NIWC Atlantic cybersecurity engineers are working to ensure each person involved in the lifecycle of a system understands their role in cybersecurity and is executing their duties in that role to the best of their ability. They are doing that by building a method to share cybersecurity knowledge and expertise between their various projects and teams.
“We focused our fiscal year (FY) 19 Cyber Warfare Technical Growth Area (TGA) on shoring up our foundation with cybersecurity education, training, and mentorship of several pilot projects,” said NIWC Atlantic Lead Systems Engineer (LSE) Hank Osborne. “We intend to transition the TGA efforts into what we are calling the Cybersecurity Support Cell in FY20.”
According to Osborne, the support cell will operate much like a cybersecurity consulting force made up of subject matter experts who can share lessons learned and best practices across many projects and teams. The support cell can also provide a fresh set of eyes on a project to help identify any areas of improvement that might otherwise get overlooked or deemphasized.
Much more than preventing hacking, Osborne states the goal of cybersecurity, and the support cell, is to ensure confidentiality, integrity, and availability of information needed to accomplish a mission. It can provide the ability to detect attacks and respond to those attacks by hackers. There are areas of cybersecurity that focus on recovering a system regardless of whether there was a loss resulting from hackers, natural disasters, or even a system user's unintentional actions.
Cybersecurity is a full lifecycle concern for all products delivered to the warfighter. Even systems that are purely mechanical/kinetic are designed and modeled on computer systems that need to be secure.
“You may have noticed striking similarities of aircraft produced by our adversaries compared to those the DoD has developed,” said Osborne. “We need to begin protecting information and systems using cybersecurity principles as early as possible in the engineering lifecycle and continue through to the disposal of the systems. Anyone can affect the security of a system or information regardless of when and where they are involved in the lifecycle.”
Osborne added that actions and non-actions related to cybersecurity can happen during planning, design, procurement, contracting, building, integrating, testing, installing, operations and sustainment of the system. Non-action is a big concern within the DoD, he said, because many employees have never been trained to be concerned about security to the degree the DoD emphasizes for information and information systems.
“Yes, we all get our annual Cybersecurity Awareness training, but that training does not go into the details of what each employee's role is within their project or [team],” said Osborne. “For example, there is no formal required training on the subject of supply chain risk management concerns that affect procurement specialists and industry partners who supply the hardware and software for the systems we are building.”
That’s where NIWC Atlantic Information Systems Security Officer Kaila Perry comes in. Perry works on a Program Management Office of Information Technology (PMOIT) team for Naval Sea Systems Command in Norfolk. She recently drafted a portable electronic devices (PEDs) restrictions policy for employees working in different classification areas, and she is currently working on drafting an incident response policy.
“We protect systems against threats,” said Perry. “Risks are inevitable, so we use the Risk Management Framework (RMF) tool to manage our risks in a way to be sure they’re not exploited, and our information is not compromised or lost. We set the foundation for the way things should be done here to ensure the security of the information, the facility, and the systems.”
Looking at the picture from the top down is Perry’s and Osborne’s boss, NIWC Atlantic’s Mission Assurance Senior Competency Manager Joe Henline, who emphasizes that good system security engineering and sustainment planning leads to healthier systems delivered to the warfighter.
“That helps make it easier to maintain a system's cyber hygiene/resiliency,” said Henline. “Just as it takes a community to raise a child, it also takes our community to develop and maintain healthy systems for our warfighters.”
Still, as Osborne points out, formal education alone does not fully prepare graduates for the level of detail that the DoD emphasizes in cybersecurity, which goes well beyond what is required by commercial industry.
“[That’s why] we have to be diligent and purposeful in identifying and delivering relevant cybersecurity education and training to employees in all roles throughout the engineering lifecycle, which is a primary goal that we are trying to achieve through the Cyber Warfare TGA and by standing up the Cybersecurity Support Cell,” said Osborne.