Small Wars Journal

The Case for Cyber

Thu, 09/13/2012 - 5:30am

Cyber warfare isn’t hype; it’s real.  America’s decisive technological advantage now contains the seed of our undoing.  Our technological dependence is woven into the fabric of our way of life and our national defense.  GPS satellites guide troops and weapon systems, algorithms fly aircraft and allocate supplies, websites drive personnel assignments and promotion boards, and official and personal data and voice communications almost exclusively transit computer networks.  If these critical networks begin to fail, we aren’t a twenty-first century fighting force; we are a 1980-era military. This estimate is generous.  In 1980, we knew how to fight using face-to-face communications, manual land navigation, analog radios, and acetate overlays.  Today is different.  Information technology has largely kept its allure of dramatically increased efficiency at low cost.  Thus, we no longer have “stubby pencil” warfighting skills or the extra personnel to handle these myriad manual tasks. 

American society sits even more precariously.  Over the past twenty years, we have gradually discarded the manual systems that ran our infrastructure and replaced them with automated systems that are more efficient but more fragile.  The lingering elements of our pre-Internet life—such as the Postal Service, paper currency, and land line telephones—are becoming extinct.  Our entire economy consists of data stored in financial systems, as do our identities and the nation’s crown jewel: intellectual capital.  We aggressively chase technology’s promised gains, such as smart electric grids, pilotless aircraft, electronic voting, and cloud computing.   Technological dependence is ubiquitous.  Ironically, while the average teenager has matured in a country where “online” is as commonplace as hot water, technically expert senior military leaders are scarce.

This paper will examine cyber warfare’s threat, clearly explain its import to the military professional, and suggest a way ahead.  Stories of isolated security incidents surface daily, but are quickly forgotten.  We thus seek to present a compelling case for cyber security that will garner informed support and motivate action within our military.  This isn’t just a problem for communications and intelligence specialists.  The cyber security problem we all face is unprecedented; we can only get it right through teamwork. 

Cyber operations will occur in cyberspace, but what is “cyberspace?”  We use the definition found in National Security Presidential Directive 54: the “interdependent network of information technology infrastructures, [including] the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries.”

The Threat Landscape

The following examples highlight the daily threat:

These events presage a devastating cyber security event that threatens our way of life.  An equally dangerous alternative is that thousands of smaller cyber attacks sap American innovation and commerce without ever reaching the threshold that would spur a significant government response.   Technology enables us to defeat a numerically superior enemy.  We have enjoyed information dominance since at least the Persian Gulf War.  However, our adversaries—from lone malicious hackers and terrorist groups to organized online crime rings and nation states—are active in cyberspace and are turning this greatest strength against us.

The nationwide investment in cyber security and the formation of U.S. Cyber Command and service component cyber commands signal a national awakening to this threat.  In a 2009 address, President Obama argued that the “cyber threat is one of the most serious economic and national security challenges we face as a nation.”  General Keith Alexander, Commander of U.S. Cyber Command, stated that current DoD networks are “not defensible.”  During his confirmation hearings, Secretary of Defense Leon Panetta stated, “There is a strong likelihood that the next Pearl Harbor that we confront could very well be a cyber-attack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems. This is a real possibility in today's world.”  We wholeheartedly agree. 

No Easy Solution

The best defensive techniques might slow a determined adversary, but will ultimately fail.  Ad hoc technical solutions aren’t the answer.  Consider the following:

  • Most military computing systems rely on untrusted components.  In particular, America possesses a very limited capability to manufacture advanced microchips, and rigorously validating foreign-manufactured circuitry is impossible except for small numbers of parts.  Additionally, adversaries can compromise a system anywhere along the supply chain.  Thus, many computing systems rest on a precarious foundation.
  • A single trusted insider, turned bad, can have devastating consequences, particularly when empowered by today’s technology which enables rapid and high volume collection and dissemination of sensitive data. Consider the recent WikiLeaks debacle.
  • Digital information is slippery.  Divulged sensitive data is likely permanently compromised.  For example, although Pentagon policies forbade DoD personnel from accessing WikiLeaks data, already widely available on the Internet, they did little to curb global access.
  • Antivirus systems are only a partial solution and cannot keep pace with rapidly evolving malicious software variations.  A determined attacker can easily bypass antivirus protections.  Powerful new exploits are available in underground markets for about $100,000, sometimes for much less.
  • A few vendors provide most of our hardware and software.  Thus, targeting a single flaw can compromise countless machines.
  • Isolated networks don’t guarantee security.  Attackers have developed weaponized software that bridges air gaps and patiently awaits the inevitable security lapse; the Stuxnet worm, for example, spread on USB storage devices to reach isolated control systems.
  • Security experts are in critically short supply. While initiatives to recruit, develop, utilize, and retain qualified personnel continue, the military’s kinetic warfighting culture may resist supporting these programs. 
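An added illustration of the two antivirus points above (this is example code, not from the article): a tiny detector with an exact-hash signature and a YARA-style wildcard byte pattern, run against mutated copies of a constructed, harmless byte blob. The sample bytes, the "opcodes" and both signatures are invented for the demonstration. The point is that changing one immediate or appending padding already defeats the hash list, while a single inserted NOP defeats the contiguous byte pattern as well.

```python
"""Added example (not from the article): why exact-match signatures fail
against trivially mutated malware, and why looser structural patterns
survive only a little longer.  Every sample and signature here is
constructed for illustration; no real malware is involved."""
import hashlib
import random
from typing import Dict, List, Optional

# Constructed "malicious" blob: a fake header, a distinctive instruction
# sequence (what a signature writer would key on), and some padding.
ORIGINAL_SAMPLE = (
    b"MZ\x90\x00"                      # fake executable header (constructed)
    + b"\x6a\x00\x68\xde\xad\xbe\xef"  # push 0 ; push imm32   (constructed)
    + b"\xe8\x10\x00\x00\x00"          # call rel32            (constructed)
    + b"NOTREAL-PAYLOAD-STRING"
    + b"\x00" * 16
)

# Signature 1: exact SHA-256 of the known sample, the classic "known bad" list.
HASH_SIGNATURES = {hashlib.sha256(ORIGINAL_SAMPLE).hexdigest()}

# Signature 2: byte pattern with wildcards, YARA-style "6a 00 68 ?? ?? ?? ?? e8";
# None matches any single byte.
PATTERN_SIGNATURE: List[Optional[int]] = [0x6a, 0x00, 0x68, None, None, None, None, 0xe8]


def hash_detect(sample: bytes) -> bool:
    """Exact-hash lookup: matches only byte-identical copies."""
    return hashlib.sha256(sample).hexdigest() in HASH_SIGNATURES


def pattern_match(sample: bytes, pattern: List[Optional[int]]) -> bool:
    """Sliding-window match of a wildcard byte pattern anywhere in the sample."""
    n = len(pattern)
    for i in range(len(sample) - n + 1):
        if all(p is None or sample[i + k] == p for k, p in enumerate(pattern)):
            return True
    return False


def pattern_detect(sample: bytes) -> bool:
    return pattern_match(sample, PATTERN_SIGNATURE)


def mutate_immediate(sample: bytes, rng: random.Random) -> bytes:
    """Variant 1: change only the 4-byte immediate after the 0x68 opcode.
    Cheap for the attacker; changes the hash, keeps the code shape."""
    i = sample.index(b"\x68")
    new_imm = bytes(rng.randrange(256) for _ in range(4))
    return sample[: i + 1] + new_imm + sample[i + 5 :]


def mutate_padding(sample: bytes, rng: random.Random) -> bytes:
    """Variant 2: append junk bytes.  Same code, different hash."""
    return sample + bytes(rng.randrange(256) for _ in range(rng.randrange(1, 32)))


def mutate_insert_nop(sample: bytes) -> bytes:
    """Variant 3: insert a NOP (0x90) between 'push 0' and 'push imm32'.
    This also breaks the contiguous byte pattern, not just the hash."""
    i = sample.index(b"\x6a\x00\x68")
    return sample[: i + 2] + b"\x90" + sample[i + 2 :]


def detection_rates(n_variants: int = 50, seed: int = 1) -> Dict[str, int]:
    """Run both detectors over n_variants mutated copies; return hit counts."""
    rng = random.Random(seed)
    hits = {"hash": 0, "pattern": 0}
    for _ in range(n_variants):
        v = mutate_padding(mutate_immediate(ORIGINAL_SAMPLE, rng), rng)
        hits["hash"] += int(hash_detect(v))
        hits["pattern"] += int(pattern_detect(v))
    return hits


if __name__ == "__main__":
    print("original  : hash", hash_detect(ORIGINAL_SAMPLE), "pattern", pattern_detect(ORIGINAL_SAMPLE))
    print("50 variants:", detection_rates())
    nop = mutate_insert_nop(ORIGINAL_SAMPLE)
    print("NOP insert: hash", hash_detect(nop), "pattern", pattern_detect(nop))
```

The hash list catches the original and nothing else; the wildcard pattern survives immediate and padding changes but not an inserted NOP. Each step up in attacker effort costs a byte or two, while each step up in defender robustness (hash, wildcard pattern, then emulation or behavioural monitoring) costs far more engineering, which is the asymmetry the bullet above describes.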

Serious problems span the spectrum of cyber security and cyberspace operations, and they are compounded by laws and policies that lag behind rapid technological advancement. Combat is often fought on the seams between two adjoining maps; the same occurs in cyber warfare.  Political and legal seams between governmental organizations give adversaries opportunities to exploit our bureaucratic rigidity.  One expert uses the following analogy: “Cyberspace is the only domain without a primary Service as lead and the only domain in which DOD will not defend the U.S. homeland.  For example, if DOD defended the land domain in the same manner as cyberspace, a Russian land invasion of New Jersey would be fought by U.S. citizens and commercial entities with whatever weapons they happened to possess. DOD would only defend Fort Monmouth and Fort Dix.”  Clearly we have a problem.

Three Facets of Military Vulnerability

Cyber warfare capabilities are quickly becoming a key weapon system–for us and for our adversaries. The popularity, effectiveness, and relatively-low cost of cyberspace weapon systems have spurred a silent cyber arms race.  To better understand the critical implications of cyber warfare specific to the military, we consider three areas:  personal computing devices, garrison computer systems, and deployed computing systems.

At Home

American service members have traditionally considered the homeland as safe.  However, we may be more vulnerable in the cyberspace domain when using personal electronic devices.  Personal computers don’t just contain personal information.  Many service members work on home systems rarely managed to the same standard as military platforms and networks.  Home devices are thus far softer targets.   While modern operating systems are notably more secure than their predecessors, and free antivirus software is available to service members, every system remains vulnerable. 

Social networking sites such as Facebook and LinkedIn compound this risk, as service members and their families disclose sensitive personal information useful for targeted attacks.  Home and public wireless hotspots are notoriously insecure; emerging commercial technologies, such as wireless capability for automobiles, provide new attack vectors.  The security lapses of family members, including web-surfing children, jeopardize entire households.  A service member’s typical home environment is thus easily targeted by even a poorly-resourced attacker, let alone skilled and determined adversaries.

In Garrison

Free from combat’s kinetic threats, garrison life involves training for and recovery from armed conflict.  Networks and workplace computers are professionally managed, using baseline configurations such as the Army Golden Master and host protection suites such as the Host Based Security System (HBSS).  But no computer system is hack-proof.  Phishing attacks are one viable threat.  For example, service members, their families, and veterans were recently subject to a phishing attack using fake emails purporting to come from a popular financial services company.  The emails tricked recipients into opening an attachment that installed malicious software.  An ongoing challenge is the widespread use of personal information to validate user access to official websites and as an easily accessible identifier on many military forms, despite concerted efforts to curb the problem.  In 2011, TRICARE announced a massive breach of personally identifiable and protected health information impacting nearly 5 million military medical patients.  Also in 2011, Pentagon Federal Credit Union admitted that unauthorized access to members’ names, addresses, and account information occurred due to an infected laptop.  Gannett Government Media, publisher of the Army Times, was successfully attacked, compromising personal details of “some users.” Even the military’s CAC system, the backbone of authenticated access, is vulnerable.  In 2012, the Army Times reported Chinese malware that specifically targeted DoD CAC users to access “official use only” files.    Garrison systems present a more difficult, though surmountable, target for attackers.

In Combat

In combat, the military takes extensive force protection measures to protect against kinetic and cyber attack.  However, the pressures of life in a combat zone inevitably force users to weigh the immediacy of mission accomplishment against far less concrete cyber risks.  For example, widespread use of USB thumb drives introduced malicious software into DoD systems, and lost drives have surfaced in local bazaars.  Combat operations require access to sensitive data, and trust is implicit.  Unfortunately, the insider threat, malicious or not, remains.  While malicious insiders are thankfully rare, myriad well-intentioned service members, contractors, and allies cut corners out of a perceived need for expediency.

Malicious software is always pernicious, but deployed forces are particularly vulnerable.  Shared community computers in MWR facilities are a risk.  Foreign shops offer cut-rate bootleg software and movies, sometimes with malicious surprises.  The intensity of deployment diverts service members’ attention away from personal matters back home, making them more vulnerable to identity theft and fraud.  Their families are likewise open to service-related scams, as criminals steal the identities of deployed service members.

Ideal tools for information sharing, mobile devices also pose threats.  The Army intends to issue smart phones to soldiers for use on the battlefield.  While this initiative may have many benefits, these devices will pose a constant concern.  Consider the Abu Ghraib photographs or Marines urinating on a Taliban corpse: easily accessible information technology can yield unintended consequences.

Military robotic systems are also proliferating.  These systems depend on their command and control links and their associated algorithms and computers.    While hardened against attack, they still pose risks.  In this context, cyber security is increasingly critical lest our powerful weapon systems be turned against us.  Vulnerabilities may come from the myriad commercial off-the-shelf components comprising these systems, from designs stolen from defense contractors or from the failings of those working with these systems.                                    

Way Ahead

This article would be incomplete without solutions.  In this section we offer five objectives as a way to support both national and personal security.

Establish a Sense of Urgency

We must embark upon a major transformation to maintain technological supremacy. In effect, we are in step one of Kotter's eight-step change management process: “establishing a sense of urgency.” Therefore, we must identify and examine the challenges and encourage open communication.

The cyber threat is real; the potential impacts, omnipresent. To effect change, we must abandon the current lens we use to view cyber: many still see it as the IT department’s hobby horse. It is everyone’s responsibility because it affects not just our email or access to routine documents, but also our defense supply chain and weapon systems. It threatens our national security.

Fundamental change must be part of our daily discourse. We should discuss the protection of sensitive data at work and home, read privacy statements, and ask financial institutions about safeguarding personal data. We should ask questions about our most vital weapon systems’ vulnerabilities. When leaders show genuine concern for cyber issues, people will respond and change will begin.  Cyber security is fundamentally a leadership issue.

Understand Cyber Concepts and Challenges

Today’s youth will likely understand cyber concepts better than we do—these digital natives already rely on technology for education, news, entertainment, transportation, and social satisfaction. Many senior leaders did not have personal computers until after college graduation.  Likewise, even some of our mid-grade officers lack a basic grasp of cyber concepts, despite their deeper exposure to technology.  A common lexicon and understanding of cyber challenges is crucial; we must develop ourselves and our subordinates to be cyber savvy.

We already implement risk management, so applying it to cyber is natural. Leaders should understand the vulnerabilities of, and the threats to, our networks and systems. We should also know when and how to apply technology; sometimes it’s better to use manual systems instead. Once we understand the risk, we can mitigate the threat. Everyone involved in defense needn’t have a graduate degree in cyber security; but we critically need more than two hours of annual training.

Likewise, we must incorporate cyber threats into training exercises. Commanders and exercise planners have been previously reluctant to insert cyber play because the effects might disrupt an exercise’s kinetic objectives.  As leaders, however, we must ensure our military is trained to operate with varying degrees of degraded network functionality. Though the most technologically-advanced military in the world, can we operate without our gadgets? We should candidly assess our limitations, however painful, and then minimize them. Cyber is an inherent component of warfighting; failing to train as we fight puts us all at risk.

Defend Against Cyber Threats

Cyber defense is inherently problematic because the Internet operates on the principle of openness. Organizational tension always exists between information accessibility and security. We should expect intrusions and learn to respond decisively by isolating breaches and recovering quickly. This requires constant monitoring and coordination at all command levels.  Responses to cyber threats may need to occur at speeds beyond human capacity; thus, automated defensive systems are crucial.

We must also support our unit-level defenders by cooperating with requests for information and not circumventing security mechanisms. Most cyber-related intelligence is highly classified, so we are rarely privy to the whole story.  Everyone must know the symptoms of a cyber attack and understand incident response procedures, so cyber battle drills must be published and rehearsed. Mistakes will happen, but when we find malicious insiders intentionally perpetrating cybercrimes, we must police our own.  We should likewise underwrite honest mistakes and use such occurrences to better educate our organizations.

Defending home computers can be improved, but not guaranteed, by following a few simple rules.  We recommend NSA’s “Best Practices for Keeping Your Home Network Secure.” Additionally, since malicious hackers exploit human weaknesses, they will use social engineering to dupe their targets. We must protect our personal information. Keep life stories off social networking sites lest attackers obtain the information needed to guess passwords, gain access to important accounts, or employ targeted phishing or social engineering attacks.
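To make the last sentence concrete, here is an added example (not from the article, and not part of NSA’s home network guidance) that turns a constructed public profile into an ordered guess list and runs it against a PBKDF2-protected password. The profile, both passwords and the salt are invented, and the PBKDF2 iteration count is deliberately low so the block finishes in seconds; a real system would use a far higher count.

```python
"""Added example (not from the article): how details volunteered on a
social networking profile become a short, high-yield password guess
list.  Profile, passwords, salt and iteration count are all constructed
for this illustration."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# What a targeted attacker might scrape from a public profile (constructed).
PROFILE: Dict[str, List[str]] = {
    "first_name": ["Sam"],
    "pet": ["Rex"],
    "spouse": ["Dana"],
    "hometown": ["Killeen"],
    "team": ["Cowboys"],
    "years": ["1984", "2004", "2011"],   # birth year, wedding, child's birth
}
SUFFIXES = ["", "!", "1", "123", "#"]

# Deliberately low so the example runs quickly; production values are much higher.
ITERATIONS = 10_000


def candidates(profile: Dict[str, List[str]]) -> List[str]:
    """Ordered guess list: each profile word in three case forms, optionally
    followed by a full or two-digit year, optionally followed by a suffix."""
    words = [w for key in ("pet", "first_name", "spouse", "hometown", "team")
             for w in profile.get(key, [])]
    years = profile.get("years", [])
    year_forms = [""] + years + [y[-2:] for y in years]
    out: List[str] = []
    seen = set()
    for w in words:
        for form in (w, w.lower(), w.upper()):
            for y in year_forms:
                for suf in SUFFIXES:
                    cand = form + y + suf
                    if cand not in seen:
                        seen.add(cand)
                        out.append(cand)
    return out


def store(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256, as a reasonable password store would do."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(attempt, digest)


def targeted_guess(profile: Dict[str, List[str]], salt: bytes,
                   digest: bytes) -> Tuple[Optional[str], int]:
    """Try the profile-derived list in order; return (password or None, guesses used)."""
    tried = 0
    for cand in candidates(profile):
        tried += 1
        if verify(cand, salt, digest):
            return cand, tried
    return None, tried


if __name__ == "__main__":
    salt, digest = store("Rex2004!")
    print("profile-derived password:", targeted_guess(PROFILE, salt, digest))
    salt, digest = store("correct horse battery staple")
    print("unrelated passphrase     :", targeted_guess(PROFILE, salt, digest))
```

The profile-derived password falls within a dozen guesses even though the hash is salted and iterated, while the unrelated passphrase survives the whole list. Hashing strength never enters into it: the raw material for the guess list was volunteered online, which is exactly why the paragraph above says to keep it off social networking sites.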

Shape the Development of Military Doctrine, Organizations, and Strategies

Cyber Operations is in its infancy. We all can shape our future organization.  There’s much work to be done nationally to identify appropriate organizational constructs across the federal government, with state and local partners, and with private industry. Some military organizations responsible for operating and defending the cyberspace domain have barely articulated their mission statements, so we should collectively discuss structures, doctrine, and strategies crucial for success.

We should smartly leverage existing talent found in academia, industry, non-profits, and the hacker community, remembering the multifaceted nature of the cyberspace domain. Improving the processes and technology to defend our networks won’t suffice. We must better understand how weapon systems—tanks, airplanes, ships, and satellites—think and function, which requires cooperation with organizations and people outside the usual defense industrial base.

Manage the Cyber Workforce

People are the key, so we must define and cultivate an elite cyber workforce.  Fortunately, progress is ongoing.  As an example, the National Initiative for Cybersecurity Education (NICE) leadership plan identifies 43 different skills in seven cyber-related areas. Human resource professionals should recognize these newly-defined skills and create new military and civilian career paths. 

Our existing workforce can learn new skills, but our future rests with tomorrow’s leaders. In raw numbers, we are demographically and culturally disadvantaged: China has more honors students than we have students, and America’s youth rank dismally low in math and science compared to other industrialized countries.  Our schools must revitalize Science, Technology, Engineering, and Math (STEM) programs.  We must foster the emerging cyber warrior’s lifespan, from early identification and nurturing to career-long professional development in the military and through post-military service. As we nurture this cyber workforce, we must incentivize existing talent to support our national objectives.

Conclusions

We have become desensitized to daily news of computer security lapses.  Today we witness an increase in attacks ranging from minor inconveniences to cyber events arguably akin to acts of war.  Whether these battles are fought through proxies or by nation-states, cyber warfare escalation is here, and we must take it seriously.  But cyberspace operations can also provide us unprecedented advantage.  Leaders of all military ranks must facilitate the necessary change forced upon us by this man-made operational domain.  Our nation’s landscape and modern warfighting have fundamentally changed.

We have painted a candid picture of the challenges we face in the cyberspace domain.  The promise, potential, and ever-presence of cyber are undeniable: it touches nearly every facet of our lives.  Today’s decisions will shape our nation’s prosperity, our military’s strength, and the quality of our children’s lives.  Cyber is not simply a one-off problem, like the Y2K bug, but instead represents a fundamental shift in warfighting.  We have the opportunity to do it right, but the change required will take considerable debate, cooperation, and ultimately, decisive action.


The views expressed in this article are the authors’ and do not reflect the official policy or position of West Point, Army Cyber Command, Department of the Army, Department of Defense, or US Government.

About the Author(s)

Colonel Gregory Conti is a Military Intelligence Officer and Director of West Point's Cyber Research Center. He holds a Ph.D. from the Georgia Institute of Technology, an M.S. from Johns Hopkins University and B.S. from West Point. He has served as an advisor in US Cyber Command Commander’s Action Group (CAG), as Officer in Charge of US Cyber Command’s Expeditionary Cyber Support Element in support of Operation Iraqi Freedom, and co-developed US Cyber Command’s Joint Advanced Cyber Warfare Course.

Colonel John Nelson is a Signal Officer and an Academy Professor in the Department of English and Philosophy at West Point.  Colonel Nelson has a Ph.D. from the University of Washington, an M.A. from Oregon State University, and a B.S. from West Point.

Major Jacob Cox is a Telecommunications Engineering Officer and Information Technology Instructor for West Point’s Department of Electrical Engineering and Computer Science. He holds an M.S. from Duke University and a B.S. from Clemson University. He has served in communication-related positions in U.S. Army Training Command and 2nd Infantry Division.   

Lieutenant Colonel Jon Brickey is an Information Systems Officer and the Army Cyber Command Fellow at the Combating Terrorism Center, West Point. He holds a B.S. from West Point, an M.S. from the Naval Postgraduate School, and a Ph.D. from the University of Colorado Denver. He has held leadership positions in cyber-related programs at the National Security Agency, USNORTHCOM, and USARCENT.

Comments

meanwhile

Wed, 09/19/2012 - 2:44pm

I also want to add that I'm terrified by the apparent fact that the US's cyberwarfare experts aren't smart enough to verify in any way whatever that the US isn't receiving CPUs etc that aren't compromised at the hardware level. It's not like a first pass solution is hard to come up with: how a chip behaves is dependent on the arrangement of transistor gates upon it, and this can be inspected with an electron microscope. So you randomly take chips being delivered, EM scan them, and then probably hand the task of comparison over to a piece of software. This will probably be a job for a decent computer cluster with specially written software - but we're talking less than a paintjob for an F22, not a justification for cyber WW3.

meanwhile

Wed, 09/19/2012 - 2:37pm

Gandhi -

There are 3 responses to that:

1. A journal article should not be a marketing piece; if a figure is dubious, then the authors should be honest about it

2. Using a debunking of an impossibly high figure as a source for a high figure is simply risible and reflects poorly on both the competence and honesty of the authors

3. Politicians and their aides do a lot of stupid and dishonest things.

meanwhile

Sun, 09/16/2012 - 11:54am

As for the two of the other attacks mentioned, sheer stupidity does not equal a vast cyberthreat requiring cyberwar and cyberpork - it's just stupidity, and requires the usual response, which is that you stop being stupid. And, yes, transmitting TV feed from a drone in unencrypted form is extremely stupid. Ditto the complete lack of common sense in the design of the software that let the Iranians spoof the drone they brought down.

And that really is all that is being used to justify the cyberwarfare hype:

- The inappropriate use of OS's with poor security

- Some faked figures for damages

- Some easily prevented minor incidents that would more aptly justify a "Think!" campaign than hundreds of billions of dollars of pork.

meanwhile

Sun, 09/16/2012 - 11:15am

Remember those Marine officers who lied about the Osprey? Or that kid in Gulf 1 who lied on camera and claimed that his squadron's gunships were at an unbelievable +90% availability? Well, I just checked a second link. According to the paper's authors this link is supposed to prove that cybercrime does one trillion dollars worth of damage a year. But when you read it you get this:

>>>>>>>
http://www.economist.com/node/21532263

BIG numbers and online crime go together. One well-worn assertion is that cybercrime revenues exceed those from the global trade in illegal drugs. Another nice round number is the $1 trillion-worth of intellectual property that, one senator claimed earlier this year, cybercriminals snaffle annually.

It is hard to know what to make of these numbers. Online crooks, like their real-world brethren, do not file quarterly reports. In the absence of figures from the practitioners, experts tend to fall back on surveys of victims, often compiled by firms that sell security software. These have a whiff of self interest about them: they are the kind of studies that get press released but not peer reviewed.

A paper by two researchers at Microsoft, Dinei Florencio and Cormac Herley, shows why: because losses are unevenly distributed. Most people never have their bank accounts raided by cyber criminals, but an unfortunate few do, and lose a lot. This means that per capita losses, which the surveys calculate before extrapolating to a national figure, are dominated by a handful of big online heists. Errors in the reporting of such infrequent crimes have a huge effect on the headline figure. In a 1,000-person survey in America, for example, exaggerating the impact of a single crime by $50,000 would add $10 billion to the national figure.

...Such hauls fall well short of extravagant claims from the security industry that some spammers make millions every day. Stefan Savage, Mr Kanich's PhD supervisor, says that the security industry sometimes plays “fast and loose” with the numbers, because it has an interest in “telling people that the sky is falling”.

None of this means that the threat of cybercrime can be written off as pure invention, or that people should turn off their spam filters. But in the grand scheme of criminal threats, hacker kingpins do not appear to be on a par with Colombian drug lords—even if the security industry would wish it otherwise.
<<<<<<<

I.e. their respectable looking source for their one trillion dollar figure is one that DEBUNKS that figure as a hoax.

PeteEllis

Wed, 09/19/2012 - 9:32pm

In reply to by meanwhile

I concur with everything you said. Whenever I read one of these articles it always seems like they avoid discussing the obvious things that could be done to stop an enemy from infiltrating computer networks. One suggestion is to make Deep Packet Inspection (DPI) ubiquitous on all our networks, civilian and military! Given our advancing ability to use pattern matching techniques to find packets that contain things we do not want them to contain and build hardware that is fast enough so that the inspection goes unnoticed, I am perplexed as to why this is not being done already. DPI networks could be built that use operating systems and network protocols that are not used anyplace else. The DPI network would act as a sentry system for the internet and military networks and theoretically prevent most of the problems we are now experiencing. Expensive but fairly straightforward to implement.

meanwhile

Sun, 09/16/2012 - 11:08am

From virtually the first link these shills give:

"the article still doesn’t uncover anything that justifies the hyperbole that the government has used for this breach since it was first uncovered."

The truth is that these people are not seriously interested in defending against a cyberthreat, only in spending money. Because if they were genuinely concerned then Windows, with its inherently poor security model, would be banned for military use - and probably banned for use by ISPs.

Explaining the technical problems with Windows would require several pages, but the difference in security outcome between it and even standard Linux is easily explained:

- The most valuable hacker targets are ISP servers, because of their huge bandwidth and consequent ability to attack other machines. These hijacked servers are the backbone of the botnets used for DoS attacks, password cracking, and data theft.

- Most of these machines, the most valuable targets there are, run Linux. But not one Linux server has ever been taken by malware - compared to literally thousands of Windows servers. Malware isn't magic; it has to go through holes that exist inside the OS. By design Windows is full of these holes. For example:

>>>>>>>>
http://www.theregister.co.uk/2004/10/22/security_report_windows_vs_linu…

RPC stands for Remote Procedure Call. Simply put, an RPC is what happens when one program sends a message over a network to tell another program to do something. For example, one program can use an RPC to tell another program to calculate the average cost of tea in China and return the answer. The reason it’s called a remote procedure call is because it doesn’t matter if the other program is running on the same machine, another machine in the next cube, or somewhere on the Internet.

RPCs are potential security risks because they are designed to let other computers somewhere on a network to tell your computer what to do. Whenever someone discovers a flaw in an RPC-enabled program, there is the potential for someone with a network-connected computer to exploit the flaw in order to tell your computer what to do. Unfortunately, Windows users cannot disable RPC because Windows depends upon it, even if your computer is not connected to a network. Many Windows services are simply designed that way. In some cases, you can block an RPC port at your firewall, but Windows often depends so heavily on RPC mechanisms for basic functions that this is not always possible. Ironically, some of the most serious vulnerabilities in Windows Server 2003 (see table in section below) are due to flaws in the Windows RPC functions themselves, rather than the applications that use them. The most common way to exploit an RPC-related vulnerability is to attack the service that uses RPC, not RPC itself...
<<<<<<<<<<<<<

SELinux is more secure again, and an even more secure version of Linux could be written that runs the OS and apps entirely from ROM. But no one in the military shows any interest in this - it would mean annoying the Microsoft lobbyists (and I have nothing against Microsoft - many of their technologies are excellent, they just don't fit into a high security environment) and losing an excuse for the modern US military's main activity - i.e. spending enormous amounts of money for no sane reason.