JESSUP, Md. — On the borderlands of Fort Meade, the U.S. Navy is taking a tandem approach to cyber defense and talent development.
Inside an unassuming office building, a few floors up and tucked into a spread of austere rooms, is Operation Cyber Dragon. The brainchild of Chief Warrant Officer Scott Bryson, the hands-on endeavor authorized by U.S. Fleet Cyber Command aims to fix virtual vulnerabilities — shoring up systems bit by bit — while also fostering a new wave of cybersecurity expertise.
“We’re doing it so that we can continue to mitigate and fortify our attack vectors and secure our networks even better,” Bryson told reporters July 22, while standing among computers, cubicles and colleagues.
Cyber Dragon kicked off in March, with the second phase of the program now underway. In its current form, the operation is focused on fortifying unclassified networks and rooting out common, widespread digital weaknesses: lax security settings, easily guessed credentials, unpatched software and more.
Doing so, officials said, makes its more difficult for hackers to break in and wreak havoc. According to the Navy, some 14,500 issues were initially identified on service networks as in need of addressing. Each could be a foothold for an adversary, especially at a time of heightened cyber conflict. Deputy Chief of Naval Operations for Information Warfare Vice Adm. Jeffrey Trussler in a February memo warned sailors that “cyberattacks against businesses and U.S. infrastructure are increasing in frequency and complexity.”
To tackle such a large and evolving workload, manpower was needed. So Bryson turned to the reserves, including to people not necessarily cyber fluent.
“I went to the reserve forces that we have at 10th Fleet, and I requested some bodies, and I came up with a training plan. And I said, ‘Well, if you give me X amount of sailors for X amount of days, I think that we can get after a percentage of our vulnerabilities, patching and scanning.’ The reserve force came through with the manning, they came through with the space,” Bryson said.
“When we did the posting, it wasn’t limited,” he added. “I said I’ll take anybody.”
Among the dozens of participants were, by day, a long-haul truck driver, a banker and a small-business owner. The operation offers reservists the chance to fulfill annual training requirements while also making a tangible difference.
Cyber Dragon teams have thus far identified and remediated thousands of issues — everything from several “high-profile exposures” to default usernames and passwords to discovering “data where we didn’t want data to be,” according to officials involved with the effort.
“A default username and password means that anybody could could log in and execute on here, on these particular machines. Now, they weren’t national security-related. There was no major issue directly to national security,” said Rear Adm. Steve Donald, the deputy commander of Fleet Cyber Command/U.S. 10th Fleet. “But in some cases, it could have caused harm to individuals, identity theft or something of that nature. We were able to shut that down.”
Teams have also zeroed in on potential spoofing certificates, risky software use and cloud management hiccups. Some 50 sailors have been trained on state-of-the-art attack surface management software, used to discover, classify and assess the security of an organization’s assets, with 100 more expected to undergo the same education in the coming months.
Lt. Blake Blaze, a reservist with a cyber and tech background, said the operation has improved both his understanding of the field and the cybersecurity of the Navy.
“My biggest motivation for staying in the reserves was I wanted to be close to the fight in case things get interesting with some of our near-peer adversaries,” Blaze said. “We’re not directly engaging with the enemy, so to speak, but we are trying to prevent their avenues of access to our networks.”
Both Bryson and Donald said they foresee a bright future for Cyber Dragon. As long as there are bugs to fix and the will to fix them, they said, the operation is viable. And Cyber Dragon’s format makes it mobile and replicable, appealing to workspaces and workforces of all sizes across the U.S.
All that’s really needed is floor space, network connectivity and a few tools from third-party vendors.
“The interesting thing in the IT world or the network world is what’s patched and 100% compliant today might not be patched tomorrow, because vulnerabilities ebb and flow,” Bryson said. “So do I think that this has legs to continue on? Absolutely.”
Colin Demarest is a reporter at C4ISRNET, where he covers military networks, cyber and IT. Colin previously covered the Department of Energy and its NNSA — namely Cold War cleanup and nuclear weapons development — for a daily newspaper in South Carolina. Colin is also an award-winning photographer.