Every new Navy warfare community initially has struggled to be accepted by the “Real Navy.” Culturally, naval officers of all stripes have had to prove their worth during engagements at sea, but today’s approximately 70 Navy cyber warfare engineers (CWEs) have not yet done so. While CWEs are restricted-line officers like their counterparts in the other Navy information warfare communities, there are no CWE sea-duty billets.
Some creativity will be required to carve out sea-duty roles for CWEs. Fleet employment of CWEs will be an incremental progression from limited at-sea applications to broader, more complex missions. Absent this progression, the Navy risks underusing these few skilled personnel. CWEs should be conducting impactful naval cyber operations, even if that means embarking them in places in which traditional unrestricted line officers are not currently operating. As such, the perfect place to start sending CWEs to sea is on board Military Sealift Command (MSC) ships.
They Hack, Build, and Fight
Currently, Navy CWEs perform a range of cyber operations and engineering disciplines, including research and development, vulnerability analysis, testing, software engineering, network engineering, malware analysis, and cyber operations. While it is hard to compare CWE cyber expertise with that of other Navy cyber professionals, CWEs’ unique accession pipeline and training set them apart.
The CWE accession process involves coding and solving cybersecurity challenges in addition to technical interviews. While these are common practices for similar civilian roles, the exercise-based screening process is exceptional within the Navy. CWEs are sent through a training curriculum focused on high-end coding skills before tours with cyber research-and-development teams. Their operational accomplishments are notable—albeit largely non-public—despite fewer than a hundred CWEs having served over the community’s decade of existence.
CWEs are capable of coding or modifying software and hardware in a tailored, risk-controlled manner. These coding and “hacking” skills are fundamentally agnostic to “defensive” or “offensive” applications, and—if expertly applied—provide strategic benefit to joint and Navy forces alike.
Senior CWEs advise Navy leaders about the platform-level risks of adversary cyber actions and capabilities. This requires both providing risk assessments regarding the operational technology (OT)-related cyber impacts and developing mitigation and recovery plans for sophisticated cyberattacks.[1]
Such cyber capabilities, operations, and advice usually are the products of lab-based research. As such, labs have thus far been the primary CWE operating environment. While it is not impossible—and sometimes better—to conduct this testing in the real world, lab-based development and mission rehearsals remain standard CWE practices.
Why Not on Navy Ships?
Cyber warfare engineers have been employed at sea on rare occasions, typically in support of exercises or capability demonstrations. A principal challenge in employing CWEs afloat is that on most Navy platforms authorizing even minor hardware or software modification involves complex bureaucratic approval processes. For example, in the case of passive monitoring of an existing shipboard network device, the Navy program office responsible for the device will likely require the respective system command (SysCom) warfare center to issue a study, which will then be reviewed by the respective type commanders (often more than one), and by at least the fleet N-6 staffs as well as Fleet Cyber Command in Fort Meade, Maryland.
In practice, each staff element has pocket veto power, with no single commander able to approve on-platform cyber actions outright. Thus, a preparatory, low-to-no-risk action for a notional CWE mission on a Navy warship—the operational risk equivalent of merely manning a boat deck prior to small-boat operations—involves navigating a monstrous bureaucratic labyrinth requiring no fewer than ten stars’ worth of flag officer approvals. Such a process can take nine months, even if the preparatory cyber action itself lasts only seconds.
Furthermore, cyber actions involving meaningful degrees of risk to OT or cyber-fragile systems likely will necessitate lab-based testing and rehearsals to satisfy the concerns of these organizations. This testing ideally is performed at the few SysCom warfare center labs or defense contractor-owned facilities operated on a fee-for-service or contract basis in support of normal life-cycle sustainment tasks. Cyber testing supporting afloat cyber operations is not what these facilities are intended to do. As a result, proving that a proposed cyber action will not have unintended consequences when executed afloat requires months of additional operational lead time and significant funding.
Therefore, CWEs bring stand-alone systems to most afloat exercises and remain completely disconnected from a ship’s actual systems and networks. These systems are “hacked” and then removed following exercise completion. During a portion of Trident Spectre 2020, for example—the first afloat exercise in which a CWE was the officer conducting the exercise—stand-alone bridge systems and engineering control components were temporarily installed on the M80 Stiletto and subsequently cyber attacked by shore- and sea-based forces. Cyber operations on in-service systems and networks were expressly forbidden in this and nearly every other Navy afloat cyber exercise.
There exists no viable approval path allowing CWEs to exercise their unique skills on Navy combatants. The Navy is not organized or equipped to enable “hacking” from its ships, aircraft, or submarines, regardless of purpose and lack of risk. Sending CWEs to sea on Navy ships before first resolving these impediments would be of little use.
The Broader Maritime Cyber Battlefield
As far as great power competition cyber battlefields go, MSC ships and networks are effectively the front lines. For 21st-century Navy operations, the risk of ceding MSC’s cyber terrain to adversaries is existential. MSC’s employment of commercial-grade operational technologies allows for ready interoperability with international ports and a civilian merchant marine and reduces shipbuilding and operational costs. But its commonality with commercial platforms and operational practices also means it inherits their cyber vulnerabilities.
The rise in cyberattacks against the maritime transportation sector has been significant. As a recent maritime logistics publication noted, “A spike in malware, ransomware, and phishing emails during the pandemic helped drive a 400 percent increase in attempted cyberattacks against shipping companies through the first months of 2020.”[2] MSC’s alignment to U.S. Transportation Command underscores this challenge.
Despite these challenges, CWEs are the perfect experts to defend strategic sealift, combat logistics, and MSC’s other priority missions. Embarking CWEs on board MSC ships and delegating them a sufficient degree of latitude to conduct shipboard cyber operations in coordination with ship crews—with a priority on OT cyber defense—is both possible and advisable. The MSC commander, currently Rear Admiral Michael A. Wettlaufer, could approve cyber operations on board MSC ships, without the Navy’s byzantine approval process.
Real Cyber Operations
Frequent, sustained CWE operations on board MSC vessels would both enhance cyber operators’ terrain familiarity and routinize the injection of tailored cyber expertise into operational decision-making. At secure OT environments ashore, cybersecurity professionals work in close coordination with industrial operators to harden systems continually. This type of cyber defense is distinct from policy-driven periodic inspections and patching. Most maritime-specific software and equipment is built on obsolete operating systems, often exempted from Department of Defense cybersecurity standards. Embarked CWEs would support operational readiness and cyber hardening absent relevant guidance.
Furthermore, a standard defensive cyber “hunting” tactic is comparing software found on a platform with “known-good” versions of that software. This often is not possible, however, for maritime control systems and niche maritime software unique to a given ship. The potential volume of false positives—software that requires further analysis to determine whether it is benign—on a single vessel requires both expert cybersecurity triage and advanced skills, such as software reverse engineering.
Shoreside best practices involve sending suspicious software to dedicated labs for analysis, while suspending or restricting operations until analysis is completed. When suspicious software is discovered at sea, however, limited bandwidth, operational security, and operational needs favor analyzing suspicious software on board. Within the Navy, only CWEs can do so in a deployed setting.
CWEs on MSC ships also could establish and enhance the security baseline of shipboard systems and networks. This type of operational preparation of the environment (OPE) ensures advantage through conflict phase transitions, from cyber shaping to cyber effects. In the case of ships, cyber OPE includes developing platform-tailored cyber response and recovery plans. Whereas enterprise network environments—such as the Navy and Marine Corps Intranet—are characterized by common configuration guidance, common hardware builds, and (relatively) tight configuration controls that allow for common defensive cyber “playbooks,” shipboard systems and networks—especially the OT varieties—tend to evolve into unique “snowflakes” over time. This means that cyber response and recovery plans must be specific to each vessel, as well as consider the capabilities of ships’ crews. For example, vessels with larger crews may overcome some cyberattacks by shifting to manual processes requiring additional manned watches, while newer ships with more automation and smaller crews may not have this option. MSC-embedded CWEs could consider a vessel’s technical and manpower circumstances and tailor its cyber “battle plans” accordingly.
Initially, the MSC should consider funding mid-grade CWE billets at the logistics task force staffs, such as at Commander, Task Force 73 in Singapore. From there, CWEs can be embarked on auxiliary and special-mission ships according to task force commander priorities, either individually or as part of small tactical advisory teams. A senior CWE billet should be funded at both the task force and MSC headquarters as a chief cyber engineer, to vet tactical-level decisions and recommendations from the more junior, embarked CWEs and be the in-house cyber warfare advisor to their respective commanders.
In the near term, CWEs operating on board MSC vessels is the best opportunity for their at-sea employment. It was once acceptable for a naval aviator to fling himself off a cruiser while strapped into a flying machine made of linen, wood, and motorcycle parts. Luckily for those early naval aviators, they had a far less onerous approval process for building and testing catapults than what is required to install a shipboard network switch today. The 20th-century Navy benefited from nearly 30 years of at-sea aviation development, experimentation, and operations before being war-tested by Japanese forces in the Pacific. Unfortunately for the 21st-century Navy, three decades will not pass before it is cyberwar-tested.
1. Also known as “industrial control systems” or “cyber-physical technologies.” In DoD-speak, these systems are often called “platform IT.”
2. Andrew Kinsey, “Cyber Security Threats Challenge International Shipping Industry,” Maritime Logistics Professional, 11 August 2021.