Senate Armed Services Committee
Advance Policy Questions for Mr. Carlos Del Toro
Nominee to be Secretary of the Navy
Cyber and Electronic Warfare
Section 1657 of the FY 2020 National Defense Authorization Act (NDAA) directed the appointment of an independent Principal Cyber Advisor (PCA) for each Military Department, to act as the principal advisor to the Secretary concerned on all cyber matters affecting that Department.
142. What do you see as the role of this position in the Department of the Navy?
I am overall supportive and appreciative of the initiative to stand up a PCA within each military department. I agree a dedicated office to coordinate cyber requirements and resources seems prudent given the complexity of fully integrating all facets of cyber within the Department of the Navy. It is my understanding the PCA will oversee the execution of Departmental policies and programs including: (1) the recruitment, resourcing, and training of military cyberspace operations forces, (2) acquisition of cybersecurity tools and capabilities, and (3) cybersecurity and related supply chain risk management of the industrial base. I also understand the PCA will advise senior leadership on the full spectrum of cyberspace activities and information operations and the threat from adversary activities.
143. If confirmed, how would you plan to utilize the Navy PCA as part of your
If I am confirmed, the PCA would be part of my direct leadership team to keep me informed on cyber issues and threats that may affect the Department and the ability to meet obligations in defending the homeland or competing with adversaries. In addition, the PCA would be integral in developing, monitoring, and executing the Department’s implementation of the DOD Cyber Strategy. I would also look to work with the PCA to determine how to integrate cyber as a warfighting domain, with the more traditional means and methods of warfare.
144. What are the Department of the Navy’s top 3 Cyber Challenges, and how will you use the Principal Cyber Advisor to address them?
I believe the top three cyber challenges with the Department of the Navy are: (1) embracing Zero Trust principles across our traditional information technology, critical infrastructure and weapon systems, and the Defense Industrial Base (DIB); (2) truly embracing cyber as a warfighting domain and expanding our scope of thinking well beyond simply cybersecurity to ensuring we can credibly deliver effects against adversary information systems, critical infrastructure and weapons systems; and finally, (3) the readiness of the Department’s cyber mission forces entrusted with not only the protection of DON systems but holding adversary systems at risk with organic non-kinetic cyber capabilities. If confirmed, I would empower the PCA to engage with the organization responsible for acquiring and delivering these capabilities, and recruiting and training the workforce, to ensure our cyber ecosystem is adequately resourced and supported.
In May 2018, the Cyber Mission Force achieved full operational capability. In September, DOD released its 2018 Cyber Strategy.
145. In your view, how well postured are the Navy and the Marine Corps to meet the goals outlined in the 2018 DOD Cyber Strategy?
It is my understanding that Navy and Marine Corps activities and investments have improved the Department’s cybersecurity and cyber resiliency posture while also supporting the DoD Cyber Strategy objective to “secure DoD information and systems against malicious cyber activities, including such activity on non-DoD-owned networks.” The Department of the Navy continues to pursue initiatives to improve our cyber defense posture and increase resilience through the DON Information Superiority Vision “Defend” line of effort including: (1) measuring cyber risk, (2) driving active monitoring, (3) promoting a cybersecurity culture, and (4) securing the Defense Industrial Base (DIB). These strategic objectives are aligned to the DoD Cyber Strategy. If confirmed, I will continue to ensure the Navy and Marine Corps are postured correctly to detect, protect, and respond to cyberattacks and intrusions. I will also integrate cyber operations into operations to build a lethal joint force to deter and defeat adversaries in cyberspace.
146. What actions would you take, if confirmed, to remediate any gaps between Navy and Marine Corps capacity and capability and Cyber Strategy goals?
If confirmed, full spectrum cyber operations will be an area of priority for me. The Department must not only fully embrace cybersecurity and cyber resiliency principles but it must also fully embrace cyber as a means of warfare integrated with how it will project power from the sea as a combined Navy and Marine Corps team. I support the creation of the Joint Cyber Warfighting Architecture (JCWA) to ensure Navy and Marine Corps equities are addressed and incorporated into the DOD future warfighting construct. Also, as identified in the Department’s 2019 Cybersecurity Readiness Review, there is an urgent need to improve Defense Industrial Base (DIB) cybersecurity for the protection of Controlled Unclassified Information (CUI). I will emphasize efforts to increase accountability and accelerate the pace at which we attain complete cyber integration with our warfighting capabilities.
147. In your view, should the Navy and Marine Corps expand acceptable professional qualifications for their cyber workforces to include non-traditional professional credentialing and schooling from so-called technology boot camps and massive online open courses (MOOCs) as an alternative to traditional education, provided candidates meet the necessary technical standards?
The Department should look for innovative ways to train a highly skilled workforce shaped for today, but prepared for tomorrow’s needs. Technology boot camps prepare attendees for industry certifications, some of which are accepted qualifications for certain cyber workforce roles. However, I would need to conduct further review to determine if non-traditional credentialing can replace the foundational requirements currently provided by formal education or professional certification. If confirmed, I will look into the educational and technical standards required to determine if non-traditional forms of credentialing can reduce barriers to entry into this work space.
148. If confirmed, what will you do to enhance Navy and Marine Corps information dominance capabilities?
If confirmed, I will continue support for the Department of the Navy’s Information Superiority Vision, which aims to securely move information from anywhere to anywhere when needed, resulting in improved readiness and our ability to observe, orient, decide, and act faster than our adversaries. Guided by this vision, I understand that the Department will build information superiority by modernizing infrastructure, innovating and deploying new capabilities, and defending networks, systems and data.
149. Given the difficulty in defining where cyber operations and electronic warfare merge, if confirmed, how would you organize, train, and equip the Navy to minimize gaps and seams in these two critical mission areas?
If confirmed, I will commit to refining how our Naval forces approach the convergence of not just cyberspace operations and electronic warfare but also space and operations in the information environment. It is imperative that the Navy and Marine Corps implement the right technologies in these mission areas. The Department must also organize and train with the other Services, including allies and partners, to operate in the multi-domain environment of tomorrow, while staying aligned with DOD regarding organizing, training, and equipping Naval cyber and electronic warfare forces.
150. What progress has the Department of the Navy made in implementing the recommendation of the “Cyber Readiness Review” it conducted in 2019?
As I understand, the Department’s 2019 Cybersecurity Readiness Review (CRR) highlighted the need to treat data and information as a strategic asset and warfighting capability. The report organized recommendations into five key areas: structure, culture, people, process, and resources. In response to findings in the CRR, the Secretary of the Navy established an empowered CIO responsible for closing a 10-15 year technology gap, leveraging emerging technology to deliver transformative capability, and securing Department of the Navy data regardless of where it resides. I also understand that in the last two years, the Department of the Navy has made substantial progress in modernizing our infrastructure and securing our information for competitive advantage. If confirmed, I will look to understand how the Department is implementing the recommendations, and if any adjustments are required.