Navy begins routine cybersecurity inspections

Monday - 6/13/2011, 7:36am EDT


By Jared Serbu
Reporter
Federal News Radio

Naval personnel who have long been accustomed to the idea of being regularly examined on physical security, training, safety and a host of other issues will soon have to get used to "stem to stern" inspections in one more category: cybersecurity.

While the notion of defending data and the systems that contain it is not new in the military services, a regime of inspections focused specifically on IT security is, said Rear Admiral Ned Deets, commander of the Naval Network Warfare Command.

He said it's a program the Navy simply has not invested in until recently.

"We've never had an inspection force. We do now—nascent, but growing," he said. "We've built an inspection plan that will eventually inspect, on a three-year cycle, 900 command units across the Navy. It looks a lot like a lot of the other inspection programs we have across the Navy, like INSURV and things of that nature."

Each year, Deets said, every one of the 900 commands should expect to be subjected to some sort of cybersecurity inspection.

"We'll do an administrative inspection to take a look at your program first," he said. "Second will be unit-level training and advice and assistance to ensure that you're ready to operate in your unit, and third will be a stem-to-stern inspection of everything associated with your networks and long-haul communications, physical security included. In the Navy, we expect what we inspect, and we have never inspected in this area before."

Deets, who spoke last week at AFCEA Northern Virginia's Naval IT day, said the inspections are one step the Navy is taking to try to get its personnel to think of the service's IT systems as warfighting tools, and to treat them accordingly.

Admiral Jonathan Greenert, the Navy's vice chief of naval operations, said that mindset is still not prevalent enough in the Navy. He said while the service has no shortage of good security hygiene procedures in its rulebooks, they're too often ignored.

"The network security posture is still not on a lot of commanders' daily reports, and it really needs to be," Greenert said. "The workforce awareness is pretty low on information assurance. We still need to go in and slap people's hands, because they want to plug things like thumb drives into our computers or they want to charge their iPads. We're not really complying yet with the existing security directives, and up to nine out of ten of the exploits that we've had have been known vulnerabilities. They could have been cut off."

But even if the vast majority of the IT security problems the Navy has identified are related to conduct and culture, those two factors alone don't account for all the service's weaknesses, according to Deets. He said the Navy lacks the ability to oversee and defend its networks to the degree it would like to, in part, because there are so many of them.

To deal with that, the Navy is in the process of weeding through older legacy networks, and either shutting them down or folding them into one of the Navy's three primary and more modern IT networks.

Deets said the Navy began the project with about 1,000 networks, which it has since reduced to 348.

"That will go down further," he said. "This is one of those areas where we have to succeed. The fewer number of networks that we're attempting to manage and secure out there, the better. I don't want it down to a single network. That becomes way too easy to predict and attack. But I've got to get it down below 348. That's a hard number to manage."

(Copyright 2011 by FederalNewsRadio.com. All Rights Reserved.)

This story is part of Federal News Radio's daily Cybersecurity Update.