The Task Force Cyber Awakening. If you know what that is, you probably understand the grand potential in terms of impact, and if you don't know what it is, you are probably intrigued by the name alone. Matthew Swartz led the effort, which sought to nail down the true state of the Navy's cyber posture and now — eight months after the initiative wrapped — is putting those lessons learned into practice.
Defense News sat down with Swartz after he delivered a keynote address at the C4ISR & Networks conference in Arlington, Virginia, to hear more.
Q. About eight months ago you wrapped up your stint leading the Navy's Task Force Cyber Awakening, a yearlong exercise. Can you explain the goals of that exercise?
A. Task Force Cyber Awakening started off with a simple email. It was an email from the [chief of naval operations that] asked this question: If anybody could characterize the cyber posture across all of our tactical platforms. And when we look to try to answer that question, we realized that we were unable to. We could characterize cyber risk across specific domains, and we could characterize cyber specifically for IT and traditional cyber areas pretty well. But when we started to look across all of our enterprise, we were unable to understand what the total risk was across an enterprise. Understanding that cyber presented a challenge and a risk to our capabilities, we wanted to make sure that as an organization we are working together to solve that problem, and that we needed to look at this through unity of effort and an enterprise perspective.
The goals were three. The first goal was to identify what did we need to do immediately, based on the threats that we saw, based on what we understood our vulnerabilities to be; to identify the things that we need to fix today. And we evaluated several items — almost 800 items valued in excess of several hundreds of million dollars of requirements that we needed to address — and then we applied a prioritization method to determine what were the things that we need to do right now that were most critical. Then we worked with our other partners in the acquisition world and through our budget shop to make sure that we could execute those quickly and rapidly. And we did that.
The next [goal] was CYBERSAFE. CYBERSAFE is a spin or an extension of the SUBSAFE program. But what it was looking at is our enterprise. What were the things that we needed to protect at all cost from a war-fighting perspective? So as we went forward, maintain a process and a program that could evaluate all of our capabilities to determine what were the things that we had to protect and that we need to assure through a process of procedural compliance to make sure that those things were protected at all times and that we could report on them.
We looked at that through three lenses: making sure that the acquisition community understood the requirements that we wanted to procure against, making sure that when we did buy them that we had the right assessment mechanism to make sure that they aligned to those standards and those specifications, and then making sure that we could operate them going forward. The third piece [required] looking at cyber holistically. Did we have the right organizational construct in place, should cyber and cybersecurity be an organizing principle for the Navy? If it's a new war-fighting domain and just not an enabler, did we need to look at it differently and did we need to organize around cyber and specifically cybersecurity.
The answer to that question became yes. After the 12-month task force we determined that we probably did need to look at cybersecurity, and at least for the immediate future we need to organize around this problem to make sure that we had unity of effort and that we're solving cyber problems as an enterprise and not as individual systems or programs. And then as a foundation for that what we also realized is we had a lot of great talent and expertise across the Navy enterprise and we wanted to bring them together, bring the best minds that we had together across the Navy to work and solve this problem together. That's the IT/IA — information assurance — technical advisory board, where we bring the chief engineers together to make sure that when we identify issues or concerns in this space that we're developing standards that are common across all of our platforms and all of our capabilities. So we have that underlying engineering approach to solving this problem.
Q. You have transitioned to a more operational role at the Navy. How have you taken what you've learned from the task force and rolled out initiatives?
A. It's been an interesting journey. So, 12 months ago I found myself looking at this problem from a strategic lens, and trying to be the mechanism that brought together a lot of expertise across our Navy enterprise strategically, organizationally, culturally. So I was trying to manage that and bring that cohesion together.
After this event and after we put those mechanisms in place where we identified what we needed to do, and then identified what things we had to protect at all costs, and then making sure they were organized appropriately — I moved into this operational role. So now I'm no longer necessarily involved in the strategic discussion day to day, but I'm responsible for the operations in this domain; so, making sure that the capabilities that the task force identified as a need area, that operationally those things were transitioning to us and that we could have operational effectiveness with those capabilities.
What I've seen in the last eight months [since that change] is a cohesion across the Navy enterprise where we have the chief engineers, we have the systems commands, we have the acquisition folks talking to each other. And when we identify problems we find that those cybersecurity concerns or challenges are not unique to specific programs.
As we identify those we work as an enterprise to develop solutions together and then we're able to take those solutions and deploy them across enterprise as opposed to trying to solve every problem individually across each system. So we're starting to see the fruits of that labor and we're starting to see great progress in the space.
Q. You mentioned in your keynote the human element of cybersecurity. Talk to me about what that is exactly.
A. In this journey over the last 18 months or so I think what I realized is that cybersecurity is not an engineering challenge or a technology challenge. Although there are difficulties in that space and there are solutions that we have to develop, at the end of the day what we realized is that there was an organizational, cultural issue that we need to resolve; that we needed to come together as an enterprise. And as we discovered that, I think what we realized is that technology is the terrain in which we operate and that the people are the capability. In cybersecurity the human element is important. The human element is still part of that calculus. Every day it's still a man in the middle business.
You have to have the analysts to look at the information and inform and make recommendations or decisions on what to do against specific events. We need to make sure that as we buy technology that the people are trained and able to use that technology to solve the challenges. If we buy technology and we don't have the right training mechanisms behind it then we just have technology. We don't have capability. The person is what brings technology capability, so we can get the effectiveness out of those solutions. That is the most important piece in this journey as we move forward.