Joseph Marks, Politico
26 May 2015
Today’s question for the Navy’s budding cyber warriors: What’s the easiest way for someone to fake an identity – online or in person?
“Online,” the 15 students in Lt. Augustine Marinelli’s cyber operations class respond, almost in unison. But the U.S. Naval Academy instructor pokes holes in that theory: What if someone sees you in uniform at a bar, tells you he’s a Navy SEAL and spins an incredible story? Won’t you face more social pressure to go along when you’re face to face?
One midshipman quickly agrees that hoaxes may be easier to pull off in real life: “You can fact check so quickly online” he says. “You doubt people more. You can verify things through social media ... It’s actually a ton of work to have a believable [phony] profile.”
The lesson is clear: In the new world of hybrid warfare, first impressions – whether of people or ideas – can’t be trusted.
Deception has always been a part of war. And figuring out whether the stranger in the bar claiming to be a SEAL is just a boastful drunk, or perhaps something more sinister, is far from a new problem. But in 21st century conflicts like Ukraine, where deniable cyberattacks and viral misinformation campaigns on social media are tactics in Russia’s hybrid warfare campaign, “pretexting” can be a weapon of war.
Next year, most of Marinelli’s students will be among the first cyber operations majors to graduate from the academy, having received training that includes attacking and defending computer systems through information warfare or social engineering, along with law, ethics and policy.
They will one day be responsible for protecting the Navy’s computers, ships and planes from some of the most technically proficient digital con artists on the planet. And because there are no real frontlines in hybrid warfare, they‘ll need to be able to out-think their enemies as effectively in a bar or online as on the high seas.
Beyond the new major, the academy is taking steps to elevate computer-savviness among the Navy’s young officers – reflecting the reality that any officer can fall victim to a phishing attack that infects a vital network. All students now must take an introductory cyber course that mixes technology with policy and theory, plus a more advanced class targeted at defending computer and physical systems.
The goal of that universal class is to create a generation of officers for whom cyber defense and offense is a fundamental part of their thinking – something they notice each time they sit down in a ship or plane, said Mark Hagerott, deputy director of the academy’s Center for Cyber Studies. It should be something they discuss among themselves just as they’d discus naval warfare strategy and tactics.
“They’ll be attuned to what a computer intrusion looks like,” said Hagerott, who iw set to leave soon to become chancellor of the North Dakota University System. “When they see something, they’ll know to ask: ‘Is the firewall running? When was it last updated?’ ... To me, it’s about raising the baseline throughout the Navy.”
The academy’s program mirrors a seismic shift across the military. Computers have become central to every aspect of warfare, and that makes every seaman or soldier a potential vulnerability.
“The Navy has begun to understand that cyberspace is far more than the technology that gave rise to it,” said Chris Inglis, a former deputy director at the NSA who’s now a
visiting processor teaching Naval Academy cyber courses. “It is really about the marriage of technology and people and critical process, and unless you understand what those relationships are and what the dependencies are that come out of that, then no matter what you do, whether it’s driving a plane, driving a ship ... it’s going to be held at risk.”
The mix of disciplines in Marinelli’s class responds to the changing nature of modern warfare, in which psychological operations are increasingly conducted in cyberspace. Part of the Russian strategy in Ukraine has been a splintering of Internet misinformation campaigns, creating a “wilderness of mirrors” for people attempting to find out what’s happening on the ground.
But cyberspace can also be the venue for more conventional warfare. Adversaries might spend years worming into U.S. computer systems before firing a single shot, hoping to steal tactical information or even gain remote control of navigation, communication and radar systems to thwart a real-world attack. Because attacking is easier in cyberspace than defense, this state of affairs has made the hyper-connected U.S. military more vulnerable.
A five-year strategic plan for Navy Fleet Cyber Command, released earlier this month, notes that “America’s long-enjoyed military superiority does not extend automatically to cyberspace,” adding “we will have to earn it.”
The new cyber operations major is part of a Naval Academy-wide push, dating back to 2009, to re-earn that superiority.
The academy is putting substantial resources behind the program, with a five-story, $120 million Cyber Center scheduled to be operational in 2019. The center will include a “Secure Compartmented Information Facility,” where students can receive classified briefings. All Naval Academy midshipmen receive security clearances at the “secret” level by the end of their freshman year. Most cyber operations majors have “top secret” clearances to take internships, an academy spokeswoman said.
Hagerott describes the academy’s cyber plan as “the all, the many and the few.” The “few” are the roughly 80 cyber operations majors in the classes graduating in 2016 and 2017, who will use their skills directly in the Cyber Mission Forces or indirectly as resident cyber experts among their cadres of pilots, ship drivers, submariners or SEALs. The “many” are the computer science and engineering majors who load up on cyber electives. The “all” are the entire class of academy midshipmen.
To make room for the two cyber classes that all students must now take, the academy jettisoned a second electrical engineering course that was once a required part of the curriculum.
The demand for cyber talent in the Navy is strong. Across the military, the Defense Department plans to stand up 133 teams of highly skilled Cyber Mission Force troops by 2018, comprising 6,200 troops altogether. The Navy will be responsible for creating and maintaining 40 of those teams. The department’s top cyber official, Eric Rosenbach, testified in April that Defense may need even more cyber troops to fully protect the nation but won’t know until the current round is up and running.
To date, the Cyber Mission Forces have taken on a shadowy air, fighting battles that often seem incomprehensible to their non-cyber colleagues. Training like the Naval Academy program is meant to bridge that divide.
“One thing we have to do as operators in cyberspace is understand the things we do on a daily basis are not necessarily something the other warfare areas understand, the language we’re using or whatever,” said Vice Admiral Jan Tighe, commander of U.S. Fleet Cyber Command, the Navy’s portion of Cyber Mission Forces.
“So the onus is on us, to some extent,” she said, “to be able to communicate what we’re doing in joint war-fighting terms, to make it clear to others.”
Third-year student Erin Devivies is set to be one of those translators. She shunned computer coding during high school, describing that world as “nerdy kids locked away in their parent’s basement playing World of Warcraft.” The professor in her first-year cyber class was impressed with how quickly she grasped cyber concepts, however, and recommended she pursue the major.
Now, she’s double majoring in cyber operations and Chinese and will intern in NSA’s General Counsel’s office this summer.
Part of Devivies’ drive comes from a growing love of the field. “The sense of accomplishment you get when you write a program and it does what you want it to do is just incredible,” she says.
She’s also driven, though, by the opportunities in an emerging field. Interning for the NSA’s legal shop is “not an opportunity a normal 20 year old has,” she’s quick to point out. After her commitment to the Navy, Devivies said, she plans to go to law school, then work in the financial sector.
The opportunity for rapid advancement in cyber is a pitch Hagerott often makes to students.
“I don’t want to be flippant, but I try to recruit some majors [and] they say, ‘Well, I think I want to be a mechanical engineer,’” he said. “I say, ‘I’m here to tell you, the president isn’t getting briefed on any mechanical engineering issues ... but the president is getting frequent briefs on cybersecurity.’”