In an exclusive interview with ExecutiveBiz, Richard Etter, the Navy's Senior Information Assurance Officer, discusses the future of US Navy cybersecurity. With the new administration's increased focus on green IT and cybersecurity, the Navy is attempting to virtualize and update its equipment to perform in real time. Etter also discusses what the Navy needs from the private sector, as well as his prediction for US cybersecurity in the next two years.
ExecutiveBiz: What cybersecurity capabilities is the Navy working on?
Richard Etter: In the Department of the Navy we're working on many cybersecurity initiatives. One example is we're looking at how we might re-engineer our demilitarized zones (DMZs) to improve our layered protection on our unclassified networks and leverage the DoD DMZs. Another example is we're working with DoD to implement stronger logon functionality by introducing cryptographic logon, or CLO, for classified networks. We want to work our way toward more advanced capabilities and these initiatives are fundamental to the future. We are making progress with the Navy Marine Corps Intranet because it is our most structured and disciplined environment. Some of the future capabilities we are looking at for the Department of the Navy include advanced network access control; the capability we have today for network access control is not proactive and we must become more proactive. Being more proactive means we have to be able to act/react more real time. Our network access control must be integrated with other capabilities like enhanced antivirus and antispyware technology and next generation intrusion protection systems. Additionally, we must recognize the impact of the virtual environment. Going virtual is one way we are achieving green IT, but we have to better understand inherent risks with virtualization. Another area that we are looking at is advanced forensics capabilities, looking at user behavior and determining the distinction between “normal” and “abnormal” behavior on the network, and establishing trends that would tell us when we're trending toward abnormal behavior and enable us to be more proactive about it. It is important to complete these initiatives so that we can build toward future capabilities that give us a more holistic real-time, proactive capability in defending the networks within the Department of the Navy.
ExecutiveBiz: What Information Security advice would you give the government contracting community?
Richard Etter: The best advice I can give would be to understand the challenges facing specific departments and agencies. For instance in the Navy one of our challenges is the difference between the ashore and the afloat: it's a lot easier to roll out capability ashore than it is afloat. IT infrastructure afloat is not as uniform and contemporary as you might find in a shore facility for a range of 300 platforms, 300 ships, so contractors must recognize that there is a different set of challenges for the Navy. Understanding not only the needs but the environmental or practical challenges is essential in implementing a solution for that particular environment.
ExecutiveBiz: What's the balance between privacy and national security in cyberspace from the Navy's perspective?
Richard Etter: Our goal is maximum appropriate sharing and appropriate use of information, with the appropriate security associated with that information in order to assure the privacy of the information. In the Department of the Navy, we've learned a lot from Barry Johnson's book Polarity Management. It's about identifying and managing what some would consider unsolvable problems. As opposed to saying you have to have complete sharing at the sacrifice of security or security at the sacrifice of sharing, the idea is that we get the maximum benefit of doing both, and in this case we will benefit from secure sharing of information.
ExecutiveBiz: What will the future look like in cyber security two years from now?
Richard Etter: I believe it won't look much different. For there to be significant change within the next twenty-four months there needs to be significant change in the degree of awareness across the leadership within the Department of Defense and the Department of the Navy. Cybersecurity may have more attention and it may be in a higher priority status but I'm not certain that it is getting due consideration in spite of the fact that we are at war. The onus is on the cybersecurity community to explain and justify the fact that cybersecurity warrants more resources, otherwise we are going to have much slower progress than necessary, given the importance and the ties to our national and economic security.
ExecutiveBiz: What is something most people don't know or realize about cyber security that surprises you or should be well known?
Richard Etter: Outside the discipline, there is the lack of understanding about what constitutes adequate security for cyber assets and information. This happened just a couple of weeks ago in a meeting: a senior person says ‘Why don't we just put a password on it and then that will be secure?’ This person sincerely thought that was sufficient and did not comprehend that a password was essentially of no value. When we were talking about a higher degree of protection and security for the particular subject matter they did not realize that something as trivial as a password was useless, hence my belief that two years from now we'll be in the right direction but I don't think that we will be much further downstream than we are. I hope I'm wrong, and if I am it will be because the decision makers making resource tradeoff decisions understand the cybersecurity issues we're facing. If I'm not wrong, it will be because we've not been successful making our case. Human nature is such that we sometimes tend to trade off that which we are less comfortable with and cybersecurity might be that uncomfortable issue.