean and operational focused (presumably on cyberspace operations). However, the realignment of MF&T moved legacy support and MT&E responsibilities from the TYCOM to the new command. This set everything back at least six years (the length of time FCC/10FLT has been in commission), and possibly more.

FCC/10FLT's designation as the "central operational authority" for cryptology, IO and EW is a distraction. Don’t know what central operational authority means because it isn’t defined in doctrine and its validity is suspect to me since it’s in quotes in a Navy directive. Be that as it may, however, the reality is that much of what FLTCYBERCOM performs in these areas are traditional MT&E functions that need to be transferred with resources to NAVIFOR.

FCC's strategic plan provides descriptions of its mission areas, which include overseeing IO and coordinating Navy EW for automated and reprogrammable systems. FCC is not in a position to oversee IO for the Fleet and the EW responsibilities identified are more appropriate for a TYCOM, a SYSCOM or a PEO.

Cryptology, IO and EW should be led by the Fleet Commanders providing policies and procedures, which are executed by Numbered Fleet Commanders and assigned tactical commanders, and supported by the TYCOMs. It used to be that way and it worked well. Changes a little over a decade ago reduced Fleet staff cryptologic, IO and EW responsibilities, moving them to NETWARCOM and subsequently to FCC when it was established.

As the SCC, FCC is the primary Service authority for all operations, programming, budgeting, training, policy, doctrine, and foreign relationships for cryptologic activities, and has the administrative and logistical responsibility for the cryptologic workforce assigned to NSA. The majority of the responsibilities of the SCC are TYCOM-related functions. As it was with NETWARCOM, Navy SCC assignment should be aligned to NAVIFOR so FCC can be lean and operationally focused.

Michael Junge said...

"Unlike it's parallel phrase - watertight - all hands can't contribute to the fight during a cyber attack to make your system cyber-tight. The skills are far too specialized - as is the access to the cyber tools."

Completely disagree. If anything, it's entirely the other way around. All Hands are as much if not more critical to cybertight than watertight. Cyber has more accesses, more vulnerabilities than a ship hull.

Just like we train people to close and dog water tight doors, we need to train people the close and dog cybertight accesses. The problem is for watertight, or properly called damage control, fittings we have multiple classifications for multiple reasons. Cyber all too often just wants to make everything Zebra and keep us at General Quarters. Because.

Cybertight will work when we relax things a little. When we stop requiring superlong passwords for things that don't really need protections (command slates...instructions...) we might be headed there.

What should Cyber X-Ray be? Dog Zebra? Yoke? Circle William?

Until someone puts together a system of classifications that are vetted and approved by users 'cybertight' will be just another lost concept.

Anonymous said...

Michael Junge....I like what you're saying with the different readiness levels...Infocon may not be the answer and the CyberCon that was tested may be a better step. If we are talking Mission Networks we need to ensure we don't just take the NIPR/SIPR example and go from there.
What I talked to my Net Defenders to talk to CYBERCOM about was to stop using one-off terms. If Cyber is a warfare area (I believe it is)...then treat it as such and use terms that Warfighters use.
Example: Cyber Warning and Weapon Status:
Cyber Warning Yellow / Weapons Tight. In a couple of words, I've told the Operational Commander a general idea of the threat and what my defensive posture is. Warning stands somewhat on its own but the Weapon Status would need more definition. Example: Weapons Tight is Personnel with Administrator Rights have been re-verified and their accesses reduced to the minimum number of systems. Personnel with User Rights have been re-verified and access may be switched on and off depending on time on watch, etc. On NIPR, all emails with attachments/links are quarantined until verified by the user that they are authentic and needed for operations.
Bottom Line: Operational Commanders need to be able to quickly understand their threat and operational system posture and be able to justify operationally any exceptions to the ordered status. Additionally, we need to ensure the CND Service Providers...regardless of Tier (1, 2 or 3) have a formal relationship to the operational chain of command...not truly the case today.

BMD_SWO

Anonymous said...

Agree with Captain Michael Junge - another lost concept.

andrea chiu said...

I really love your blog there's a lot to share. Keep it up.Visit my site too.

n8fan.net

www.n8fan.net

Nathalie Uy said...

Good vibes. Everyday, all day.
imarksweb.net. God Bless :)

Cynthia D. Fagan said...

Educators should raise the benchmarks of instruction and take into account the requirements of dear youngsters. They ought to understand their commitment to the general public, and ought to play out their occupation with sincerity and stir to the awareness of other's expectations.more

Thomas Venney said...

Thanks for sharing.

Thomas Venney said...

The very first step to writing an article would be to Choose a theme. You can talk about the qualities that you need which may create You currently a thriving healthcare professional later on. uc application help is the best one statement writing servie provider and I highly recommended this servie to my friends.

SK Jennifer said...

Awesome writing.

SK Jennifer said...

We won't going to get the well done as examination with different nations that have more alternatives and procedures of current instruction so we should need to proceed onward and receive the true and mechanical ways.I found good information from this site. Thanks for this post.

Joe Trull said...

You will never really going to see the congratulations simply because visit through distinctive areas which use a lot more selections and even operations in up-to-date guidance as a result we've got to want to go forward forward and even receive the authentic and even foot orthodontics options. I noticed decent tips click here created by blog. Bless you for this purpose blog post.

Bryan Turberville said...

These are the moments when everybody wants and it is really so bright moments of this organization. Everyone dream for this day and read more when it comes they did not control the tear of the happiness. This is so beautiful article.