US Navy’s top cyber adviser on why the service ‘fell behind’ and how it’s catching up

SAN FRANCISCO — Chris Cleary’s tenure as the Department of the Navy’s principal cyber advisor (PCA) got off to an awkward start.

The post, created by the fiscal 2020 National Defense Authorization to give each military department a single voice on cyber, came after the Navy revamped its chief information officer and its portfolio of responsibilities.

“When the PCA showed up in the beginning, most people might have looked at it as a redundancy,” according to Cleary, who previously worked as the service’s CISO.

“Trust me, that was not lost on me.”

Today, the position is “a lot better established” and helmed the rollout of the department’s Cyberspace Superiority Vision, a two-page preamble to its forthcoming cyber strategy that stresses the principles of “Secure, Survive, and Strike.”

The Record interviewed Cleary on the sidelines of the RSA Conference in San Francisco to discuss the new mantra, how Congress has pushed the department to step up its cyber game and the future of warfare. This transcript has been edited for length and clarity.

The Record: Let’s start with the Cyberspace Superiority Vision. What is its importance?

Chris Cleary: The Cyberspace Superiority Vision was built off the idea that, when we talked about cybersecurity, that's typically where the conversation ended.

But, as a military warfighting organization, there are a few other facets we had to begin to consider. Ideas of how to make defense critical infrastructure and weapons systems more survivable to adversity activity, we had to learn to fight hurt.

We are a military organization. It shouldn't be a surprise for anyone to learn that we are doing offensive things in cyber, which is part of the professionalization of the force.

The Cyberspace Superiority Vision of Secure, Survive and Strike was the document to begin to tie those things together and explain they all need to live in concert.

TR: The department’s cyber strategy is still forthcoming. When will it be released?

CC: In good order and discipline of the department, you shouldn't get ahead of your boss. The Office of the Secretary of Defense has a cyber strategy they've been working on. I've read it.

We are ensuring that our strategy, although it's been written for a while, is in alignment with the OSD strategy. They are, for the most part.

We're in a respectful holding pattern.

TR: You participated in a panel here with your fellow PCAs where you had a lot of good things to say about the Army and its approach to cyber. What is that department doing better?

CC: It's not that the Army is better at cyber. The quality of our individual components, I would say, are on par with each other.

What the Army did, that the Navy struggled with, is they very quickly incorporated cyber culturally into the department. They wrote doctrine, they established the Army Cyber Center of Excellence, they created a cyber community. They really marshaled around this idea of what cyber meant to the service.

The Navy, we always saw cyber as something that lived within the cryptologic warfare community. We'd traditionally supported the National Security Agency, which is where a lot of cyber was born out of. The Navy, naturally, thought, ‘No, wait a minute. We've already done all this.’

What we learned in the last couple years is that cryptologic warfare [and] signals intelligence is not necessarily cyber.

Through that we have come to the conclusion, in the Navy — through NDAA language — has created a cyber career path. That's imminent. The cryptologic technician networks, that whole enlisted community is going to become cyber warfare technicians. They have and always been cyber operators. We're now just going to recognize that.

TR: You mentioned the defense policy bill. The last few have been blunt with the Navy on cyber, requiring a career designation, reports about how the service is supporting U.S. Cyber Command and other forcing actions.

CC: Yes.

We are all ears on this. What the Navy's position on that would have been is, when we created Fleet Cyber back in 2012 — the Navy was the first service out of the gate to establish that headquarters element — we very, very aggressively followed the lead of Cyber Command.

We always acknowledged that there was more work to be done. The other services just moved more aggressively out on their own plans.

TR: You fell behind.

CC: We fell behind. That’s fair. The Navy is still struggling a little bit with what cyber completely means to the Department of the Navy.

TR: Do you need more prodding from Capitol Hill?

CC: No, I think the prodding is all there. Now it's a resourcing game.

Here's where the PCA comes into the equation. We acknowledge we've got to do more cyber at sea. But with that comes the requirements for resources, capabilities, people, training.

I'm a true believer that we are witnessing the fundamental shift in what warfare of the future looks like. It's much more of a non-kinetic fight. All of our services have traditionally been kinetically focused organizations. Now we're embracing not just cyber but space, electronic warfare, information operations — the cognitive side of warfare.

TR: How long until the Navy catches up?

CC: That's a hard question to answer.

I would say that what you are going to see — very aggressively, starting in 2024 — the cyber career path. You're going to see both the officer and enlisted career paths. You will see that midshipmen directly commissioned out of the Naval Academy into these communities.

You will see the beginning of non-kinetic effects teams incorporated into afloat strike groups, cyber will not just be a Joint requirement but a fleet one as well

How long is the hard part. I don't know if i can give you an answer on how long, that said leadership is fully engaged and moving out aggressively.

But culturally, what that community needs to do is continue to make itself relevant to the overall warfighting effect that a Navy or a Marine Corps brings to the theater.

When we talk about traditional means and methods of warfare for the Navy, how does non- kinetic activity enable all of that? What you're going to see is those traditional warfighting communities — over the next couple of years — coming to the conclusion that we can't do what we do if they don't do what they do.

I need those other organizations to support my logistics, defend my comms channels, understand the electromagnetic spectrum and deliver effects. All of those things ensure my traditional combat power can show up on time, target what it's supposed to and achieve its missions.

TR: It sounds like you’re talking about more than the Department of the Navy.

CC: I continue to say this is a warfighting discipline. It's not just a cybersecurity problem.

We have to professionalize in this as an art, a means and methods of warfare that our adversaries are professionalizing and fully embracing. We have to do the same.

We have to figure out a way to talk about it more openly. We're not going to get into methods. We're not going to talk about particular capabilities. But to have this conversation in an open way is important for us to figure out how to engage with industry.

We figured it out in the defensive world. This is why we're at RSA. There's a million vendors out on the floor trying to demonstrate to the government, the commercial world, why they're here, how they've invested their own resources, to build capabilities to sell back to the commercial world and the government world to protect not only our intellectual property but to ensure the availability of key services and resources as well.