A Navy cyber competition in 2019.

A Navy cyber competition in 2019. U.S. Navy / Mass Communication Specialist 2nd Class William Sykes

US Navy: ‘Non-kinetic effects’ will likely decide the next war

The service’s new cyber strategy lays out lines of effort for a new era of warfare.

What is seapower’s decisive weapon? Not missiles or torpedoes, declares the U.S. Navy’s new cyber strategy.

“The next fight against our major adversary will be like no other,” the 14-page document begins. “The use of non-kinetic effects and defense against those effects prior to and during kinetic exchanges will likely be the deciding factor in who prevails.”

It’s a bold statement, and meant to be, says the Navy’s first, and now former, principal cyber advisor. Chris Cleary, who stepped down on Tuesday, said it’s imperative that the Navy see cyber warfare as far more than networks and cybersecurity.

“It's a warfighting discipline that we should consider a core competency, and, more importantly, professionalize around,” Cleary said in an interview on his last day at the Pentagon.

Tuesday’s release of the Navy’s first cyber strategy is the capstone of Cleary’s three-year effort to unite the service’s cyber efforts—and get the rest of the service to understand their key role in modern warfare. He had been hinting at the document for months, saying that the service had put itself in “a respectful holding pattern” to make way for and align with the National Defense Strategy and other cyber strategies from the White House and, more recently, the Pentagon.

The document details seven lines of effort to help the Navy improve its cyber workforce and readiness, defend enterprise IT, data, and networks, protect critical infrastructure and weapon systems, conduct cyber operations, secure the defense industrial base, and enhance cooperation.

The following interview has been edited for clarity and length. 

How is this strategy different from earlier network-related documents?

I can't overemphasize that this is not a cybersecurity strategy. This is a cyber strategy. This is a strategy that, when you look at the different lines of effort within it, goes well beyond the blocking and tackling of what the [chief information officer] is responsible for.

And let me pause there just for a moment. The CIO was equally as engaged in writing the strategy. Some of the lines of effort were really their responsibilities…like “shift to cyber readiness” and defend the IT enterprises—those are very, very heavily weighted CIO sort of functions. 

Then you get into the next two: the infrastructure, the weapons systems, the warfighting. These are kind of new things that I've never seen, we've never seen, how these lines of effort have been incorporated into a larger document that get beyond just cybersecurity and this is just “warfighting.” 

And then this idea of conducting and facilitating cyber operations. That's a new one. We are a warfighting organization. It's not a secret that we will professionalize and develop capabilities and are obligated to present forces to the joint force and then sort of work through the ways that we're going to do what we would affectionately refer to as service-retained cyber operations—cyber you're gonna see from the fleet or cyber you're gonna see through a Marine Expeditionary Unit. Those are things that we never really talked about before. 

So when you take the whole thing of cyber—again, it covers that spectrum of “everything you need to fix my computer” to “deliver effects when directed in a time of place of our choosing to degrade adversaries’ freedom of maneuver.” And then it gives the folks in the department the ability to point back at something and say, “The secretary signed this out.” Some of these things we were struggling with, but now we have something to map back to. So this is not just good ideas anymore. It's based all the way up to the present United States direction through the National Security Strategy, mapping all the way down to how we're going to try and do it as a department.

How does this relate to last year’s Cyber Ready guidance?

Directly. The Line of Effort No. 2 is completely mapping to cyber readiness—that is, the Cyber Ready initiative…overseeing the implementation of that throughout the department, and now it's incorporated into a larger strategy.

Are there goals and milestones to make sure the Navy gets there? 

All of these strategies are as good as the implementation plans that come after them. The Department of Defense just released their cyber strategy not too long ago, and we are in the process now of working through the implementation plan at the OSD level to get after that strategy. Now, the good news is: lots of things of that strategy are sort of backed up by what we're doing. So it's not at all redundant; it's very cooperative.

That said, one of the things I was stressing with the secretary on my way out is, you know, cyber, up until recently…it hasn't been solidified as a core competency of the Department of the Navy. That's not to say there are not things that we are aggressively getting after through Fleet Cyber and Naval Information Forces and contributing components to the cyber mission force. Zero trust, identity management Cyber Ready…artificial intelligence, machine learning, our own data initiatives. Those are all now being brought into one thing, but it's still a little messy right now.

Once we embrace cyber as a core competency alongside surface warfare, subsurface warfare, Marine expeditionary warfare, Navy Special Warfare—once cyber is seen in that lens as equal to the rest of these, things will then naturally begin to fall into place. All indications are we're moving in that direction. 

How has the principal cyber advisor, or PCA, job changed in the past three years?

In the Navy specifically, we very quickly came to an agreement. You can't do anything in the Navy without a truly empowered CIO. That is table stakes now. Where the PCA really came in, we focused on the operational significance of that, the warfighting side. Bringing attention to things that we haven't traditionally focused on: defense critical infrastructure, the cyber survivability and resiliency of weapons systems, the readiness of the mission force, the advocacy for resourcing for things like offensive cyber capabilities because we're a warfighting function—that's what the Navy does. 

Mission force readiness…in years one and two was a big topic of conversation at the time, and how the Navy was going to improve its readiness standards. And now we've moved beyond that with the creation of the cyber warfare engineer and the maritime cyber warfare officer, and Vice Adm. [Kelly] Aeschbach being completely empowered as the sole provider of the manning and force presentation back to the joint force. So we worked a lot of things out in the beginning, but it was not an easy thing to do, you know, in the first 18 months, because you're trying to deal with some really challenging issues at the same time you're trying to build an office.

The Navy built a lot of networked weapons before much consideration was given to hacking.

Once we came to the realization that these things all do have vulnerabilities, there were efforts put in place to sort of get after the remediation of those. There's two programs of note: the SABER program, which is this initiative to get after the cyber survivability and resiliency of things at sea, and the MOSAICS effort, which sits ashore. Some things are so old…you have to come up with new capabilities to secure them. Other things that are brand new should be built with cyber survivability and resiliency as a key performance parameter right out of the gate. 

The Constellation-class frigate is a perfect example of this. That is a brand-new ship and cyber survivability is something that is being designed right as we lay the keel down. They understand that it has to be watertight, it has to float, and it has to be cyber-secure right out of the gate. It doesn't mean the adversary is not going to figure out ways to do that and get around it. It doesn't mean that you don't need to build boundary defense around these things, but they're going to be built better than they were built 20 or 30 years ago. 

Working with the [Pentagon’s acquisition and sustainment organization] through the cyber strategic cybersecurity program is one of the ways we get after that. As that program got online, the PCAs were sort of seen as the cheerleaders within the departments to help A&S do what they needed to go to. Because the weapons systems they were looking at covered all the services. Everybody had some weapon system that was designated as a strategic weapon system. Because ultimately, it's the joint force that requires these things to be delivered and delivered securely. The services required to man, train, and equip these things.

The PCA was really in the middle of making a lot of that happen across all the services: Wanda Jones-Heath for the Department of the Air Force, Michael Sulmeyer and before him Terry Mitchell, for the Department of the Army. We've all really always gotten along very, very well. We all contribute to these programs. We all think these things are important. And I think that was one of the good stories about the PCA organization. Because we started kind of as a joint community and ensured that we maintain those relationships the whole time.

What are you most proud of and what advice do you have for your successor?

The creation of the cyberspace superiority vision followed by the cyberspace strategy. Some of these things have never existed and it was really taking this discussion well beyond cybersecurity and really making it cyber—warfighting, resiliency. In doing that, we were able to elevate things like weapons systems and defense critical infrastructure security. Because those things have always been done, but they've sort of never bubbled to a level where it got the attention of the Secretary of the Navy. These have the Secretary of the Navy's attention now and I think the PCA helped connect those. We didn't do the work; there's offices within NAVSEA, NAVAIR, and NAVFAC that are doing the work. We just helped connect the efforts of these organizations to the real decision-makers…and champion their causes. 

For whoever comes in, you know, behind this behind me…you gotta be a true believer. Because there's still some questioning on its relevancy and its capabilities and its credibility within the space. But the more true believers there are that understand that the very nature of warfare is changing and you know, the non-kinetic side of this is more and more important moving forward. You really need somebody to kind of go to the mat to advocate a champion for these things. And that's what I'm hoping for the person that comes in behind me.