Can a New Information-Security Approach Save the Navy $1B a Year?

SAN DIEGO—The Navy and Marine Corps have been experimenting with a new cyber approach in hopes of tightening defenses, delivering services faster, and saving money.

Currently, certifying a system ready to go—what’s called the authority to operate process—takes an average of 17 months, costs the service $1.1 billion annually, and doesn’t even ensure tight security, said Aaron Weis, the Navy Department’s chief information officer.

“I could tell you things that we can talk about here that have led to programs of national importance that were horrific in cybersecurity, some of the worst cybersecurity I have ever seen in my 32 years of doing this. And when confronted, a program office says, ‘But I have an ATO',” Weis said during a presentation at the AFCEA West Conference. 

The Navy CIO recently released a Cyber Ready plan, based on the 2020 information-superiority strategy, to harden defenses in six ways: using cloud platforms and services, implementing a zero-trust security framework, making data ready-to-use for analytics and decision support, monitoring cybersecurity daily, and consolidating redundant IT systems and applications.

The key is introducing continuous monitoring for cyber vulnerabilities, Weis said.

That will “put people on a path where they're attaining and retaining the equivalency of an ATO on an ongoing basis,” Weis said. 

The plan will start with pilot programs for new Navy and Marine Corps capabilities.

“We're going to be learning on an ongoing basis. So as we put a platform into a Cyber Ready ATO, especially these first several, we're going to learn a lot and we might have to go back and re-swizzle how we think about some of the things in practice,” Weis said. “Eventually we have to identify a path for how a legacy three-year ATO makes a transition to becoming a Cyber Ready ATO.”

“This is something that we're going to grow through. But if we do this, I'll tell you what. We're going to put the Department of Navy head and shoulders above” the federal government in its approach. 

Weis said operational technology, such as weapons and logistics and industrial control systems, could also benefit from continuous cybersecurity monitoring. But such a change will take time. 

“There are people who sit in buildings at major defense suppliers who have ATO in their job title. That's an entire construct that we're going to have to channel and…it is a process that we have to take people through to help understand how they're going to be useful in this different way,” he said.

Weis said his organization has been communicating with the Navy secretary and undersecretary, Fleet Cyber Command, and Marine Corps Forces Cyber Command; they also plan to talk with leaders at the DOD’s chief information office, National Security Agency, and U.S. Cyber Command “to update them on where we are.”

But the Navy CIO said he’s worried that Cyber Ready could die “by a thousand cuts” because it  requires sustained, complex coordination.

“It's easy to drag down good ideas, you know, into the water. And so keeping the momentum keeping the, kind of, the dream alive around Cyber Ready,” he said. “The other thing I worry about is that we'll get help. And sometimes, help is not always useful.” 

Weis said that while he’s briefing the necessary stakeholders, he doesn’t want help from Congress or the Pentagon: “What we're looking for is to continue to move, agilely, to iterate, to learn.”