Federal News Radio reports on the US Navy’s attempt to remove a layer of management bureaucracy by eliminating the previously executive-level Department of the Navy Chief Information Officer position:

A memo signed last Friday by Thomas Modly, the new undersecretary of the Navy, effectively eliminates the office of the Department of the Navy chief information officer, formerly an influential, separate position within the Secretary of the Navy’s organizational chart.

Going forward, Modly himself will take over the pro-forma title of DON CIO along with all of its responsibilities and authorities. A handful of staff will remain assigned to a restructured and downsized office, but only to handle the IT duties that federal law explicitly requires the secretaries of the military departments to perform.

The changes to the CIO role come as part of a broader management restructuring Modly directed just a few months after his confirmation as the Navy’s number-two civilian official.

The memo fully eliminates the deputy undersecretary of the Navy for management, the organization that, until last week, oversaw the DON CIO and some other functions, including its Office of Strategy and Innovation.

On the surface this sounds like a really bad idea(tm). There needs to be some senior executive leadership overseeing how the Department of the Navy handles not just information technology assets, but the associated cyber security requirements to adequately defend Navy networks.

The new arrangement appears to de-emphasize the notion that the two sea services should operate under one set of IT policies, but also reflects the realities of the different directions the Navy and Marine Corps have taken. The split was noticeable after a 2013 restructuring of what had previously been a single contract for a fully-outsourced Navy-Marine Corps Intranet (NMCI).

In the intervening years, the Navy and Marine Corps have chosen to pursue different models under the Navy’s Next Generation Enterprise Network (NGEN) contract.

The Marines have opted for a fully government owned-and-operated network known as the Marine Corps Enterprise Network (MCEN), including a cloud computing strategy that relies largely on a Marine-operated cloud computing center in Kansas City (MCEITS).

Meanwhile, the Navy has leaned toward an operating model in which it owns most of its infrastructure, but relies on the NGEN contract to perform most of the day-to-day labor involved in running its IT networks in the continental U.S.

Modly’s decision to devolve more control to the services also potentially reduces confusion about the various positions in the Navy that can lay claim to the title of CIO.

NMCI has been nothing short of an utter train wreck. It is no surprise the Marine Corps pulled out of that disaster to go their own separate, more agile way of handling IT. Not only are the Marines doing it for less cost, but the service levels have dramatically increased. I never heard a single person who was happy with NMCI.

Government owned, government operated is a far better model than allowing a contractor to come in and nickel and dime the Navy for every little thing they do. NMCI, and by extension the Overseas Navy Enterprise Network (ONE-NET), have never been truly successful. I foresee NGEN turning into the same type of disaster ONE-NET was unless there are some major modifications made to the way the contract is executed.

The Navy has done, and continues to do, things its own way compared to the rest of the US military. After all, this is the department still paying Microsoft to support Windows XP because there are too many outstanding deployments of the operating system in mission-critical areas. Rather than paying to upgrade those systems, the Navy is paying for security patches. This is just outright unfathomable. So maybe it makes sense that the Navy has opted to eliminate the CIO position because, it could be argued, they were not doing their job to begin with.

Bottom line, removing the CIO position demonstrates a lack of understanding of what role a CIO should play in a major organization like the Department of the Navy. I am extremely concerned about the direction the Navy is going and wonder what unintended consequences there will be from this change.

Why is a Hewlett Packard Enterprise Services contractor carrying a laptop with sensitive information on 130,000+ current and former U.S. Navy sailors? Just another in a series of embarrassing NMCI blunders for HPE:

Hackers gained access to sensitive information, including Social Security numbers, for 134,386 current and former U.S. sailors, the U.S. Navy said on Wednesday.

It said a laptop used by a Hewlett Packard Enterprise Services employee working on a U.S. Navy contract was hacked. Hewlett Packard informed the Navy of the breach on Oct. 27 and the affected sailors will be notified in the coming weeks, the Navy said.

There is no valid reason for an HPE Services employee to be running around with this type of data stored locally on a laptop. Why does a contractor even have access to PII data of this nature?

Okinawan prosecutors seek a four-year prison term for a US Navy sailor who raped a local woman in a hotel:

The prosecutors said in their closing arguments Monday at the Naha District Court that the actions of 24-year-old Justin Castellanos were “selfish and absolutely despicable,” and sought a harsh punishment.

The sailor, based at Camp Schwab, was indicted for raping a woman at a hotel in Naha on March 13. The victim, a woman in her 40s from Fukuoka Prefecture, was in Okinawa on holiday.

While the prosecutors said Castellanos took advantage of the state of the woman, who was asleep in a hotel corridor, his lawyers are seeking a lenient term, saying he had initially planned to take care of the woman after finding her.

I cannot comprehend “harsh punishment” and “four year prison term” existing in the same breath.

DISA has finally realized everyone is responsible for DoD cyber security rather than just the professionals:

As the pace of connectivity spurs forward, the job of protecting the networks has also expanded, often beyond the resources of the people meant to protect them. DISA Chief Technology Officer David Mihelcic said that because of the speed and adaptability of bad actors, cybersecurity has now moved to a kind of horizontal altruism that affects multiple elements of the information technology industry.

“Security cannot be the sole domain of cybersecurity specialists,” he said. “It has to be owned by everyone, to include the program managers and engineers who are developing and acquiring the system, the system administrators charged with operating the systems.

“We are going to have specialists. We’re going to have the CPTs — the cyber protection teams. We’re going to have offensive information and our cybersecurity forces as well, but cybersecurity cannot be the sole domain. We, the developers, the technologists and you, our mission partners, need to ensure that the [whole thing] is secure.

After reading a story of a man who seduced the United States Navy’s Seventh Fleet I cannot help but feel this is unsurprising:

The target was not a terrorist, nor a spy for a foreign power, nor the kingpin of a drug cartel. But rather a 350-pound defense contractor nicknamed Fat Leonard, who had befriended a generation of Navy leaders with cigars and liquor whenever they made port calls in Asia.

Leonard Glenn Francis was legendary on the high seas for his charm and his appetite for excess. For years, the Singapore-based businessman had showered Navy officers with gifts, epicurean dinners, prostitutes and, if necessary, cash bribes so they would look the other way while he swindled the Navy to refuel and resupply its ships.

The downfall of the mighty United States military will not come about because of another major military player, but sadly, by imploding due to an entitlement and “look the other way” culture.

DoD has tasked the Navy with finding a contractor capable of protecting OPM hack victims from identity theft (emphasis added):

NAVSEA expects to award the immediate contract for protection services related to the hack of background investigations data by the end of August, Leshak said. GSA originally planned on selecting a contractor by Aug. 21, though an OPM spokesman has said that schedule was “notional.”

The delays in finding a contractor to deliver protection services to hack victims have angered potential bidders and hack victims, with the latter group complaining that members of the federal and contractor community are anxiously awaiting information on whether they were affected.

Even after the contracting process is finalized and all the notifications are sent out, Congress could further complicate the situation through its own intervention. A Senate committee has unanimously backed a provision to give hack victims 10 years of credit monitoring and identity theft protection services. A bipartisan pair of House lawmakers introduced a similar measure last week, while a Democratic leader in the lower chamber has endorsed lifetime credit monitoring.

Always remember: DoD uses lowest bidder.

As if having personally identifiable information stolen was not bad enough, the US Navy now says fingerprint records were also compromised in the recent devastating OPM breach:

The Department of the Navy (DON) has sent a notice to more than 436,000 active duty personnel and reservists, as well as over 195,000 civilian employees, warning that data compromised in the recent breach at the Office of Personnel Management (OPM) also included fingerprint records.

“The interagency team has now concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases,” said Thomas W. Hicks, performing the duties of the Under Secretary of the Navy.

“This includes 19.7 million individuals that applied for a background investigation, and 1.8 million non-applicants, predominantly spouses or co-habitants of applicants. Some records also include findings from interviews conducted by background investigators and approximately 1.1 million included fingerprints.”

Late last week, OPM announced the results of the interagency forensics investigation into the second known security breach at the agency involving federal background investigation data, increasing the confirmed number of current, former, and prospective federal employees, military members, and contractors impacted by the breach.

“If an individual underwent a background investigation through OPM in 2000 or afterwards, it is highly likely that the individual is impacted by this cyber breach. If an individual underwent a background investigation prior to 2000, that individual still may be impacted, but it is less likely,” Hicks said.

As more forensics and analysis are completed on this attack, expect further bad news before we start hearing anything good come out of this breach.

FCW on Navy cyber security challenges posed by spear-phishing and software patching:

“Every single sailor on board any ship still poses a potential risk to that network” when they establish a secure socket layer (SSL) connection to an outside website by, for example, checking Facebook, Bondura said. “Once that SSL connection is established, we cannot see – that whole DOD architecture that’s built there – cannot see what’s coming down that encrypted pipe.”

The broader act of phishing, which is less discriminate in its target, is apparently a Defense Department-wide problem, judging by a memo DOD Chief Information Officer Terry Halvorsen sent Pentagon employees in March. “Phishing continues to be successful because attackers do more research, evolve their tactics and seek out easy prey,” the memo said.

The Navy has a sprawling IT footprint. Securing all of it, absolutely, from cyber threats may be infeasible, so the service has set about prioritizing threats via a five-year plan it released in May. That plan drew on lessons learned from “Operation Rolling Tide,” a months-long operation begun in August 2013 to drive Iranian hackers off of the Navy Marine Corps Intranet, the service’s massive internal computer network.

Phishing is the most popular attack vector for malicious actors simply because humans are the weakest link in the cyber defense chain. It is so easy to fool unsuspecting users, especially given the increasing sophistication attackers bring these days, that there is no need to use cliché hacking methods to compromise networks.

All it takes is for one user to open a malicious PDF attachment exploiting any of the myriad Adobe Acrobat vulnerabilities, and your network is now phoning home to a potential nation-state command-and-control server without your knowledge. This is the type of problem not only the Navy faces, but every network. Better cyber defense tools are not the answer; increased cyber security awareness and user accountability are necessary to help mitigate this problem.
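As an added illustration, not part of the original post, the following Python script shows the kind of static check a mail gateway or an analyst can run on a PDF attachment before a user opens it, looking for the active-content features (auto-run actions, JavaScript, program launches) that Acrobat exploit documents rely on. It also handles two tricks that defeat a naive keyword grep: hex-escaped name tokens such as /J#61vaScript, and objects hidden inside FlateDecode-compressed streams. The two sample PDFs and the URL in them are constructed for this example and are not real documents.

```python
import re
import zlib

# Names in a PDF may use #xx hex escapes (e.g. /J#61vaScript), a common way
# to slip past naive keyword scanners; resolve them before matching.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)

# PDF features that can execute code or reach out to the network on open.
RISKY_NAMES = {
    b"/JavaScript": "embedded JavaScript action",
    b"/JS": "JavaScript code or stream",
    b"/OpenAction": "action runs automatically when the document opens",
    b"/AA": "additional actions triggered by page or field events",
    b"/Launch": "launches an external program or file",
    b"/EmbeddedFile": "file attachment carried inside the PDF",
    b"/SubmitForm": "sends form data to a remote URL",
    b"/URI": "reference to an external URL",
}

def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes in name tokens so obfuscated keywords match.
    Applied to the whole buffer; binary data containing '#xx' is altered too,
    which is harmless for keyword matching."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes) -> bytes:
    """Return the concatenated contents of every stream zlib can inflate.
    Exploit payloads and whole object dictionaries are routinely hidden in
    FlateDecode streams, so scanning the raw file alone misses them."""
    out = []
    for body in _STREAM.findall(data):
        d = zlib.decompressobj()  # tolerates trailing newline before 'endstream'
        try:
            out.append(d.decompress(body) + d.flush())
        except zlib.error:
            continue  # not Flate-encoded (image data, corrupt stream, ...)
    return b"\n".join(out)

def triage_pdf(data: bytes) -> dict:
    """Static triage of a PDF attachment: count risky features, give a verdict."""
    if not data.startswith(b"%PDF-"):
        return {"is_pdf": False, "findings": {}, "verdict": "not a PDF"}
    text = normalize_names(data) + b"\n" + normalize_names(inflate_streams(data))
    findings = {}
    for name, meaning in RISKY_NAMES.items():
        # A name token ends at a delimiter, so /JS must not match /JSX etc.
        hits = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", text))
        if hits:
            findings[name.decode()] = {"count": hits, "meaning": meaning}
    script = "/JavaScript" in findings or "/JS" in findings
    auto = "/OpenAction" in findings or "/AA" in findings
    if "/Launch" in findings or (script and auto):
        verdict = "block: script or program runs without user action"
    elif findings:
        verdict = "review: active content present"
    else:
        verdict = "clean: no active content found"
    return {"is_pdf": True, "findings": findings, "verdict": verdict}

# Constructed sample inputs (not real documents): a minimal benign PDF and one
# whose auto-run JavaScript action is hidden in a compressed object stream
# under a hex-escaped name. The C2 URL is a placeholder.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
_HIDDEN_OBJECTS = zlib.compress(
    b"1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.launchURL('http://c2.example.invalid')) >> endobj\n"
)
MALICIOUS_PDF = (
    b"%PDF-1.5\n"
    b"4 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
    + str(len(_HIDDEN_OBJECTS)).encode()
    + b" >>\nstream\n" + _HIDDEN_OBJECTS + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("malicious", MALICIOUS_PDF)):
        result = triage_pdf(doc)
        print(f"{label}: {result['verdict']}")
        for name, info in result["findings"].items():
            print(f"  {name} x{info['count']}: {info['meaning']}")
```

Run against the malicious sample, the raw file shows nothing suspicious; only after inflating the object stream and resolving the escaped name do /OpenAction, /JavaScript and /JS surface, which is exactly why signature tools that grep the file as-is miss these attachments. This is a triage aid, not a substitute for the user awareness the post calls for: a PDF with no active content can still carry a malformed font or image that exploits the reader.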

NextGov reports that the US Navy is seeking industry assistance in finding strong measures to protect its drones against enemy hacking attempts:

The Navy says it’s not sure what kind of cyber threats its drones, sensors and missiles are up against. That’s because aerial weapons systems were not expected to become part of the so-called Internet of Things, the present-day entanglement of networked appliances, transportation systems and other data-infused objects.

So, the Navy has kicked off a project to collaborate with outside scientists on research and development that will help protect the branch’s flying munitions from hackers, according to the agency. A key aim is to ensure assets can bounce back in the event of a cyber strike.

As the military becomes more and more educated on the need to build security from the inception of a new capability, we will see bids and requirements like this. It only makes sense to integrate security from the very beginning rather than duct-taping it on later.

Mark Pomerleau from DefenseSystems on NAVAIR bolstering cyber defenses for weapons systems:

In a recent Broad Agency Announcement, NAVAIR’s Cyber Warfare Detachment (CWD) said it is interested in research and development efforts “to fill the gaps in cyber warfare capabilities for NAVAIR weapon systems to achieve the CWD strategy,” described as “secur[ing] weapon systems able to survive and exploit cyber warfare.”

CWD—which develops and assesses cyber warfare capabilities—is mainly interested in the connectivity vulnerabilities from system to system. “[T]his BAA solicits R&D, not to simply apply IT solutions, concepts and underlying business environment assumptions, but to address cyber issues for weapon systems in a system of systems warfare environment with often intermittent or indirect ‘connectivity’ to other systems,” the request states.

Weapons systems are an often overlooked area for cyber security control sets. While technologies such as application white-listing are deployed as part of HBSS (DoD’s Host Based Security System), they see only limited use on weapons systems because the prevailing assumption is that if a weapons system is not connected to the network, it is not vulnerable.

That assumption could not be farther from the truth. Such a system is still vulnerable; as the BAA itself notes, these systems have intermittent or indirect connectivity to other systems. The likelihood of compromise is lower than for a device permanently connected to a network, but it is not zero, and the consequences of a compromised weapons system are far worse.

Sean Lyngaas of FCW reports the DoD CIO is finally coming to the realization that there is a need to start cracking down on the poor cyber hygiene of DoD employees:

Defense Department Chief Information Officer Terry Halvorsen is taking a no-holds-barred approach to DOD network users with sloppy cyber habits.

The Pentagon’s top IT official “is drawing a line in the sand and saying enough is enough. If you don’t comply, you are not on the network, you are off,” David Cotton, deputy CIO for information enterprise, said at a May 20 cybersecurity symposium at George Mason University.

The DOD CIO’s office is developing a more data-rich template for assessing “cyber hygiene” – the prevalence of basic security practices such as decent passwords – across the department, Cotton said. The goal is to give department leadership a consolidated view of basic network vulnerabilities.

According to Cotton, various components of the department are currently graded on criteria that include the security compliance of operating systems and responses to data breaches. Halvorsen gets weekly briefings on those assessments, Cotton added.

The new approach is designed to meet a cyber hygiene challenge that is “just eating our shorts,” said the retired brigadier general.

In my experience, the worst offenders – those with the so-called worst cyber hygiene – are the senior military leaders. They have this sense of entitlement, believing they are above the law and should be able to do whatever they want on the network simply because of their status and position. While potentially true to some extent, it does not excuse the additional, unnecessary risk to an increasingly dangerous cyberspace, especially with China reportedly compromising military networks.

In one instance, I worked for a USMC General who wanted his personal iPod connected to a military computer attached to an unclassified military network. He directed the IT team to download videos of BYU football games – his alma mater – and sync them to his personal iPod connected to his government computer with iTunes installed. Someone signed off on this as an acceptable risk, not because it was acceptable but because the authorizing official did not have the cojones to explain the risk to the General.

Hopefully DoD CIO Terry Halvorsen’s initiative here can change this mindset.

Acting as if this is something new, Reuters reports the Secretary of the Navy is paying attention to cyber threats:

The U.S. Navy is working hard to improve the cyber security of its computer networks and weapon and communications systems, while bracing for potential attacks on power grids and fuel supplies, Navy Secretary Ray Mabus said Wednesday.

Mabus said cyber warfare was a clear threat given Russia’s use of cyber attacks before its physical invasions of Crimea and Georgia.

“We’ve got to pay a whole lot of attention to this,” Mabus said at an event sponsored by Defense One media group. “Cyber is in everything now. It’s not just weapons systems. It’s in every system because we are so networked.”

Mabus confirmed recent media reports that the Navy was looking at replacing IBM servers used for its Aegis combat system after International Business Machines Corp’s $2.1 billion sale of its server division to China’s Lenovo Group Ltd last year.

“If there’s a danger or potential danger with a platform, you’ve got to take a look at that,” he said.

The Secretary of the Navy should not even have to mention something as obvious as the need to pay strict attention to cyber threats. This should be day-to-day standard operating procedure for the entire military, not something that just dawned upon them last night while drinking at the local bar with their buddies.

What is important here is that the Secretary of the Navy – and most of the top leadership in the Navy – now have visibility on cyber security and understand the consequences poor practices will have on the service. It has taken years to get to this point, but military senior leaders are finally realizing what DoD cyber security professionals have been telling them for years: take cyber security seriously or else.

AP on the USS George Washington, the US Navy’s Japan-based aircraft carrier heading home and set to be relieved by the USS Ronald Reagan:

China’s aircraft carrier ambitions demonstrate the continuing importance of the mammoth ships in the western Pacific, a senior U.S. Navy officer said Monday, as America’s Japan-based carrier began a long journey home.

A symbol of American power in the Pacific, the USS George Washington left the U.S. naval base in Yokosuka, south of Tokyo, its home port for the past seven years. It will be replaced by the USS Ronald Reagan, a newer version of the same ship.

“Everybody asks whether the aircraft carriers are obsolete,” Navy Rear Admiral John Alexander said at a dockside news conference before the ship departed. “I would say when other countries are building an aircraft carrier, they’re doing it for a reason, and the fact is you can actually have a bigger influence in the region.”

The USS Ronald Reagan will arrive at its new homeport in Yokosuka, Japan later this year, in autumn, and will become the flagship for Carrier Strike Group Five.

Navy Public Affairs on Commander Tenth Fleet releasing its updated strategic plan for 2015-2020 outlining its goals for leveraging cyberspace as an operational war-fighting domain:

U.S. 10th Fleet (FCC/C10F) released its updated strategic plan, May 6, during a media roundtable at the Pentagon.

Vice Adm. Jan E. Tighe, commander, FCC/C10F, met with members of the media to discuss the plan and the Navy’s way forward in the cyberspace domain.

“A lot of work had been done since our inception in 2010 and the world has changed – gotten a lot more dangerous. The cyberspace domain is changing on a daily basis,” said Tighe in explaining the reason for the update. “First and foremost [the plan is] a way to organize our mission and to begin to measure if we’re making sufficient progress in each of our goal areas.”

Tighe outlined her five strategic goals: operate the network as a warfighting platform, conduct tailored signals intelligence, deliver warfighting effects through cyberspace, create shared cyber situational awareness, and establish and mature the Navy’s Cyber Mission Force.

The FCC/C10F Strategic Plan 2015-2020 (Warning: PDF link) is a 28-page PDF file covering the goals, the planning for achieving the goals, FCC/C10F’s vision and mission, and how the organization will execute this plan. The document is fairly comprehensive and demonstrates that the Navy is taking cyber operations seriously.

In the coming days I plan to read through this thoroughly and offer some analysis on the strategy.