Defensive and offensive cyber warfare capabilities are growing to meet dangerous new cyber threats from national adversaries and shadowy terrorist groups, as military command structure evolves to meet tomorrow's cyber challenges.
By J.R. Wilson
Cyber not only is the global fifth domain of war, but it also is the newest and most difficult to define, track, keep ahead of, or defend against, as well as the easiest to enter. All this makes crafting strategies and developing enabling technologies infinitely more difficult for next-generation cyber warfare than doing the same for the air, land, sea, and space domains.
Cyber's pervasiveness across air, land, sea, and space warfare elevates it to a level of discussion, development, threat, and counter-threat previously unseen in military and law enforcement planning. For the past 15 years, virtually every military, government, and industry entity has created dedicated cyber commands, subcommands, offices, agencies, units, and departments - mandated by the inexorable digitization of every aspect of life on Earth.
"Beyond impacting data, systems, and networks, adversarial operations in the fifth domain have the potential to negatively affect operations in the other four domains," notes Troy Johnson, director of the U.S. Navy Cybersecurity Division. "As a result, the Navy is committed to improving its cyber security. Toward this end, the Navy established Task Force Cyber Awakening [TFCA] in 2014 to improve cyber security after its network was compromised the previous year. The mission of the task force was to take a comprehensive look at the Navy's cyber security and make changes to improve its defenses.
"TFCA established priorities for protecting the Navy based on recommendations from industry, the cyber security community, and stakeholders. Using these priorities, the task force evaluated hundreds of funding requests for addressing vulnerabilities, which resulted in $300 million being set aside in 2016 for solutions that strengthened the Navy's defenses and improved awareness of its cyber security posture."
The Navy Cybersecurity Division was created by the Chief of Naval Operations in September 2015 to continue the transformation started by TFCA. The new division oversees the Navy's approach to cyber security by developing strategy, ensuring compliance with cyber security policy, and advocating for cyber security requirements. One TFCA-identified funding priority is for control points that allow the Navy to isolate portions of the network after a breach is detected. Johnson compares it to watertight compartments on a ship, with cyber control points allowing the Navy to limit the impact of a compromise and keep adversaries from moving to other targets in the network.
Limiting connectivity
"These control points will also allow the Navy to selectively limit connectivity for parts of the network if increased cyber activity from adversaries is expected, similar to how ships set different material conditions of readiness," Johnson adds. "The task force also formed a Navy-wide group to implement the CYBERSAFE Program, which is modeled after SUBSAFE, the rigorous submarine safety program begun after the loss of the Permit-class fast-attack submarine USS Thresher in 1963.
"CYBERSAFE will harden a critical subset of warfighting components, which could be certain computer systems or parts of the network. [It also] will apply more stringent requirements to these components before and after fielding to ensure they can better withstand attempted compromises. CYBERSAFE will also require changes in crew proficiency and culture to implement these requirements."
The Navy also maintains that technical solutions alone cannot provide complete protection. Key contributors to naval defense in the future include the cyber security, professional, and general workforce.
"I still use the term 'defense-in-depth' - there is no single technology that provides holistic defense-in-depth," says Ralph Havens, president of Infoblox Federal. "Infoblox specifically addresses DNS [Domain Name System] security on the network, that known hole where information can provide internal and external threat detection and prevention on that service as part of a much larger defense-in-depth effort on your network.
"Is the global enterprise more at risk tomorrow than it was yesterday? Certainly. With the evolution of our military capabilities, the pervasiveness of global growth has opened up the number of entry points. The more bandwidth, devices, and mobility, the greater the offensive threat and need for defense against those threats. Anybody with a computer and an intent can present an offensive threat in cyber warfare."
According to the "2014 National Intelligence Strategy Roadmap," cyber is one of four primary missions of the U.S. Intelligence Community (IC). At the core is cyber intelligence: the collection, processing, analysis and dissemination of information from all sources of intelligence on foreign actors' cyber programs, intentions, capabilities, research and development, tactics, and operational activities and indicators - all of which potentially impact national security, information systems, infrastructure, and data. On the offensive side, they can provide insight into the components, structures, use, and vulnerabilities of foreign information systems.
Cyber primary mission
"State and non-state actors use digital technologies to achieve economic and military advantage, foment instability, increase control over content in cyberspace, and achieve other strategic goals - often faster than our ability to understand the security implications and mitigate potential risks. To advance national objectives, customers increasingly rely upon the IC to provide timely, actionable intelligence and deeper insights into current and potential cyber threats and intentions," the Roadmap says.
"The IC also provides needed expertise to defend U.S. government networks along with other critical communications networks and national infrastructure. To be more effective, the IC will evolve its cyber capabilities, including our ability to attribute attacks. The IC will focus on identifying trends and providing the context to improve our customers' understanding of threats, vulnerabilities, and impact."
Vice Adm. Jan E. Tighe, commander of the U.S. Fleet Cyber Command and Tenth Fleet, says recent world events have underscored the two-edged quality of cyberspace. "Our adversaries are flexing their muscles and have proven the vulnerability of our assets - governmental, commercial, academic and military - posing serious risks to our nation's security and missions that we as a navy are executing around the globe every day. Because of these facts, this strategic plan emphasizes the warfighting aspects of this command, offensive and defensive, while still recognizing the significant ways in which other warfighters rely on our effectiveness in the confluence of cyberspace, the electromagnetic spectrum and space," she wrote in the foreword to the "10th Fleet/NavCyberCom Strategic Plan 2015-2020."
"New warfighting platforms do not spring full-grown from their technical roots. They may appear initially as interesting oddities, such as the first submarines. They may even start as enablers, such as aviation's early reconnaissance balloons. Eventually, though, in the hands of innovative operators, they turn a corner to realize their full potential: They become formidable warfighting platforms, which must be vigorously defended, as well as employed to strike adversaries when needed. The military that grasps this turning point soonest is the one that seizes the advantage."
Strategic goals
The strategic goals outlined in the plan, while designed for the Navy, are generally applicable across the services:
Goal 1: Operate the network as a warfighting platform
Goal 2: Conduct tailored signals intelligence
Goal 3: Deliver warfighting effects through cyberspace
Goal 4: Create shared cyber situational awareness
Goal 5: Establish and mature Navy's cyber mission forces
As described by the Navy's Strategic Plan: "With the advent of cyberspace as an operational domain of war, it is insufficient to focus solely on peer nation-state competitors - those simple days are no longer with us. Current and evolving threats now extend from a growing grab bag of bad guys that include criminal organizations, lone wolves, surrogates, research entities, front companies, insiders, and nation-states. The sheer number of these actors, and the increasing blur between them, presents a complex challenge. Not only is attribution harder, but also potential loss of control of malware by one cyber actor becomes an opportunity for another.
"These factors combine to increase the fog and friction in cyberwar and lead to mistakes that could result in uncontrolled or unintended escalation of hostilities. The threats that concern us aren't mere 'cyber-mischief' or pesky 'spy vs. spy' activity. As recent events have made clear, the rising tide of information technology propels unpredictable world events. Data compromise and information loss - military, government, industrial, and academic - threaten our economy and our way of life, directly and through the danger they pose to international security, thereby affecting U.S. interests worldwide."
Acknowledging that, Lockheed Martin Cyber Solutions (LMCS) terms its approach to advanced global cyber security as "full spectrum cyber capability," designed to address asymmetric and advanced persistent threats from defensive to exploitive to attack.
"To address offensive and defensive [requirements] across all five domains, we integrate the full spectrum of cyber capability into everything we do as we develop platforms and systems for our customers, from the kinetic to the non-kinetic, the advanced persistent threat piece," says LMCS Vice President Deon Viergutz. "Customers are moving to what we call intelligence-driven defense, the cyber kill chain - a 7-step approach to identify, track, and thwart threats." Key to that is providing COCOMs and deployed units with dual purpose tool kits that can address offensive and defensive requirements, rather than mission-specific tools for each.
Convergence of systems
"We look at the convergence of systems, the way in which information is gathered, where you take traditional SIGINT, cyber, and so on and converge those into a single set of capabilities. And that, we believe, is the future of cyber warfare," Viergutz says. "As we develop capabilities, from a cyber perspective, we're building weapons and launchers, as well as cyber control and situational awareness tools to do BDA in a cyberspace environment.
"When cyber was declared a fifth domain, giving DOD responsibility to train, plan, and equip brought additional need for capabilities. The defensive state-of-the-art, in which Lockheed Martin has invested for some time, is cyber protection of platforms and systems. As we develop SOTA aircraft and ships and missile systems, we also integrate into those what we call 'cyber inside'. From a defensive perspective, protecting against potential attack vulnerabilities, but also, where there is a need, to enable offensive capability as well."
Infoblox Federal's Havens agrees: "It is tremendously important that all aspects of the network be secured to the best of anybody's ability. Offensive cyber threats change and evolve on a very rapid basis and our ability to defend against them needs to evolve ahead of those. In a forward deployed state, you often don't have redundant systems, so it is extremely important to have defense in depth and ensure all your assets are secure."
In many respects, cyber has been around a long time and under different names - information assurance, electronic warfare, etc. Cyber is an integral part of the 21st Century national fabric and culture, from how systems are engineered, developed, deployed, and sustained to how they can be enabled by cyber capability to project power and to defend against cyber threats.
In addition to U.S. CYBERCOM's 6200 cyber warriors, the defense industry is a force multiplier, developing required capabilities and transferring innovative capabilities developed to defend its own networks as well as those of commercial interests.
"Going forward, it will be important that the technologies warfighters have are multipurpose, converged, enable situational awareness of the battlespace on a more global scale. We like to say we no longer fight in only one domain; we now fight in a multi-domain environment. Those capabilities have to be delivered quickly. You can't wait five years - cyber capabilities need to arrive tomorrow," Viergutz says. "When warfighters are called into future conflicts, I think they will go with an integrated toolset and capabilities, and will need systems that can go from defense to offense. Envision signals warfare, cyber, and EW converged into a single capability, operating in a multi-domain space."
Cyber as part of warfare
The use of cyberspace to pursue political goals and seek geostrategic advantage is rapidly increasing worldwide, according to Jarno Limnéll, director of cyber security at McAfee, in the August 2014 online issue of Breaking Defense. However, he warns, as the U.S. and NATO look to next-generation cyber warfare systems, they cannot risk misconstruing it as an independent and separate form of war.
"Nation-states are pouring massive amounts of money into developing technological capabilities and hiring skilled people. There are already about 35 countries with the capabilities and doctrines to conduct offensive cyber operations. The world is moving toward a greater strategic use of cyber weapons. The reality is if you want to be a credible player in world politics, in economics, and on the battlefield, you must possess strong cyber capabilities," Limnéll wrote.
"The increasing importance of cyber is a phase in normal evolution. Societies, in their daily activities as well as in warfare, are ever more dependent on digitally connected infrastructure. NATO operations rely heavily on cyber-enabled networks. Therefore, cyber needs to be taken seriously as a strategic issue, but not exaggerated as revolutionary.
"Cyber is understood too often as a standalone approach to security and warfare, unconnected to traditional means of defense. The primary challenge is to integrate cyber into a broader strategic and operational concept, for defense and offense. It is a challenge more cultural than technical. We have to keep in mind that there will never be a 'pure cyberwar' and cyber operations should not be separated from the broader context of war. Cyber will be a significant part of all wars and conflicts."
Unlike all previous advances in military technologies, private industry, not governments or the military, is at the core of investment, research, and development, says Daniel Goure, vice president at the public-policy research organization Lexington Institute. It requires a new strategy to counter the use of cyber weapons by state and non-state actors.
Private sector takes the lead
"First, the rate of change in cyber security technology and methods is concentrated in the private sector. Second, most of the critical infrastructure that requires protection from cyber attacks is in private hands, too. Third, military institutions, actually governments in general, are just too slow at understanding the rapidly changing state-of-the-art technologies and acquiring cyber capabilities. Finally, many of the people who make the best cyber warriors are the least suitable for membership in a hierarchical, rules, and tradition-driven organization - even if they could pass the physical," Goure maintains.
Private companies in the United States, Israel, the United Kingdom, Sweden, and Finland are at the forefront of developing the technologies, organizations, trained personnel, and strategies for engaging on this new battlefield, Goure says. Those companies fall into a variety of niches - major defense contractors, such as Lockheed Martin, BAE Systems, and General Dynamics; smaller, more specialized defense-oriented operations, such as ManTech and Kingfisher Systems; and primarily commercial cyber security software and service entities, such as McAfee.
"In this field, these companies have proven to be agile and innovative. They have a vast array of tools, methods and strategies for dealing not only with external attacks but the more insidious and probably more dangerous insider threat. Because no single technique, program, or data base will provide a complete solution to the cyber threat, there is a need for an array of solutions that can provide a layered defense capability," Goure says. "There are also policy, strategy, and legal issues regarding cyber warfare to be addressed with U.S. allies. If Russia moves against Ukraine, NATO may find itself under cyber attack from shadowy groups. Can the Alliance defend itself against such attacks and how will it respond? It would be wise to know the answers before the next war starts."
Crippling disruption
As stated in the Navy's cyber strategic plan: "In all senses, information disruption is crippling. Whether it stems from malfunction or malevolence is moot. The results are the same: loss of freedom of action, loss of prosperity, increased operational risk and, at worst, damage to property, injury, or death. In this environment, we face paradoxical challenges. Explosive advances in technology and complex systems of trade, information, and security force us to confront an old problem: how to drink from a fire hose. The volume of data and the speed at which we receive it can be overwhelming. And empowering.
"Success in the cyber domain requires vigilance; it requires that we constantly monitor and analyze Navy information systems, their availability and vulnerabilities, and any suspicious or malicious activity on these systems. In the next five years, we will expand our current capabilities to include a more robust, globally populated, and mission-tailorable cyber common operating picture (COP)."
In 2009, the DOD responded to the growing cyber challenge by establishing the joint-service U.S. Cyber Command, co-commanded by the Director of the National Security Agency. USCYBERCOM quickly determined the need for a Cyber Mission Force (CMF) to complement existing defensive and cyber operational forces. By 2018, the developing CMF will consist of 133 manned, trained and equipped elite cyber teams: 13 National Mission Teams, 68 Cyber Protection Teams, 27 Combat Mission Teams, and 25 Cyber Support Teams.
The National Mission Forces are tasked with defending the nation's infrastructure from cyber attacks by seeing adversary activity, blocking attacks, and maneuvering to defeat threats. The Protection Forces will defend and secure the DOD Information Networks (DODIN) and, when authorized, other infrastructure. The Combat Mission Forces will support combat commanders' planning and, when authorized, deliver cyber effects. The Support Teams provide analytic and planning support to the National Mission and Combat Mission teams.
Military cyber commands
USCYBERCOM Deputy Commander Air Force Lt. Gen. James McLaughlin says all teams will be at initial operating capability by the end of 2016 and at full operational capability by the end of 2018.
USCYBERCOM has directed each of its service components - Army Cyber Command, Fleet Cyber Command, Air Force Cyber Command, Marine Forces Cyber Command, and Coast Guard Cyber Command - to establish the teams that will compose the CMF. Although subordinate to the Department of Homeland Security, CGCYBER has a direct support relationship to USCYBERCOM.
"What's really driving companies and the government is that cyber has to be a key part of their missions. Companies and government agencies now accept that they are susceptible to cyber attacks, which will come - they need to be ready for those," Viergutz says. "As we recognize the threat to our global supply chain, it's critical that we drive a lot of our best practices in cyber protection into that supply chain. New rules are being established, with the intent of bringing everyone up to a level of at least minimal capability."