Cyber warfare isn’t hype; it’s real. America’s decisive technological advantage now contains the seed of our undoing. Our technological dependence is woven into the fabric of our way of life and our national defense. GPS satellites guide troops and weapon systems, algorithms fly aircraft and allocate supplies, websites drive personnel assignments and promotion boards, and official and personal data and voice communications almost exclusively transit computer networks. If these critical networks begin to fail, we aren’t a twenty-first century fighting force; we are a 1980-era military. This estimate is generous. In 1980, we knew how to fight using face-to-face communications, manual land navigation, analog radios, and acetate overlays. Today is different. Information technology has largely kept its allure of dramatically increased efficiency at low cost. Thus, we no longer have “stubby pencil” warfighting skills or the extra personnel to handle these myriad manual tasks.
American society sits even more precariously. Over the past twenty years, we have gradually discarded the manual systems that ran our infrastructure, replaced by fragile, but more efficient automated systems. The lingering elements of our pre-Internet life—such as the Postal Service, paper currency, and land line telephones—are becoming extinct. Our entire economy is comprised of data stored in financial systems, as are our identities and the nation’s crown jewel: intellectual capital. We aggressively chase technology’s promised gains, such as smart electric grids, pilot-less aircraft, electronic voting, and cloud computing. Technological dependence is ubiquitous. Ironically, while the average teenager has matured in a country where “online" is as commonplace as hot water, technically-expert senior military leaders are scarce.
This paper will examine cyber warfare’s threat, clearly explain its import to the military professional, and suggest a way ahead. Stories of isolated security incidents surface daily, but are quickly forgotten. We thus seek to present a compelling case for cyber security that will garner informed support and motivate action within our military. This isn’t just a problem for communications and intelligence specialists. The cyber security problem we all face is unprecedented; we can only get it right through teamwork.
Cyber operations will occur in cyberspace, but what is “cyberspace?” We use the definition found in National Security Presidential Directive 54: the “interdependent network of information technology infrastructures, [including] the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries.”
The Threat Landscape
The following examples highlight the daily threat:
- This year researchers discovered malicious software, circulating since 2011, that captures PIN numbers and hijacks DoD smart cards, allowing attackers access to CAC card protected systems.
- Disclosed in 2011, McAfee researchers uncovered a massive five-year hacking campaign, dubbed Operation Shady RAT, which infiltrated more than 70 companies, governments, and non-profit organizations in 14 countries.
- In 2011, NASDAQ officials discovered that their network contained software that spied on directors of publicly-held companies.
- Iran may have used cyber capabilities to capture a US drone by jamming its GPS guidance system and the Air Force recently discovered a virus in the remote cockpits of its drone fleet. In 2009, militants used a $26 software package to capture Predator surveillance video. Currently almost 1 in 3 U.S. warplanes is a robot.
- RSA Security, a leading provider of cryptographic systems, was attacked in 2011; extremely sensitive information regarding its SecurID system was stolen. This information likely facilitated successful follow-on attacks against major defense contractors. Next generation weapon system plans were a probable target.
- As much as $1 trillion of intellectual property is stolen each year; some experts claim online crime revenues may now exceed the global drug trade.
- Also in 2011, attackers infiltrated Sony’s massive online gaming network stealing personal information for approximately 100 million accounts.
- In 2009, Google disclosed it and at least 20 other companies were subject to a sophisticated attack targeting the source code that underpins many sensitive systems.
- In the 2009 GhostNet compromise, approximately 1,300 computers were infiltrated in 103 countries. Targets included embassies and government officials.
- In 2008, malicious software seriously compromised air-gapped classified military networks.
- In 2007, the Office of the Secretary of Defense’s email system was compromised and thus forced offline to stem the damage.
These events presage a devastating cyber security event that threatens our way of life. An equally dangerous alternative is if thousands of cyber attacks sap American innovation and commerce without reaching the threshold to spur significant government response. Technology enables us to defeat a numerically-superior enemy. We have enjoyed information dominance since, at least, the Persian Gulf War. However, our adversaries—from lone malicious hackers and terrorist groups to organized online crime rings and nation states—are active in cyberspace and turning this greatest strength against us.
The nationwide investment in cyber security and the formation of U.S. Cyber Command and service component cyber commands signal a national awakening to this threat. In a 2009 address, President Obama argued that the “cyber threat is one of the most serious economic and national security challenges we face as a nation.” General Keith Alexander, Commander of U.S. Cyber Command, stated that current DoD networks are “not defensible.” During his confirmation hearings, Secretary of Defense Leon Panetta stated, “There is a strong likelihood that the next Pearl Harbor that we confront could very well be a cyber-attack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems. This is a real possibility in today's world.” We wholeheartedly agree.
No Easy Solution
The best defensive techniques might slow a determined adversary, but will ultimately fail. Ad hoc technical solutions aren’t the answer. Consider the following:
- Most military computing systems rely on distrusted components. In particular, America possesses a very limited capability to manufacture advanced microchips; rigorously validating foreign manufactured circuitry is impossible, except in small numbers. Additionally, adversaries can compromise a system anywhere along the supply chain. Thus, many computing systems rest on a precarious foundation.
- A single trusted insider, turned bad, can have devastating consequences, particularly when empowered by today’s technology which enables rapid and high volume collection and dissemination of sensitive data. Consider the recent WikiLeaks debacle.
- Digital information is slippery. Divulged sensitive data is likely permanently compromised. For example, although Pentagon policies forbade DoD personnel from accessing WikiLeaks data, already widely available on the Internet, they did little to curb global access.
- Antivirus systems are only a partial solution and cannot keep pace with rapidly evolving malicious software variations. A determined attacker can easily bypass antivirus protections. Powerful new exploits are available in underground markets for about $100,000, sometimes for much less.
- A few vendors provide most of our hardware and software. Thus, targeting a single flaw can compromise countless machines.
- Isolated networks don’t guarantee security. Attackers have developed weaponized software that hops networks and patiently awaits inevitable security lapses, like the Stuxnet virus, which used USB storage devices to access sensitive systems.
- Security experts are in critically short supply. While initiatives to recruit, develop, utilize, and retain qualified personnel continue, the military’s kinetic warfighting culture may resist supporting these programs.
Severely dangerous problems span the spectrum of cyber security and cyberspace operations and are compounded by laws and policies that lag behind rapid technological advancements. Often combat is fought on the seams between two adjoining maps; the same occurs in cyber warfare. Political and legal seams between governmental organizations provide opportunities to exploit our bureaucratic rigidity. One expert uses the following analogy: “Cyberspace is the only domain without a primary Service as lead and the only domain in which DOD will not defend the U.S. homeland. For example, if DOD defended the land domain in the same manner as cyberspace, a Russian land invasion of New Jersey would be fought by U.S. citizens and commercial entities with whatever weapons they happened to possess. DOD would only defend Fort Monmouth and Fort Dix.” Clearly we have a problem.
Three Facets of Military Vulnerability
Cyber warfare capabilities are quickly becoming a key weapon system–for us and for our adversaries. The popularity, effectiveness, and relatively-low cost of cyberspace weapon systems have spurred a silent cyber arms race. To better understand the critical implications of cyber warfare specific to the military, we consider three areas: personal computing devices, garrison computer systems, and deployed computing systems.
American service members have traditionally considered the homeland as safe. However, we may be more vulnerable in the cyberspace domain when using personal electronic devices. Personal computers don’t just contain personal information. Many service members work on home systems rarely managed to the same standard as military platforms and networks. Home devices are thus far softer targets. While modern operating systems are notably more secure than their predecessors, and free antivirus software is available to service members, every system remains vulnerable.
Social networking sites such as Facebook and LinkedIn compound this risk, as service members and their families disclose sensitive personal information useful for targeted attacks. Home and public wireless hotspots are notoriously insecure; emerging commercial technologies, such as wireless capability for automobiles, provide new attack vectors. The security lapses of family members, including web-surfing children, jeopardize entire households. A service member’s typical home environment is thus easily targeted by even a poorly-resourced attacker, let alone skilled and determined adversaries.
Free from combat’s kinetic threats, garrison life involves training for and recovery from armed conflict. Networks and workplace computers are professionally managed using baseline system configurations such as Army Golden Master and the Host Based Security System (HBSS). But no computer system is hack-proof. Phishing attacks are one viable threat. For example, service members, their families, and veterans were recently subject to a phishing attack using fake emails purporting to come from a popular financial services company. The emails tricked recipients into opening an attachment that would initiate malicious software. An ongoing challenge is the widespread use of personal information to validate user access to official websites and as an easily accessible identifier on many military forms despite concerted efforts to curb the problem. In 2011, TRICARE announced a massive breach of personally-identifiable and protected health information impacting nearly 5 million military medical patients. Also in 2011, Pentagon Federal Credit Union admitted that unauthorized access to members’ names, addresses, and account information occurred due to an infected laptop. Gannett Government Media, publisher of the Army Times, was successfully attacked, compromising personal details of “some users.” Even the military’s CAC system, the backbone of authenticated access, is vulnerable. In 2012, the Army Times reported a Chinese virus that specifically targeted DoD CAC card users to access “official use only” files. Garrison systems present a more difficult, though surmountable, target for attackers.
In combat, the military takes extensive force protection measures to protect against kinetic and cyber attack. However, the pressures of life in a combat zone inevitably force users to weigh the immediacy of mission accomplishment against far less concrete cyber risks. For example, widespread use of USB thumb drives introduced malicious software into DoD systems and lost drives have surfaced in local bazaars. Combat operations require access to sensitive data, and trust is implicit. Unfortunately, the threat of a malicious or non-malicious insider threat remains present. While malicious insiders are thankfully rare, myriad well-intentioned service members, contractors, and allies cut corners due to perceived need for expediency.
Malicious software is always pernicious, but deployed forces are particularly vulnerable. MWR facilities risk hosting shared community computers. Foreign shops offer cut-rate bootleg software and movies, sometimes with malicious surprises. The intensity of deployment diverts service members’ attention away from personal matters back home, making them more vulnerable to identity theft and fraud. Their families are likewise open to service-related scams, as criminals steal identities of deployed service members.
Ideal tools for information sharing, mobile devices also pose threats. The Army intends to issue smart phones to soldiers for use on the battlefield. While this initiative may have many benefits, these devices will pose a constant concern. Consider the Abu Ghraib photographs or Marines’ urinating on a Taliban corpse: easily-accessible information technology can yield unintended consequences.
Military robotic systems are also proliferating. These systems depend on their command and control links and their associated algorithms and computers. While hardened against attack, they still pose risks. In this context, cyber security is increasingly critical lest our powerful weapon systems be turned against us. Vulnerabilities may come from the myriad commercial off-the-shelf components comprising these systems, from designs stolen from defense contractors or from the failings of those working with these systems.
This article would be incomplete without solutions. In this section we offer five objectives as a way to support both national and personal security.
Establish a Sense of Urgency
We must embark upon a major transformation to maintain technological supremacy. In effect, we are in step one of Kotter's eight-step change management process: “establishing a sense of urgency.” Therefore, we must identify and examine the challenges and encourage open communication.
The cyber threat is real; the potential impacts, omnipresent. To affect change, we must abandon the current lens we use to view cyber: many still see it as the IT department’s hobby horse. It is everyone’s responsibility because it affects not just our email or access to routine documents, but also our defense supply chain and weapon systems. It threatens our national security.
Fundamental change must be part of our daily discourse. We should discuss the protection of sensitive data at work and home, read privacy statements, and ask financial institutions about safeguarding personal data. We should ask questions about our most vital weapon systems’ vulnerabilities. When leaders show genuine concern for cyber issues, people will respond and change will begin. Cyber security is fundamentally a leadership issue.
Understand Cyber Concepts and Challenges
Today’s youth will likely understand cyber concepts better than us—these digital natives already rely on technology for education, news, entertainment, transportation, and social satisfaction. Many senior leaders did not have personal computers until after college graduation. Likewise, even some of our mid-grade officers lack a basic grasp of cyber concepts, despite their deeper exposure to technology. A common lexicon and understanding of cyber challenges is crucial; we must develop ourselves and our subordinates to be cyber savvy.
We already implement risk management, so applying it to cyber is natural. Leaders should understand the vulnerabilities of, and the threats to, our networks and systems. We should also know when and how to apply technology; sometimes it’s better to use manual systems instead. Once we understand the risk, we can mitigate the threat. Everyone involved in defense needn’t have a graduate degree in cyber security; but we critically need more than two hours of annual training.
Likewise, we must incorporate cyber threats into training exercises. Commanders and exercise planners have been previously reluctant to insert cyber play because the effects might disrupt an exercise’s kinetic objectives. As leaders, however, we must ensure our military is trained to operate with varying degrees of degraded network functionality. Though the most technologically-advanced military in the world, can we operate without our gadgets? We should candidly assess our limitations, however painful, and then minimize them. Cyber is an inherent component of warfighting; failing to train as we fight puts us all at risk.
Defend Against Cyber Threats
Cyber defense is inherently problematic because the Internet operates on the principle of openness. Organizational tension always exists between information accessibility and security. We should expect intrusions and learn to respond decisively by isolating breaches and recovering quickly. This requires constant monitoring and coordination at all command levels. Responses to cyber threats may need to occur at speeds beyond human capacity; thus, automated defensive systems are crucial.
We must also support our unit-level defenders by cooperating with requests for information and not circumventing security mechanisms. Most cyber-related intelligence is highly-classified, so we are rarely privy to the whole story. Everyone must know cyber-attack symptoms and understand incident response procedures, so cyber battle drills must be published and rehearsed. Mistakes will happen, but when we find malicious insiders intentionally perpetrating cybercrimes, we must police our own. We should likewise underwrite honest mistakes and use such occurrences to better educate our organizations.
Defending home computers can be improved, but not guaranteed, by following a few simple rules. We recommend NSA’s “Best Practices for Keeping Your Home Network Secure.” Additionally, since malicious hackers exploit human weaknesses, they will use social engineering to dupe their targets. We must protect our personal information. Keep life stories off social networking sites lest attackers obtain the information needed to guess passwords, gain access to important accounts, or employ targeted phishing or social engineering attacks.
Shape the Development of Military Doctrine, Organizations, and Strategies
Cyber Operations is in its infancy. We all can shape our future organization. There’s much work to be done nationally to identify appropriate organizational constructs across the federal government, with state and local partners, and with private industry. Some military organizations responsible for operating and defending the cyberspace domain have barely articulated their mission statements, so we should collectively discuss structures, doctrine, and strategies crucial for success.
We should smartly leverage existing talent found in academia, industry, non-profits, and the hacker community, remembering the multifaceted nature of the cyberspace domain. Improving the processes and technology to defend our networks won’t suffice. We must better understand how weapon systems—tanks, airplanes, ships, and satellites—think and function, which requires cooperation with organizations and people outside the usual defense industrial base.
Manage the Cyber Workforce
People are the key, so we must define and cultivate an elite cyber workforce. Fortunately, progress is ongoing. As an example, the National Initiative for Cybersecurity Education (NICE) leadership plan identifies 43 different skills in seven cyber-related areas. Human resource professionals should recognize these newly-defined skills and create new military and civilian career paths.
Our existing workforce can learn new skills, but our future rests with tomorrow’s leaders. In raw numbers, we are demographically and culturally disadvantaged: China has more honors students than we have students, and America’s youth rank dismally low in math and science compared to other industrialized countries. Our schools must revitalize Science, Technology, Engineering, and Math (STEM) programs. We must foster the emerging cyber warrior’s lifespan, from early identification and nurturing to career-long professional development in the military and through post-military service. As we nurture this cyber workforce, we must incentivize existing talent to support our national objectives.
We have become desensitized to daily news of computer security lapses. Today we witness an increase in attacks ranging from minor inconveniences to cyber events arguably akin to acts of war. Whether these battles are fought through proxies or by nation-states, cyber warfare escalation is here, and we must take it seriously. But cyberspace operations can also provide us unprecedented advantage. Leaders of all military ranks must facilitate the necessary change forced upon us by this man-made operational domain. Our nation’s landscape and modern warfighting have fundamentally changed.
We have painted a candid picture of the challenges we face in the cyberspace domain. The promise, potential, and ever-presence of cyber are undeniable: it touches nearly every facet of our lives. Today’s decisions will shape our nation’s prosperity, our military’s strength, and the quality of our children’s lives. Cyber is not simply a one-off problem, like the Y2K bug, but instead represents a fundamental shift in warfighting. We have the opportunity to do it right, but the change required will take considerable debate, cooperation, and ultimately, decisive action.
The views expressed in this article are the authors’ and do not reflect the official policy or position of West Point, Army Cyber Command, Department of the Army, Department of Defense, or US Government.
About the Author(s)
I also want to add that I'm terrified by the apparent fact that the US's cyberwarfare experts aren't smart enough to verify in any way whatever that the US isn't receiving CPUs etc that aren't compromised at the hardware level. It's not like a first pass solution is hard to come up with: how a chip behaves is dependant on the arrangement of transistor gates upon it, and this can be inspected with an electron microscope. So you randomly take chips being delivered, em scan them, and then probably hand the task of comparison over to a piece of software. This will probably be a job for a decent computer cluster with specially written software - but we're talking less than a paintjob for an F22, not a justification for cyber WW3.
There are 3 responses to that:
1. A journal article should not be a marketing piece; if a figure is dubious, then the authors should be honest about it
2. Using a debunking of an impossibly high figure as a source for a high figure is simply risible and reflects poorly on both the competence and honesty of the authors
3. Politicians and their aides do a lot of stupid and dishonest things.
While the economic impact figure of 1 trillion dollars is open to debate, I note that it was also used in the White House Cyberspace Policy Review http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_fin… (p2)
As for the two of the other attacks mentioned, sheer stupidity does not equal a vast cyberthreat requiring cyberwar and cyberpork - its just stupidity, and requires the usual response, which is that you stop being stupid. And, yes, transmitting TV feed from a drone in unecrypted form is extremely stupid. Ditto the complete lack of common sense in the design of the software that let the Iranians spoof the drone they brought down.
And that really is all that is being used to justify the cyberwarfare hype:
- The inappropriate use of OS's with poor security
- Some faked figures for damages
- Some easily prevented minor incidents that would more aptly justify a "Think!" campaign than hundreds of billions of dollars of pork.
Remember those Marine officers who lied about the Osprey? Or that kid in Gulf 1 who lied on camera and claimed that his squadron's gunships were at an unbelieveable +90% availability? Well, I just checked a second link. According to paper's authors this link is supposed to prove that cybercrime does one trillion dollars worth of damage a year. But when you read it you get this:
BIG numbers and online crime go together. One well-worn assertion is that cybercrime revenues exceed those from the global trade in illegal drugs. Another nice round number is the $1 trillion-worth of intellectual property that, one senator claimed earlier this year, cybercriminals snaffle annually.
It is hard to know what to make of these numbers. Online crooks, like their real-world brethren, do not file quarterly reports. In the absence of figures from the practitioners, experts tend to fall back on surveys of victims, often compiled by firms that sell security software. These have a whiff of self interest about them: they are the kind of studies that get press released but not peer reviewed.
A paper by two researchers at Microsoft, Dinei Florencio and Cormac Herley, shows why: because losses are unevenly distributed. Most people never have their bank accounts raided by cyber criminals, but an unfortunate few do, and lose a lot. This means that per capita losses, which the surveys calculate before extrapolating to a national figure, are dominated by a handful of big online heists. Errors in the reporting of such infrequent crimes have a huge effect on the headline figure. In a 1,000-person survey in America, for example, exaggerating the impact of a single crime by $50,000 would add $10 billion to the national figure.
...Such hauls fall well short of extravagant claims from the security industry that some spammers make millions every day. Stefan Savage, Mr Kanich's PhD supervisor, says that the security industry sometimes plays “fast and loose” with the numbers, because it has an interest in “telling people that the sky is falling”.
None of this means that the threat of cybercrime can be written off as pure invention, or that people should turn off their spam filters. But in the grand scheme of criminal threats, hacker kingpins do not appear to be on a par with Colombian drug lords—even if the security industry would wish it otherwise
I.e. their respectable looking source for their one trillion dollar figure is one that DEBUNKS that figure as a hoax.
I concur with everything you said. Whenever I read one of these articles it always seems like they avoid discussing the obvious things that could be done to stop an enemy from infiltrating computer networks. One suggestion is to make Deep Packet Inspection (DPI) ubiquitous on all our networks, civilian and military! Given our advancing ability to use pattern matching techniques to find packets that contain things we do not want them to contain and build hardware that is fast enough so that the inspection goes unnoticed I am perplexed as to why this is not being done already. DPI networks could be built that use operating systems and network protocols that are not used anyplace else. The DPI network would act a sentry system for the internet and military networks and theoretically prevent most of the problems we are now experiencing. Expensive but fairly straight forward to implement.
From virtually the first link these shills give:
"the article still doesn’t uncover anything that justifies the hyperbole that the government has used for this breach since it was first uncovered."
The truth is that these people are not seriously interested in defending against a cyberthreat, only in spending money. Because if they were genuinely concerned then Windows, with its inherently poor security model, would be banned for military use - and probably banned for use by ISPs.
Explaining the technical problems with Windows would require several pages, but the difference in security outcome between it and even standard Linux is easily explained:
- The most valuable hacker targets are ISP servers, because of their huge bandwidth and consequent ability to attack other machines. These hijacked servers are the backbone of the botnets used for DoS attacks, password cracking, and data theft.
- Most of these machines, the most valuable targets there are, run Linux. But not one Linux server has ever been taken by malware - compared to literally thousands of Windows servers. Malware isn't magic; it has to go through holes that exist inside the OS. By design Windows is full of these holes. For example:
RPC stands for Remote Procedure Call. Simply put, an RPC is what happens when one program sends a message over a network to tell another program to do something. For example, one program can use an RPC to tell another program to calculate the average cost of tea in China and return the answer. The reason it’s called a remote procedure call is because it doesn’t matter if the other program is running on the same machine, another machine in the next cube, or somewhere on the Internet.
RPCs are potential security risks because they are designed to let other computers somewhere on a network to tell your computer what to do. Whenever someone discovers a flaw in an RPC-enabled program, there is the potential for someone with a network-connected computer to exploit the flaw in order to tell your computer what to do. Unfortunately, Windows users cannot disable RPC because Windows depends upon it, even if your computer is not connected to a network. Many Windows services are simply designed that way. In some cases, you can block an RPC port at your firewall, but Windows often depends so heavily on RPC mechanisms for basic functions that this is not always possible. Ironically, some of the most serious vulnerabilities in Windows Server 2003 (see table in section below) are due to flaws in the Windows RPC functions themselves, rather than the applications that use them. The most common way to exploit an RPC-related vulnerability is to attack the service that uses RPC, not RPC itself...
SELinux is more secure again, and an even more secure version of Linux could be written that runs the OS and apps entirely from ROM. But no one in the military shows any interest in this - it would mean annoying the Microsoft lobbyists (and I have nothing against Microsoft - many of their technologies are excellent, they just don't fit into a high security environment) and losing an excuse for the modern US military's main activity - i.e. spending enormous amounts of money for no sane reason.