Navy Deputy CIO: Zero Trust Boosts Navy Cyber Defenses

The Department of the Navy operates in an increasingly dangerous cyber domain and must juggle supply chain security, data integrity and advanced cybersecurity to bolster defenses.

Navy Deputy CIO Barry Tanner spoke to GovCIO Media & Research about his vision for cybersecurity, what threats worry him most and progress on zero-trust implementation.

How is the Navy building a safer cyber environment for military personnel?

We are implementing zero trust, focusing on increased operational resilience and ensuring we can deliver data securely to our warfighters anywhere, anytime.

The Navy is at the leading edge of efforts across the Defense Department to implement zero trust to support warfighter needs in the most secure way possible. To date, the CIO team has assisted in standing up the DOD Zero Trust Portfolio Management Office, built and deployed a zero-trust environment that underpins Navy operations in flank speed, supported the buildout of a similar architecture by the Marine Corps and supported ongoing assessments of those environments by both internal and external teams to ensure that they continue to meet the highest levels of security.

Going forward, we will continue to improve our cyber resiliency, ensuring our ability to anticipate, withstand, recover from and adapt to adverse conditions, attacks or compromises on systems. The goal is to ensure that critical systems have the ability to deliver capabilities and execute supported missions in a contested cyber environment. By improving our resiliency, we are improving our readiness.

Data integrity is critical in the cybersecurity supply chain. How are you dealing with that connection?

We are working with our primary Defense Industrial Base (DIB) partners to illuminate the supply chain in order to evaluate the cybersecurity practices of all those involved in the supply chain. 

Together, we need to check the data for accuracy and consistency throughout the supply chain and respond to any noted irregularities or violations discovered through that process. We need to implement strong encryption and access controls, as well as conduct regular security assessments across the entire supply chain to actively validate our posture rather than simply focus on compliance.

Cybersecurity is often compared to a wall or rampart. How does the Navy both build good ramparts, but also keep malevolent actors far from the ramparts?

The traditional “walled garden” approach to cybersecurity simply does not work, so we need to think differently. By implementing the principles of zero trust, we keep what is good about the “ramparts,” while also putting in place robust real-time access and data controls, ensuring that only approved users can access our networks and data.

To keep malevolent actors far from these ramparts, our users and system owners are the first line of defense against cyber threats, making their vigilance and practices paramount. Strong cyber hygiene prevents breaches, reduces vulnerabilities and ensures compliance with regulatory standards, but these aren’t enough. By actively assessing who is requesting to access a piece of data, from what device, in what location and with what application, we can make deliberate decisions and manage risk more effectively. In this way, we strive to keep the malevolent actors away but are ready and able to protect our data even if the ramparts aren’t enough.

Cybersecurity is a shared responsibility. Everyone from leadership to the newest recruit has a role to play in maintaining a secure environment. By fostering a culture of vigilance, continuous learning and proactive defense, we can collectively enhance our security posture. The strength of our defenses is only as strong as the weakest link.

How can leadership address cybersecurity challenges across partners?

Leaders throughout the chain of command need to embrace their role in achieving the organizational climate required to unleash the collective power of our workforce and industry partners.

Specifically, we are:

• Coordinating Department of the Navy DIB Cybersecurity Advisory Board efforts to identify, share and synchronize DIB-related actions across the Secretary of the Navy, Navy and Marine Corps.
• Maintaining a Department of the Navy DIB site highlighting cybersecurity resources available for DIB partners.
• Advocating no-cost cybersecurity services available from National Security Agency (NSA) and Naval Criminal Investigative Service to DIB partners to improve the protection of our data and/or innovation stored on our DIB partners’ infrastructures.
• Increasing the number of industry partners participating in the NSA DIB Adversarial Assessment Pilot using commercial platforms to improve overall attack surface management efforts.
• Leading publication of a DIB cyber incident notification policy to ensure reported incident information is internally shared in a timely and effective manner to senior leadership and stakeholders.

Successful execution of this approach depends on strong, focused partnerships between the Department of the Navy, DOD, NSA and our industry partners.

What cybersecurity threats worry you the most?

The rise of supply chain attacks poses a significant risk where attackers target third-party vendors to infiltrate larger networks. These attackers can bypass the aforementioned ramparts.  These attacks can result in widespread operational disruptions and financial losses. The SolarWinds incident, for example, demonstrated how a single compromised vendor can impact significant numbers of companies simultaneously.

Another threat that worries me is the rapid growth and proliferation of AI. This technology is rapidly evolving, allowing adversaries to automate and scale their attacks in unprecedented ways. While AI offers many benefits, its dual-use nature means it can be weaponized, leading to sophisticated, adaptive threats that outpace traditional defense mechanisms. We must focus on understanding and countering AI-driven threats by developing advanced detection methods and fostering AI literacy across our cybersecurity teams.

The final threat that comes to mind is quantum computing. Quantum poses a significant threat to current encryption methods as it could potentially break widely used encryption algorithms like Rivest–Shamir–Adleman and elliptic-curve cryptography. To counter this, developing quantum-resistant encryption technologies must be prioritized to ensure the continued security of sensitive data in the post-quantum era.