By Lieutenant Commander Derek Bernsen, U.S. Navy
August 2022 Proceedings Vol. 148/8/1,434
The Navy is currently the least capable military service for cyber operations and security. While the first computer network attack capabilitiesoriginated from the Navy in the 1970s and 80s, the service has since backslid into mediocrity. Even the House Armed Services Committee (HASC) has noticedand included provisions in the draft 2023 National Defense Authorization Act to force an overhaul of Navy cyber.
The problems in Navy cyber communities and commands—and with its cyber concepts—result in a negative feedback loop. The Navy does not have sufficient cyber capabilities and forces, and instead relies on joint and other services. The Navy is also the only military branch without service-retained offensive cyber units—without which cyber personnel have limited ability to show their value to the fleet. Because of this, Navy leaders are left wondering why cyber is important to Navy missions, and how to integrate cyber into existing capabilities. This leaves Navy cyber sidelined, unsupported, and unable to directly integrate into Navy warfighting capabilities beyond joint operations. Our maritime adversaries understand cyber as a key component in warfare, so it is imperative the Navy fix the feedback loop stemming from these areas.
Problems with the Cyber Community
The Navy’s undervaluation of and apathetic approach to cyber has created a negative feedback loop within its community. Structural community issues (as I explained in my earlier article here) showcase a community struggling to grow.
Recent naval investments in cyber have been theater at best. For example, creating the cyber operations major at the U.S. Naval Academy (along with a $143 million cyber building), while preventing midshipman completing the cyber operations major from commissioning as cyber warfare engineers (CWEs). In 2022, the Academy only graduated four midshipmen skilled enough to be selected as CWEs—all computer science majors. Only two of those four were permitted to become CWEs. The others two were initially forced into surface warfare and aviation communities. A third was later allowed to become a CWE due to a medical disqualification. Meanwhile, the Marine Corps selected seven Naval Academy graduates for its cyber community, and the Army selected 40 West Point graduates for its cyber community. This was after Congress was told in 2018 that the Navy’s investment at the Academy would yield 30 CWEs each year. Thus far, there have only been six.
The Navy’s actions have made it clear that it would prefer to have computer science and cyber operations majors fill arbitrary billets in warfare communities unable to meet their retention requirementsrather than do what they were trained for—protect U.S. interests in cyberspace. While not all graduates would want a cyber career over another operational community, clearly those that endure the rigorous CWE accessions process desire such a career and are placed elsewhere.
No Real Cyber Commands
Compounding personnel problems, Navy information warfare community (IWC) commands are not structured to support cyber. Unlike their counterparts in the other services, such as the Army’s 915th Cyber Warfare Battalion, Navy units do not conduct offensive cyber operations. While Chief of Naval Operations Admiral Michael Gilday recognized this discrepancy and called for service-retained cyber forces and capabilities in the form of tactical cyber units, the Navy has yet to establish one. While the Navy does have a few dedicated cyber protection teams conducting defensive operations, it lacks any Navy personnel conducting offensive cyber operations for Navy missions. This feeds a perception among Navy leaders that cyber is a joint mission and that the service gets little to no benefit for supporting joint offensive cyber operations. Anything the Navy does to improve its cyber training and manning pipeline will not contribute to the Navy’s mission.
Navy Cyber Warfare Development Group (NCWDG) appears to be the exception, but it is plagued by similar joint issues. The name “Cyber Warfare Development Group” may lead readers to believe that NCWDG is solely cyber focused. But NCWDG is a multifaceted monster. Its components have competing responsibilities including research and development, acquisitions, special technical capabilities, and coordinating work with all national level agencies for not just cyber, but for all cryptologic functions. Additionally, NCWDG is responsible for planning and executing U.S. Title 10 (defense) and Title 50 (intelligence) information warfare and cyber operations, is a force provider to the cyber mission force, and operates the Navy’s signals analysis labs.1 It is simply doing too much to focus on cyber. On top of this, because the NCWDG commander must be an acquisitions professional, it is rarely led by someone with relevant cyber operations expertise. NCWDG is good despite its structure, not because of it.
Problems with the Navy’s Cyber Concept
Navy strategy on cyber is shortsighted, and Navy leaders are ill equipped to develop a more forward-looking strategy. This is because the Navy has no command with a single cyber focus contributing directly to a Navy mission.
The Navy has always been slow to adapt because of deeply ingrained cultural issues, stubborn adherence to outdated traditions, and a refusal to advance its thinking. Rear Admiral William S. Sims explained this in a 1921 addresson military conservatism to that year’s Naval War College graduates. He states, “arguments in favor of fundamentally new weapons have failed except those that resulted in shedding the blood of the unbelievers; that defeat alone has been accepted as a final demonstration.” For a domain that evolves as quickly as cyber does, this culture is doubly concerning.
In addition, Navy leaders lack technical depth in the cyber arena. It has become acceptable for leaders to say “I don’t understand cyber” in Congressional hearings. In addition, because few commands contribute cyber capabilities directly to Navy missions or focus solely on cyber, few Navy leaders see the true benefits of cyber or understand how cyber operations work in a military context. Thus, Navy leaders either get their understanding of cyber operations from hacker movie stereotypes, or do not think cyber adds any value to warfighting. Clearly Navy leaders have recognized this as they recently selected yet another aviator to lead Fleet Cyber Command rather than a flag officer from the cryptologic warfare communities, despite the fact that these communities notionally lead the Navy’s cyber missions.
The 2023 Draft NDAA Proposal
Congress is clearly frustrated and has recently stepped in via provisions in the draft 2023 NDAA to force change in Navy cyber. Specifically, HASC has included language to “establish a cyber warfare operations designator . . . separate from the [CWO],” “establish cyberspace operations as a military discipline that is a separate community from the [IWC],” and prohibit non-cyber personnel from working in cyber fields. These provisions, if passed, will make a huge impact, but there is still room for interpretation on implementation. The Navy must consider how it implements these carefully or risk continuing stagnation.
If the NDAA passes with its current or similar language, the Navy must remove cyber tasks from the CWO and IP communities, allowing them to refocus on their traditional areas of expertise. While the IP community has traditionally filled cyber roles (e.g., red/blue teams, computer network defense, etc) and non-cyber IT roles (e.g. system/network administration, infrastructure maintenance, IT account management, etc), the establishment of a cyber designator, as described in the NDAA, necessitates consolidating all cyber roles in one community. The next step is to deliberately nurture its technical communities, and this can be done in one of two ways. The Navy can either make the CWE community responsible for everything cyber, or split cyber to empower the CWE community while also establishing a cyber operations officer (COO) community for less technical roles.
The all-CWE option ensures the Navy has the best cyber personnel in every role. Expanding the CWE community to take full control, responsibility, and accountability for cyber operations ensures that every CWE officer has a deep technical understanding and cyber-focused experiences, making it the best long-term solution. All cyber jobs benefit from a technical background, even if they are less technically demanding. Growing a community with a deep technical foundation will enable the Navy to conduct maritime cyber operations and develop concepts to bring it back to the cutting edge and lead in the cyber domain.
A COO community would, unlike the current cryptologic warfare community, be wholly focused on cyber and receive technical training, but would focus on the less technically demanding roles in cyber. This community would fill a large portion of cyber roles while allowing the CWEs to modestly expand, remaining an elite and lean community. This builds two communities with technical backgrounds—one focused on pushing the cutting edge and another on the less-technical day-to-day cyber work (e.g., system administration) and community management (e.g. detailing). The Navy would still need to grow the CWE community and foster a relationship between CWEs and COOs. While COOs may get enough focus to be capable in cyber, they would need to know when to call on CWEs for their technical insight. Leadership roles must be shared by the two communities. For example, a COO leadership role must be accompanied by a CWE deputy and vice versa to take advantage of their complementary skills. Failure to align these two communities would result in short-term improvement but long-term stagnation.
If given the choice, the Navy should opt for growing the CWE community and include their rigorous accessions process and strict technical depth. The potential pitfalls of a less technical COO community are too great and would result in Congress being forced to take another heavy-handed move to solve a problem the Navy will not address on its own.
New Cyber Commands
The Navy should establish new commands that focus solely on cyber. Creating service-retained cyber units whose sole responsibility is some aspect of cyberspace operations creates a foundation to build genuine expertise. Commands that already exist in this space, such as NCWDG, should split themselves into more focused commands. There is even precedent for this given Navy Information Operations Command Maryland’s split in 2017. Navy units whose sole mission is cyber are required to develop concepts and capabilities for maritime cyber—something joint and other service units have no reason to prioritize.
Eventually, cyber will need to be integrated with units across the various other Navy warfare domains (surface, subsurface, special warfare, etc.) to maximize the cross-over advantages of cyber effects. Doing so before building dedicated cyber units that regularly produce experts will not be successful. Instead, dedicated cyber units should be where cyber professionals first cut their teeth before being attached to other units to employ their expertise.
Just as the Navy does not request the Air Force’s permission to fly planes, the Navy needs its own capabilities to operate without requesting to use joint or other service capabilities and personnel. Dedicated Navy defenders will be more experienced with the Navy networks and systems. Similarly, offensive professionals would be intimately familiar with the intricacies of maritime cyber and be able to develop capabilities and conduct tailored cyberspace operations. Dedicated cyber units enable cyber professionals to command and lead these units. Placing talented cyber leaders in charge of these units will set conditions for greater capability and community growth than allowing non-cyber personnel to command.
Alternate Concept Solutions
Time is needed to grow and refine concepts. It is understandable for national and naval leaders to demand to be shown why they should invest in cyber. Yet there is a chicken-and-egg problem without the correct alignment of personnel, structures, and concepts. The Navy needs to rethink the timeline it expects to see results outside of classified spaces and what it can do to support those results. Special operations forces (SOF) are beginning to see the benefits because they have begun to invest in cyber. CWEs have already proven their potential impact with SOF at demonstrations. The impact can go beyond demonstrations, but the Navy must set conditions for it to happen.
Correctly aligning cyber communities and commands will help the Navy develop new concepts for employing maritime cyber operations. Though most cyber operations will continue to be conducted remotely, there are opportunities for conducting close-access cyber operationsthrough working with SOF or from various naval platforms. The cryptologic warfare community has had decades to develop these concepts but has failed to do so. The fewadvancements in the past decade have been led by CWEs, though naturally most are classified.
The Navy’s ability to go anywhere and maintain a significant dwell time poses a great opportunity for initial access, which is the largest obstacle to offensive operations. The Navy must embrace cyber as a domain and capability to be used against maritime targets, such as hacking enemy warships and forcing their engines to seize up or hacking foreign antiship cruise missile systems preventing them from being launched as a strike group conducts operations. Defensively, concepts for maritime cyber that must be expanded include protectingwarships from cyber attacks, decoupled and modular systems so the Navy can get rid of its Windows XP machines, and inter-ship network defenses. The Navy—and much of the government—has a scarcity mindset that regards cyber capabilities as too expensive and sensitive to ever be used. This mindset must change to empower the people tasked with developing and operating these capabilities. The Navy needs to shift its Overton window to align with the realities of cyber and embrace lower equity cyber capabilities.
Finally, the Navy must hold its civilian and uniformed cyber personnel accountable for results. It must send the message that cyber is important enough that if you fail, you will get fired.
Consequences of Inaction
If the Navy cannot prioritize cyber, then it must divest itself entirely of cyber warfare. Maintaining a mediocre cyber force is a waste, so the Navy must choose to go all-in or all-out. Divesting may force the DoD to create an independent U.S. cyber force, but that would mean the Navy would forever lack the ability to conduct maritime cyber or develop tailored cyber concepts and capabilities.
No Admiral Sims is coming to save Navy cyber. The Navy must make tough decisions to create an environment in which it can again be a top cyber player. Overhauling the responsible communities, reorganizing commands so cyber is not an after-thought, and setting conditions for refreshed concepts of maritime cyber are all critical. If the Navy does not follow this path, then it must exercise a truly drastic plan: sacrifice any opportunity to ever again be a capable cyber player and give its full support to the creation of an independent cyber service. The one thing truly unacceptable is to stay the course and accept mediocrity in cyber.
1. U.S. Navy, Navy Cyber Warfare Development Group Instruction 3120.1C, NCWDG Standard Organization and Regulations Manual (18 February 2021).
Lieutenant Commander Bernsen is a cyber warfare engineer officer who recently transferred to the U.S. Navy Reserve. He has a master’s degree in computer science from Georgia Tech and is a graduate of The Citadel.