Multi-Domain Battle's Impact on Civil Infrastructure
The concept of Multi-Domain Battle (MDB) recognizes the fundamental shift in how potential adversaries of the United States engage in geostrategic means with which to achieve geopolitical goals via means below-armed-conflict. MDB employs all the warfighting domains to achieve these ends. There are numerous aspects to MDB and to be honest I’m still learning what they are and how they interrelate. While reading all of this preliminary, non-doctrinal, unofficial literature one key question can be identified: Given the nearly total reliance of the military on civilian infrastructure, how do we achieve the objectives of securing the Strategic and Operational Support Areas? Senior leaders and planners within the military have relied on unfettered access to the internet for the last 16 years to conduct operations, this assumption is no longer guaranteed in MDB.
Civilian infrastructure required to move big pieces of military hardware around the world rides on the non-secured (or civilian secured) internet. From submission of contracts to loading containers onto freighters, all of this traffic is secured (or not) in the civil domain. The MDB construct classifies this infrastructure as part of the Strategic Support Area and puts the impetus on the military to secure it as a means of achieving national security objectives. Through the MDB lens, potential adversaries can be expected to be conducting cyber-ISR (and indeed are) on these civilian networks. If adversaries were monitoring and suspected the US to launch some sort of conventional attack, they could use the increase in traffic between known contract companies and the Department of Defense (DoD) as an indicator and warning (I&W) of “strange things being afoot at the Circle K”. They could then use this reliance on infrastructure to delay US strategic deployment.
In addition to functioning as an indicator and warning, these civil targets are legitimate below-armed-conflict targets for threat actors. Once identified as a threatening activity, adversaries could move to delay and disrupt our ability to mobilize forces through cyberspace. This could come in the form of manipulating orders to have incorrect information, coding equipment to ship to Abu Dhabi instead of Busan, or crashing the software which operates the loading cranes at the port. It may be subtle or overt in nature, ranging from disrupting traffic lights to crashing the Supervisory Control And Data Acquisition (SCADA) systems at a power plant or distribution center.
Not just the obvious are targets for nefarious cyber actors. As a grad student studying at the University of Kansas, we learned about numerous instances of cities and counties automating infrastructure to achieve efficiency. From sewer overflow systems to power distribution to traffic control, large and small cities alike use these networked SCADA systems to handle everyday tasks. This creates additional problems which MDB takes into consideration. Imagine a cyber-attack on a power plant which supplies power to not just a major city, but the local military base as well. Many bases rely on civilian power for most of their needs. If we can’t get power to our server stacks, it’s going to be nearly impossible to mobilize for operations. The power goes down and we lose internet and cellular communications, our primary means to talk stateside.
MDB accounts for other-below armed-conflict acts, such as the use of information warfare to affect civil discourse. There are numerous protest groups already operating across the country which are hostile to US foreign policy objectives, the military, the defense industry, or even just the President which could be mobilized to interfere with a mobilization. As we have recently seen, Russian involvement through fake social movement accounts on social media reached over 126 million Americans during the campaign season. The themes and messages therein focused on the divisions Americans have and encouraged action based on these fears. Part of a below-armed-conflict campaign would logically use a similar tactic to try and motivate already existing indigenous protest groups to demonstrate out of military gates or blockade interstates, further delaying or ensnarling movement. This begs the question, does the DoD have a legitimate interest in somehow securing the Social Media Environment? How does it do this? Through the Public Affairs Officer and the Information Officer?
Inclusive to MDB is the security of space assets. The DoD has several communications constellations in orbit, but still relies on commercial satellites to route a fair amount of traffic. These become targets of Support Area activities as well. The extent to which commercial satellites have been compromised is not yet publically known, but routing traffic on a satellite that anyone can rent bandwidth from creates a hazard for secrets to spill or a degradation in throughput.
These concerns beg the question of how we can secure these Operational Support Areas. The common thread linking all of them is cyber infrastructure. This is obviously a matter of import for the DoD, but it poses problems. As Susan Brenner points out “Cyberspace transcends spatial boundaries and thereby erodes the distinction between ‘inside’ and ‘outside’ threats” (Brenner, 2013). The Posse Comitatus Act essentially split security matters between inside (criminals in society) and outside (foreign militaries, terrorists) to be dealt with by police and military entities respectively. If we militarize the security of the cyber domain, we run the risk of violating this act. This begs the question implied by Brenner, does this act even apply to cyberspace or is it even appropriate given the unique nature of the threat? A military solution alone seems impractical.
The next plausible course of action is to rely on civilian infrastructure alone to secure itself. Following the attacks of September 11th, 2001, the Homeland Security Act of 2002 created the Department of Homeland Security and established the Director of Information Analysis, and Infrastructure Protection (IAIP). This director is responsible for the security of cyber and critical infrastructure protection (Hildick-Smith, 2005). Despite the creation of this directorate, cyberattacks on SCADA infrastructure continue to increase (examples can be found here). There is also a problem with having unity of effort across the increasingly interconnected number of SCADA systems. On the one hand decentralized efforts reduce common vulnerabilities, but it also makes updating security against known threats harder. A civilian-lead approach seems slightly less impractical, but still not sufficient.
The logical solution seems to be some sort of private-public partnership. The Director of the National Security Agency (DIRNSA) Navy Admiral Mike S. Rogers thinks this is the way ahead. After the Sony cyberattack perpetrated by North Korea, there was significant cooperation between the NSA and Sony (Pellerin, 2016). Not only does he think it’s a good idea, but the scholars at the Wharton Public Policy Initiative do as well (Jagasia, 2017). Given the private sector controls a majority of the cyber backbone it has the necessary access to systems the DoD needs. The DoD has a unique advantage in its ability to collect cyber intelligence from foreign nations. The private sector has a majority of the skilled experts in cyber security while the DoD has the authorities and intelligence infrastructure to reach across international boundaries. Sharing resources between the two entities, it makes the most sense to really begin to get at securing the Operational Support Area of the homeland cyber infrastructure.
As we have seen, Multi-domain battle has a nexus in the Operational Support Area of cyberspace. Often taken for granted, freedom of maneuver in the cyber domain is not guaranteed. This space is contested at all times (as you can see Here), not just times of declared hostilities. People have been discussing and sounding the alarm over this particular vulnerability essentially since the internet was made public. With a shift in doctrinal emphasis potentially going towards MDB, it becomes imperative the DoD makes a concerted effort to figure out how to achieve Operational Support Area Cybersecurity (OSAC) within the MDB construct. This will require private-public partnerships which will need to be worked out on the policy level, but could be executed as a portion of community relations (COMREL). How this will be achieved is uncertain. What is clear however, is we need to put deliberate effort into working with community and business partners to secure our critical cyber infrastructure soon, or else the next war might be over before we can even get tanks on ships.
The opinions presented here are the author’s and do not necessarily reflect those of the U.S. Army or U.S. Department of Defense.
Brenner, S. W. (2013). Cyberthreats and the Posse Comitatus Act: Speculations. Journal of International and Comparative Law, 26-36.
Hildick-Smith, A. (2005). Security for Critical Infrastructure SCADA Systems. SANS Institute.
Jagasia, A. (2017, April 18). A Look Into Public Private Partnerships For Cybersecurity. Retrieved from Public Policy Intiative: https://publicpolicy.wharton.upenn.edu/live/news/1815-a-look-into-public-private-partnerships-for
Pellerin, C. (2016, November 16). Cybercom Commander: Public-Private Partnerships Needed for Cybersecurity. Retrieved from U.S. Department of Defense: https://www.defense.gov/News/Article/Article/1006807/cybercom-commander-public-private-partnerships-needed-for-cybersecurity/