Introduction

I am currently a rising second-year Cyber Operations major at Old Dominion University. This summer, I interned as a government contractor at Saxman One, LLC’s Naval Research Enterprise Internship Program working for Naval Information Warfare Center Atlantic (NIWC Atlantic) in Norfolk, VA. The project I worked on placed me on NIWC’s Network Security team to secure systems aboard US Naval vessels. I chose to participate in this program because I wanted to network with peers in the Hampton Roads area, learn technical and soft skills applicable to my career after graduation, and explore the public sector of the cybersecurity industry.
My objectives for this internship were to:

  1. Understand and configure networks aboard US Naval vessels and in-land installments.
  2. Identify and defend against threats to US Naval Afloat networks and systems.
  3. Explore the tactics, techniques, and procedures (TTP) used by the Network Security Integrated Project Team (IPT).

Background

NIWC Atlantic is the Atlantic subset of the Naval Information Warfare Systems Command (NAVWAR) which is part of the Department of the Navy. According to the NAVWAR website, NAVWAR was formerly known as the Space and Naval Warfare Command (SPAWAR) and can trace its roots to the 1960s and 70s. It is an amalgamation of several IT and electronics departments created at the end of the Second World War. In 1997, its headquarters moved from Crystal City, VA to San Diego, CA. Outside of NIWC Atlantic, the command is also made up of four other organizations: NIWC Pacific, Program Executive Office Command, Control, Communications, Computers and Intelligence (PEO C4I), Program Executive Office Digital and Enterprise Services (PEO Digital), and Program Executive Office Manpower Logistics and Business (PEO MLB) (Naval Information Warfare… 2023).

The primary purpose of NAVWAR is to create and ensure a secure systems and communications network across the U.S. Navy. This is accomplished through various research and maintenance teams, including Radio and Satellite Communications, Wide and Local Area Network Security, and Mobile Applications. NIWC Atlantic supports this mission by handling operations in the Atlantic Ocean and on the East Coast.

Management Structure and Initial Impressions

The internship program is managed by two general mentors; they provide logistic and professional support in the form of training, professional development, and AWS cloud training. They also organize events on the base, such as orientations and ship tours. In addition, all interns are placed on a team that aligns with their academic and professional interests and assigned a mentor on that team to guide them and assign them tasks. While some tasks are specific, others were vague and required the intern to conduct research and produce creative solutions to unique problems. This structure proved to be very efficient for the program as it delegated management to several individuals.

Most of the first week consisted of gaining access to various systems and assets. I attended an orientation and several security briefs and gained access to the base. I was very excited to begin the program, as it would give me insight into the defensive security workplace and the public sector. The Integrated Project Team (IPT) I was placed with was focused on maintaining and ensuring Network Security, especially on Naval ships. Our objectives were to:

  1. Evaluate the current security postures of US Naval ships and installations, primarily through vulnerability assessments.
  2. Provide guidance and recommendations to improve the security postures of ships and installations.

Duties, Projects, and Responsibilities

NOTE: There are no real-life images included in this paper as physical work completed may be considered sensitive. Likewise, some details regarding specific tasks and work had to be omitted.

Suggesting Improvements to Current Security Procedures

One of my first projects was to review a security brief created some time ago and identify areas of improvement. This brief detailed recommendations to improve a security posture through the implementation of basic cybersecurity principles, including changing default passwords and disabling unused accounts. As a result, I had to think deeper than the lowest-level security policies we learned in class to provide value to the team. I suggested using website whitelists to ensure only those that were approved were available to shipmen. This was a teaching moment, however, as this is not feasible. It is difficult to maintain a single whitelist or blacklist for any kind of technology across an organization as large as the US Navy.

NCDOC/NIWC Technical Exchange Meeting

I also observed a Technical Exchange Meeting (TEM) between NIWC and the Naval Cyber Defense Operations Command (NCDOC), which exposed me to the project management aspect of networking in the Navy. The primary objective of the TEM was to provide a space where network engineering and security teams across the various commands of the Navy could meet and outline their plans for the next year or so. While there were some points of contention, the teamwork exhibited was inspiring to watch. As this occurred about a quarter of the way through my internship, I was also able to see how some of the projects discussed were implemented through sensor installations and SOTs.

System Operability Tests (SOT)

System Operability Tests, better known as SOTs, are tests consisting of various checks where a ship or installation’s network is tested for adherence to Naval guidelines. The Network Security IPT focused on maintaining the cybersecurity of the site’s networks and systems. This mainly consisted of checking firewall and router configurations, performing vulnerability scans, and ensuring proper access control measures were in place. We also worked hand-in-hand with the network administration team in the case of any connectivity or access issues to ensure that the network was configured properly.

SCHEDULING

I attended a series of scheduling meetings where team members met to coordinate future SOTs. These tests must be planned in advance because ship movements must align with team member movements. Certain scans and technical actions must also be performed by the ship’s force. My role in these meetings was primarily to observe, but it allowed me to learn some about project management from a technical perspective. All those involved are very aware of what these tests entail and the amount of manpower that must be employed to make them successful. Completing as many of them as possible within a given timeframe is difficult but allows the Navy to function efficiently.

TESTING

I was allowed to participate in a week-long SOT with the IPT. As mentioned above, I was involved in assessing the network configurations for a ship. While I was familiar with some of the tools used in the test, such as the Nessus Vulnerability Scanner, others were entirely new to me. My coworkers were very willing to help me understand the process of checking each system for compliance with DoD guidelines. I got hands-on with the systems afloat. I also got to ask questions of those working on other parts of the SOT, like the SATCOM test lead. I found it very useful to have a base-level understanding of how all the Test Event systems worked together.

The actual process I used was to go through a checklist we had and check for certain things in each application. For example, the firewalls and routers had to be checked for certain rules on a variety of interfaces and networks. Each of 4/5 different networks needed to be checked for different access controls, which meant that the access control lists (ACLs) would first need to be extracted from the firewall interface, then analyzed for proper configuration. I also performed several general updates to remedy vulnerabilities and provided the shipmen with guidance to remedy other, long-term security issues.

One of the most important things I learned was the difference between public and private sector systems. Because ships are out of contact with the shore for many weeks or months at a time, it can be difficult for them to always utilize updated technology. This is especially true when one considers the scope of the US fleet; there are hundreds of ships and not enough piers to support them all getting overhauled IT systems at the same time. This means that several versions of the software packages must be supported at the same time. Keeping track of all updates and adhering to the DoD’s policies and requirements means that it can be very difficult to maintain a good security posture both afloat and ashore.

REPORTING

Perhaps the largest portion of my internship was spent working on the reporting aspect of SOTs. First, my mentor asked me to look through our current reporting methods and identify areas of improvement or enhancement. I suggested the addition of graphics to ensure that those reading the reports could make informed decisions on how to improve their systems. I worked to implement these by first creating complex array formulas, then converting them to charts and tables.

My work with the reports in Microsoft Excel was made easier by my previous internship experience with Synack, Inc., and my classwork in high school. I was able to create more complex and efficient formulas and solutions as a result. That being said, I did still learn more about Microsoft Excel that I was previously not experienced in, primarily relating to PivotTables/PivotCharts and array formulas.

Network Installations

The reports for certain network installations also needed to be reworked. I used Microsoft Excel’s form controls to recreate a Word Document report in a different format. This allows installations to be completed more efficiently and clearly for all involved. Additionally, while I had used form controls briefly in the past, this gave me more experience with their functionality and features.

AWS Coursework

This internship also provided the opportunity to take the AWS Cloud Practitioner certification exam at a discounted rate. We were provided with weekly, guided instruction and a Canvas course to ensure we learned the material. The Canvas course also contained sandboxes and labs so we could put the knowledge we learned each week into practice. While I have yet to take the exam, I plan to do so before returning to university for the Fall 2023 semester. For me, this was one of the highlights of the internship as it allowed me to understand the merits of cloud technology while also seeing the associated costs in a production environment.

Briefs

Finally, I had the opportunity to present my experiences in a series of weekly briefs with my fellow interns. This mainly consisted of summarizing my work into a single slide and giving a five-minute presentation on my objectives, the work completed, the material I learned, and any advice or feedback I had.

In the final few weeks, this culminated in an Ignite Brief, where I presented my work for the entire summer to organizational leadership and fellow interns from across the country.

Classroom vs. Internship

CYSE 301 (Cybersecurity Techniques & Operations) was the primary source of my classroom-learned knowledge for this internship. Its inclusion of the Nessus vulnerability scanner and firewall configuration with pfSense was especially helpful in the SOT. Even though pfSense wasn’t the technology used aboard the ships, the concepts I learned while using it were still applicable, especially when checking for compliance with DoD configuration requirements.

Additionally, CYSE 200T (Cybersecurity, Technology, and Society) was also somewhat useful. The general cybersecurity principles I learned there and in my high school coursework were extremely applicable to my analysis of the Navy’s “current security procedures.” This is particularly inclusive of the way businesses are run with cybersecurity in mind. Cybersecurity must be integrated into every part of the engineering and development processes; otherwise, any products created will have inherent flaws that could lead to major system and network intrusions. When applied to the high-stakes, international scope of US Naval operations, these principles and processes only become even more vital.

The Dual Enrollment English classes I took in high school were also useful in forming reports and emails. Being able to communicate through text is very useful for a command that primarily does remote information technology work.

Finally, COMM 101R (Introduction to Public Speaking) was instrumental in completing my assigned briefs every week and communicating with my colleagues. I was able to articulate my work in both a technical and non-technical manner to ensure all members of the audience understood the subject matter. The skills I learned in this course also helped me create my PowerPoint brief presentations each week. I understood the necessity of keeping slides brief but informative and expanding upon them in my speech.

I do wish my coursework had placed more emphasis on more in-depth cybersecurity techniques before I was faced with them in the field; however, I expect I may encounter them in later courses.

Objective Fulfillment

  1. Understand and configure networks aboard US Naval vessels and in-land installments.
    This objective was mainly met through my participation in the SOT procedure. I was able to understand the logistical work that goes into performing a SOT and understand where the US Navy may need to improve. I was also introduced to the problems involved in maintaining a proper security posture. Because of the complex nature of these networks, a myriad of different technologies is employed to secure them. This could also be the case in large-scale corporate environments.
  2. Identify and defend against threats to US Naval Afloat networks and systems.
    This objective was focused on less than the first one, but I still learned quite a bit about it. It was met through both my work viewing and improving the Navy’s current security posture and through the SOT. After the checklist was completed in the SOT, the Subject Matter Experts (SMEs) recommended further steps for shipmen to improve their posture. Sometimes, these were items that were immediately actionable. Other times, this may have included making a ticket to the proper help center.
  3. Explore the tactics, techniques, and procedures (TTP) used by the Network Security Integrated Project Team (IPT).
    The Technical Exchange Meeting and various other planning meetings were instrumental in my completion of this objective. While I was not always actively involved in this process, it was very valuable for me to observe it. The TTP may change from ship to ship or system to system. Every part of the network is working in tandem in a delicate balance, so it is important to use the TTP that is best fitted to the system. I got hands-on with some of these procedures both in the SOT and in my first two weeks of the internship, where I was able to practice using the IPT’s tools on public machines. This practice allowed me to be better prepared for the SOT so I could ask more specific questions and add value to the team.

Reflection

Overall, I was very inspired by this internship. It is important to me that we are working towards a goal that has clear effects on the world around us. I can see the inherent security issues present aboard Naval vessels and view the improvements being made in our nation’s general security posture. It was also very exciting to step foot on the ship and get hands-on with networking equipment that I have only read about in books or online, especially when I was able to apply my previous knowledge and experience by asking valuable questions.

Unfortunately, some aspects of the public sector are less than desirable. For example, the speed at which the bureaucracy operates and the decisions made by some commanders are very discouraging. While the government has made great strides in recent years to improve its security posture and cyber awareness, there are still some that do not see the value in using resources on cybersecurity. As such, it is the job of teams like the Network Security IPT to impart as much guidance and information as possible to improve the overall security posture of the fleet and its supporting installations. Additionally, the systems used aboard these vessels are very specific. It is not easy to drag a brand-new server onto a Naval ship, and updating software is a massive undertaking for a fleet as large as ours.

This internship was very fun and enlightening, and I would highly recommend it to those interested in joining the workforce after graduation. I would even recommend it if they had no interest in the public sector whatsoever as knowledge of governmental systems can be very useful and impressive. For those interested in a similar internship or participating in this program, I would recommend the following:

• Ask questions. There are very knowledgeable and experienced professionals from all walks of life in the Navy, both as civilians and enlisted.
• Be a self-starter. There will be times when you are asked to complete a task that you have no experience with. Understanding how to identify what needs to happen, conduct research, and decide on a course of action can be the difference between impressing your mentor and giving a mediocre performance.
• The public sector and the private sector operate very differently. The “freedom” of development found in the private sector is not as prevalent in the public sector. There are many more restrictions and policies to be aware of when operating in the public sector, especially as it relates to the handling of sensitive information. As I mentioned in the Duties, Projects, & Responsibilities section, you must spend time understanding the differences between the two to do your job well.
• Understand your audience and project environment. To create and protect systems aboard ships, you need to understand how they function, and the constraints present in the environment. You can make software that works ashore perfectly, but it could be completely useless on Naval vessels.
• Be a sponge. The Navy operates very differently than every other organization or company. The abbreviations alone take up pages and pages, so it is important to absorb as much information as possible. This will improve your experience and allow you to understand the process of maintaining Naval systems. You may even be able to apply some concepts to private companies/organizations.
• Be adaptable. Given the nature of working with the Navy, things can be somewhat reactive. It is important to be able to complete tasks on time and switch to other areas as needed. Teams typically value your ability to do so regardless of the industry or organization.

Conclusion

Going forward, I am more heavily considering working in the public sector. Previously, I was certain that I wanted to work in the private sector due to the higher pay. Now, however, I enjoy the meaning behind the work completed for the Navy. The people being protected by the work I did with NIWC Atlantic are my age. They are going out to protect our country and need the proper tools to do so. My work is having an actual impact on the real world, and that is more fulfilling than most things I’ve experienced.

I’ve also discovered a larger interest in network security and administration because of this internship. I enjoy configuring and reconfiguring the networks to ensure that they provide the highest level of operability and protection for those using them. For the rest of my time at college, I will focus more on learning about networking and the best way these systems can be protected. Likewise, the trajectory of my career, in general, has shifted. While I remain interested in red teaming and penetration testing, I also want to pursue avenues of network security. I am especially excited to see the intersection of the two fields, where the importance of malware analysis is paramount.

I am more excited than ever for the future, and I will be forever grateful for this opportunity. I look forward to what the next years of my career will bring.

References

Naval Information Warfare Systems Command. (2023). About. https://www.navwar.navy.mil/about/