SAN DIEGO — When the Ivanti virtual private network vulnerability came to light in January, the Department of the Navy had an answer.
The DoN expanded its virtual desktop interface to 110,000 users from 25,000 in less than a week, moving them off of the risky VPN product.
Jane Rathbun, the Department of the Navy chief information officer, said the forced move to VDI opens the door wider to more secure capabilities, especially around the idea of bring-your-own-device.
“This was somewhat of a forcing function for us, but really it always was part of our plan to move away from VPN dependency and give more flexibilities to our workforce using the Nautilus virtual desktop because of its great flexibilities,” Rathbun said in an interview with Federal News Network at the AFCEA West conference. “We always wondered what scaling would look like and whether or not there would be a stress to the infrastructure in doing that. And I have to say, we didn’t miss a beat. I’m really proud of the team for being able to rally. The other thing it did for us and allowed us to strategically communicate, ‘hey, remote workers, you have other options, here they are.’ People have just been amazed at how the capability works and how quick it is, and that they really have not missed a beat.”
The Department of the Navy, like many federal agencies, faced a short timeline to move off Ivanti’s Connect Secure and Ivanti Policy Secure VPN products after the company revealed vulnerabilities that would let attackers bypass the authentication requirement and reach restricted resources by circumventing the products’ control checks.
The Cybersecurity and Infrastructure Security Agency issued an emergency directive on Jan. 19 requiring all civilian agencies to move off the products and/or mitigate the vulnerabilities. CISA then issued a supplemental emergency directive on Feb. 1 requiring further action by agencies.
The cybersecurity threat gave the DoN a perfect opportunity to accelerate the expansion of its VDI software, which it had already been planning to do.
Rathbun said a big benefit of the move to the virtual desktop is letting users access Navy applications and data from a personal device. She said the VDI software reduces the need for a government furnished device.
“We have put protections in place for security purposes so you can’t download things on your personal device. But you’ve got access to all the things that would have been available to you on your VPN connection,” she said. “Our two goals [with the VDI software] are customer service and customer experience, and operational resiliency. For me, operational resiliency is cybersecurity and redundant paths so that you can be productive 24/7/365 from anywhere in the world. Our plan has always been to offer, as we learned about the capability when we moved to our Operation Flank Speed platform, this as a good tool to meet our workforce needs where our workforce is.”
Rathbun said the DoN can’t quite fully abandon the VPN because some applications are not accessible through the virtual desktop interface. Until those applications are updated to work with a VDI, the DoN, and really others across the Defense Department, will continue to have both access approaches.
Navy moving away from the RMF
The VDI, however, is part of the broader move to zero trust. Rathbun said using a VDI helps focus protections on the device, the person and data, which is part of the principles around zero trust.
Underlying the Department of the Navy’s move to zero trust is its move away from the Risk Management Framework (RMF) and toward the “Cyber Ready” approach, which focuses instead on continuous monitoring and ongoing risk assessments. Navy Secretary Carlos Del Toro announced the “Cyber Ready” initiative in August 2022 in a memo outlining its principles of pre-emptive cyber defense.
“With ‘Cyber Ready,’ we see us evolving away from the checklist mentality, the compliance mentality to processes that are established at the enclave or platform layer level. We understand that not every platform needs the same type of cybersecurity tooling and end-to-end approach,” Rathbun said. “We want to make sure that in our ‘Cyber Ready’ that from design all the way to operate to sustain, that we have built cyber capabilities, cybersecurity capabilities into every phase of that ecosystem.”
The Navy has been testing out the concepts that make up “Cyber Ready” with the Naval Air Systems Command and with the Program Executive Office Integrated Warfare Systems (PEO IWS) over the last year.
Rathbun said each of the organizations is looking at the approach a little differently.
“NAVAIR is thinking about it holistically. What would it look like to give NAVAIR a ‘Cyber Ready’ designation built into their whole process? These are the things we need to see, that you’re producing the telemetry that the cyber operators need, that you can assess threats, that you can give us a risk score,” she said. “We’re building a set of criteria that allows us to feel good about the level of risk you’re accepting in your systems and so they’re looking at the whole process.”
‘Cyber Ready’ pilots progressing
PEO-IWS, Rathbun said, is looking at three programs in various stages of the lifecycle. One is a new start. One is modernizing its technology, and the third is just on their three-year cycle for a new authority to operate (ATO).
She said the third program is looking at how they can incorporate some of these “Cyber Ready” approaches like continuous monitoring into their current cyber posture.
“Ultimately, what we’ll be doing with PEO-IWS is looking at combat weapons system because it is an enclave unto itself. They will go through the same approach that NAVAIR is going through for their enclave and get a ‘Cyber Ready’ designation for their process,” Rathbun said. “The ‘Cyber Ready’ pilots are helping us evolve to this state where we believe the answer is going to be, in the future, at a system command via an enclave, they’re going to tell us what the ‘Cyber Ready’ process looks like. We’re going to evaluate that process along with our Cyber Command leadership and say, ‘yep, you are cyber ready. Anything you run through this meets the requirements and you will get an authority to operate.’ Then, we will do spot checking. We’re going to do scorecards to do all the same things we do today, but as long as you are continuously running this process and running a ‘Cyber Ready’ approach, then you can move things through.”