Cyber threats against federal agencies, including across the Department of Defense and the U.S. Navy, are increasing in frequency, sophistication and impact, opening to attack vast amounts of sensitive data housed on government information technology systems and the nation’s critical infrastructure. These can be incredibly difficult to identify and attribute to a nation, organization or person.

Every day, the DoD thwarts 36 million emails full of malware, viruses and phishing schemes from hackers, and terrorists and foreign adversaries trying to gain unauthorized access to military systems. As new cyber threats continue to emerge and adversaries regularly diversify their tactics, cyber attacks will most likely get worse before getting better.

Over the last two decades, The Non-classified Internet Protocol (IP) Router Network (NIPRNET) has grown at speeds faster than can be monitored. Further, its rapid adoption of encrypted web traffic protocols enables network traffic to traverse multiple network boundaries without adequate levels of inspection and monitoring. Unfortunately, these advancements also create expansive ways for adversaries to deliver potentially malicious software and compromise the network.

Every year, the Defense Information Systems Agency conducts an assessment of DoD web browsing practices to determine where bandwidth is being used. In 2015, at least 45 percent of Navy web browsing was considered as likely non-mission related. The same data showed that commercial streaming sites accounted for 41 percent of all Navy bandwidth. Since the Navy spends approximately $116 million on bandwidth every year, that means $47.5 million is spent on non-mission related browsing. The network’s exposure to this unmitigated traffic can lead to increased cyber infections, lost productivity, and higher clean-up costs.

It is estimated that the Navy spends approximately $160 million each year cleaning up cyber intrusions. This cost is a compilation of network downtime, production and manhour losses, and equipment expenses necessary to perform traffic analysis, forensic analysis, mitigation, and management oversight. It does not include the cost of the actual investigation of the event. The Navy spends about $70 million more cleaning up after negligent security practices on IT systems alone.

To reduce mission cyber risk, we must first disrupt the current culture of cybersecurity across the Navy. It's not a service provider. It's not a support capability. Cyberspace is a warfare domain and the Navy needs to approach operations in cyberspace as such.

Every command, ship, and aircraft across the Fleet must create cybersecurity cultural norms and practices as part of everyday behavior that [re]enforces cybersecurity. This begins with thinking about cybersecurity more than just during our annual cybersecurity awareness training and during Cybersecurity Awareness Month. We must truly think of and treat NIPRNET as one of the Navy’s weapons systems. We must all take responsibility. Own it. Secure it. Protect it. Hold each other accountable.

Since cybersecurity is an operational imperative and not merely an IT issue, we must also disrupt cyber operational norms. Our networks are integral to Navy operations, and when NIPRNET isn’t secure and the behaviors we conduct using this system are not secure, Navy operations are compromised and could cease due to a cyber-attack from our adversaries, an insider threat attack, or a negligent security practice. The Navy must operate the network as a warfighting platform. Every command, ship, and aircraft is connected to the warfighting platform – NIPRNET – in some form or fashion. We must treat it like the weapons system it is by:

1. IDENTIFYING the attack surface – All web browsing, communications (e.g. email, chat, digital telephone, etc.), machine-to-machine interaction, etc. must be identified in order to know and understand the landscape of which we are defending against our adversaries.

2. REDUCING the attack surface – Consider restricting the platform to only .gov and .mil domains or other websites that are mission critical, also known as whitelisting. This means separating mission activities from non-mission activities, then using NIPRNET for mission-only activities and browsing.

3. TRANSFERRING the risk – Consider transferring the risk off the network using a third-party provider, limiting the user’s exposure to cyber risks. The goal is not to limit access to necessary and needed web browsing or communications, but rather, transfer the potential cyber risks off the mission critical platform. Many providers offer a capability that allows a sandboxed web browsing experience in which end users interact with websites (not whitelisted) in a familiar way, but keeps the Navy’s mission-critical platform safe from potentially-malicious and uninspectable traffic.

Reducing mission cyber risk doesn’t come without disruption – specifically, disruption to the current cultural norms of cybersecurity. Everyone must think and treat NIPRNET like a mission critical platform. Cultural and structural changes will allow the Navy to reduce mission cyber risk by reducing the attack surface for which our adversaries continue to attack every day. It also protects the network from negligent cybersecurity practices that could lead to a cyber intrusion or incident.

Cyber threats are real, and cyber warfare continues to evolve and become more complex and challenging. The Navy has a cyber warfighting platform. We simply need to treat it like a weapons system in order to defend cyberspace and our Navy’s networks and systems effectively.