Five Questions With: Rebecca Chhim

A senior scientist and technical manager, Rebecca Chhim has been named director of Cybersecurity Undersea Warfare Combat System Integration for Submarines and Undersea Warfare Systems with the Naval Undersea Warfare Center Division Newport. In her new role, she will be tasked with changing up how each segment of the entity considers cybersecurity.

PBN: What do you anticipate will be your biggest challenge in your new role?

CHHIM: My biggest challenge will most definitely be changing the culture. With cybersecurity, the focus has always been on compliance. It was, and in most cases is still today, considered an unfunded mandate without clear requirements that is addressed too late in the life cycle.

Systems and programs think of cybersecurity as the process to follow to receive an authority to operate so they can meet their operational milestones. Cybersecurity will completely impact every part of the system engineering life cycle and to ensure a seamless and transparent cybersecurity solution, it needs to be integrated early in the SE process. On the flip side, the accreditation processes provide programs a false sense of security – a check-the-box mentality – with a heavy focus on documentation and checklists … with no added value to cybersecurity.

If we truly want to do cybersecurity, securing systems, we need to get aggressive in changing the conversation and processes that surround it. The focus has to be on securing systems and those associated requirements based on system attributes and mission, and not just planning for an ATO to do live testing or operations. This is a culture change – not only for programs and engineers but for accreditation authorities and the Department of Defense as a whole.

PBN: As deputy head for cybersecurity, you were able to see cybersecurity solutions being implemented by crews but sometimes with a disconnect of sorts. Can you tell us what you learned from that experience?

CHHIM: I remember this experience like it happened just yesterday and it still resonates with me today and how I approach professional decisions. To answer the call for cybersecurity on operational platforms, a sophisticated cybersecurity toolkit suite of centralized solutions was developed for the tactical systems and networks. It was and still is very impressive.

I was fortunate to have the opportunity to participate in a fleet evolution and observe and interview the crew during the test event. What I saw was not only alarming but eye-opening. We had engineered a sophisticated toolkit, forgetting the end user. They have the hardest jobs already and providing them with manual processes and “fire hose” training had made it too difficult to administer and manage the cybersecurity solution. What gets lost is they have a job to do and administering cybersecurity is not the only thing they are responsible for. We had not provided them the tools or knowledge to be successful, to the point they had started developing their own workarounds; maintenance activities were unknown to them and not being performed.

Also, adding new capability at the time seemed logical and great, but did they ask for it? During another evolution, a new technology we had added was not translating to the crew or their mission the way we had assumed and designed for. We had to manually disable and then physically remove the capability.

We can design the next big technology or solution, but it holds no value if our end user is an afterthought. What do they need, how does it impact their operations, and what is the value to the mission? Those key questions have to be in the forefront of our designs and decisions. Our customer is unique and very important, so we have to get it right on the first try.

PBN: You have said that you have workforce engagements planned within your new role that will bring cyber requirements to engineers early in the life cycle. Can you explain what that means in terms of process and effect?

CHHIM: We need to change the focus from compliance to securing systems early. Cybersecurity needs to be finally integrated and part of the SE discipline. If we want to build secure systems, we need to start with the requirements. We need to get clear-cut requirements to the system developers and engineers early. It cannot be a “you shall do cybersecurity and receive an ATO to meet operational testing milestones” situation.

If we start from the beginning, the effect will be a secure system based on the mission and attributes of the system. We need to identify the requirements much sooner, based on the mission and threats. It cannot be blanket requirements with a subjective assessment at the end. Cybersecurity is not a one-size-fits-all.

We would have cyber-resilient architectures if done early. Cybersecurity upfront would also reduce its impact to the system cost and schedule. We would not be delivering systems with manual cybersecurity processes that are bolted on that add burden to the crew.

PBN: Does working with issues of cybersecurity vulnerability take on additional purpose in a role with an organization such as NUWC Division Newport?

CHHIM: Absolutely! At the end of the day, it comes down to two words: warfighting capability. We cannot compromise the mission and operations. The impact of vulnerability exploitation on our systems and networks can be catastrophic. Cybersecurity in the Department of Defense plays a critical role.

PBN: Is an organization’s cybersecurity architecture ever done?

CHHIM: Absolutely not. I once heard the saying: “Cybersecurity is the horizon we are all chasing but will never reach.” That one statement could not be more powerful or true. There will always be new threats and vulnerabilities, as well as the need and call for technology insertion. We must keep pace, be adaptable and remain diligent.

Susan Shalhoub is a PBN contributing writer.