The relationship between the sea and information is ancient. In 480 BC, the Greeks learned of a secret naval invasion planned by the Persians. According to Simon Singh in The Code Book, the message was delivered steganographically on a covered tablet giving sufficient time to prepare for a defense that ultimately led to victory.1 Through information theory, the quantitative theory of coding and transmission of signals and information, we discover that information is a physical property of our reality and a resource to be guarded. In the words of Charles Seife, “Information is every bit as palpable as the weight of bullet, every bit as tangible as the heft of an artillery shell—and every bit as vulnerable as a freighter full of ammunition.”2
Today’s maritime security hinges on information. As Admiral (ret.) James Stavridis argues, nowhere is the gap between threat (high) and defensive capability (low) as large as on the cyber front. Derived from ‘cybernetics,’ “cyber” loosely refers to information loops and everything that is connected to a computer network. The shipping industry (which feeds, fuels, and clothes our country) is growing increasingly connected to the internet and therefore more vulnerable to cyber attacks. New cyber technologies are also being used in the maritime field to solve climate and natural resource puzzles — both keys to long term human survival. Through cyber education and training, citizens and leaders can gain an edge in the digital world and invest themselves in solving some of the most pressing maritime security problems.
Our relationship to the ocean has been transformed by cyber. As John C. Perry outlines in “Beyond the Terracentric,” the ocean can be seen as an avenue, arena, and source.3 Before the standard shipping container system was invented, ships were unloaded with back-breaking efforts of manual laborers. Today, cranes take care of the work, moving containers from the ship to the shore (and vice versa). Sometimes loading and unloading is done with humans operating joysticks, while in other places computer programs sift through the manifests and unload using algorithms. Automatic ports may be targeted by external actors looking to manipulate freight shipments for their benefit.
In 2016, The Economistand The Journal of Commerce chronicled the sagas of the Port of Long Beach, California and the Port of Rotterdam, Netherlands and their transitions towards automation. When viewing an operation with computerized manifests, automatic cranes, and even driver-less trucks moving containers, it is imperative to remember that what is connected can be compromised at every level. Such an interconnected world increases the opportunities for external targeting while raising the stakes for maritime security for the United States. Estimates show that ninety percent of the world’s goods are imported by sea.4 As a single example, each year more than $180 billion of goods (or 6.8 million containers) pass through the Port of Long Beach.5 A brief interruption in shipping made by a foreign government, company, or private individuals would likely ripple through a nation with economic effects reverberating up and down the supply chain.
On the bright side, new computer technologies may allow us to more easily monitor changes in ocean health conditions. With improved information, states and actors can ensure better protection for the ocean and fish that are crucial to industry and food supplies, especially in disputed areas. States can track each other and keep accountability through satellites and technologies like AIS (automatic identification system).New cyber capabilities like The Internet of Things (IoT) may allow us to revolutionize ocean data analysis and create new levels of environmental responsibility. Social entrepreneurship ventures like Blue Water Metrics now aim to crowdsource data collection via the world’s oceangoing shipping fleets and upload all the ocean data to a cloud database. Educating state leaders offers the best chance of maximizing the positive externalities of technological change, both in protecting natural resources and shipping assets.
Preparing Cyber Leaders
Increasing information literacy will improve competitiveness in nearly every field. Studying information theory, encryption, and coding with the same vigor as foreign languages may transform an individual’s field and personal career trajectory. In the book Dark Territory, Fred Kaplan describes how Cyber Command personnel grew from 900 to 4,000 between 2009 to 2012, and is expected to climb to 14,000 by the end of 2020.6 Established academic institutions could recognize certificate programs from organizations like Codecademy via transcript notations, which may improve educational and employment prospects.
Cyber education can be seen both as a patriotic duty and as an economic opportunity. As far back as 1991 the National Research Council observed that “the modern thief can steal more with a computer than with a gun.”7By educating tomorrow’s cyber leaders, institutions, and community, organizations can empower people to defend themselves intelligently against thieves and reinvent themselves by beginning careers in the digital world.
The Polaris of Programming
Not all innovation needs to be forward looking. In the evolutionary dance between encryption and decryption, centuries passed before certain “unbreakable” codes were broken. The Fletcher School at Tufts University combines international studies and the analysis of world events with cyber studies in its course Foundations of International Cyber Security. Scholar practitioners, such as Michele Malvesti, offer unique perspectives on the past and the pipeline of the future, including the importance of supply stream, deterrence, and attribution. Graduate-level cyber curricula can unlock strategic chess moves for governmental, citizen-led, and private organizations alike. Incorporating history in computer science education, like Harvard’s course Great Ideas in Computer Science, can provide fertile intellectual context where principles can be appraised and applied in modern contexts. Scientists throughout history, like Abu Yusuf Yaqub, Blaise de Vigenere, and Charles Babbage make great role models along with programmers like Ada Lovelace and RDML (ret.) Grace Hopper.
When programming is seen as an essential language, computer history as a strategic advantage, and information as an environmental and security opportunity, our digital tribe will be better able to overcome uncertainty and adversaries.
An entrepreneur and former boat captain, Jack Whitacre studied international security and maritime affairs at The Fletcher School of Law and Diplomacy. Contact him at James.C.Whitacre@gmail.com.
1. Simon Singh, “The Code Book: How to Make it, Break it, Hack it, Crack it,” 2001, p.8
2. Charles Seife, “Decoding the Universe,” p. 8
3. John C. Perry, “Beyond the Terracentric: Maritime Ruminations,” 2013, p.143
4. Rose George, “Ninety Percent of Everything: Inside Shipping, the Invisible Industry That Puts Clothes on Your Back, Gas in Your Car, and Food on Your Plate,” 2013.
5. Port of Long Beach. “Facts at a Glance.” The Port of Long Beach: The Green Port. The Port of Long Beach. February 8th, 2017. http://www.polb.com/about/facts.asp
6. Fred Kaplan, “Dark Territory: The Secret History of Cyber War,” 2006, p. 4
Featured Image: The Port of Los Angeles in Feb. 2013. (Tim Rue — Bloomberg/Getty Images)
The United States Navy is a vast, worldwide organization with unique missions and challenges, with information security (and information warfare at large) a key priority within the Chief of Naval Operations’ strategic design. With over 320,000 active duty personnel, 274 ships with over 20 percent of them deployed across the world at any one time, the Navy’s ability to securely communicate across the globe to its forces is crucial to its mission. In this age of rapid technological growth and the ever expanding internet of things, information security is a primary consideration in the minds of senior leadership of every global organization. The Navy is no different, and success or failure impacts far more than a stock price.
Indeed, an entire sub-community of professional officers and enlisted personnel are dedicated to this domain of information warfare. The great warrior-philosopher Sun Tzu said “one who knows the enemy and knows himself will not be endangered in a hundred engagements.” The Navy must understand the enemy, but also understand its own limitations and vulnerabilities, and develop suitable strategies to combat them. Thankfully, strategy and policy are core competencies of military leadership, and although information warfare may be replete with new technology, it conceptually remains warfare and thus can be understood, adapted, and exploited by the military mind.
This paper presents a high-level, unclassified overview of threats and vulnerabilities surrounding the U.S. Navy’s network systems and operations in cyberspace. Several threats are identified to include nation states, non-state actors, and insider threats. Additionally, vulnerabilities are presented such as outdated network infrastructure, unique networking challenges present aboard ships at sea, and inadequate operating practices. Technical security measures that the Navy uses to thwart these threats and mitigate these vulnerabilities are also presented. Current U.S. Navy information security policies are analyzed, and a potential security strategy is presented that better protects the fleet from the before-mentioned cyber threats, mitigates vulnerabilities, and aligns with current federal government mandates.
Navy Network Threats and Vulnerabilities
There are several cyber threats that the Navy continues to face when conducting information operations in cyberspace. Attacks against DoD networks are relentless, with 30 million known malicious intrusions occurring on DoD networks over a ten-month period in 2015. Of principal importance to the U.S. intelligence apparatus are nation states that conduct espionage against U.S. interests. In cyberspace, the Navy contests with rival nations such as Russia, China, Iran, and North Korea, and all are developing their own information warfare capabilities and information dominance strategies. These nations, still in various stages of competency in the information warfare domain, continue to show interest in exploiting the Navy’s networks to conduct espionage operations, either by stealing information and technical data on fleet operations or preventing the Navy from taking advantage of information capabilities.
Non-state actors also threaten naval networks. Organized activist groups known collectively as “hacktivists,” with no centralized command and control structure and dubious, fickle motivations, present a threat to naval cyberspace operations if their goals are properly aligned. In 2012, Navy officials discovered hacktivists from the group “Team Digi7al” had infiltrated the Navy’s Smart Web Move website, extracting personal data from almost 220,000 service members, and has been accused of more than two dozen additional attacks on government systems from 2012 to 2013. The hactivist group boasted of their exploits over social media, citing political reasons but also indicated they did it for recreation as well. Individual hackers, criminal organizations, and terrorist groups are also non-state threat actors, seeking to probe naval networks for vulnerabilities that can be exploited to their own ends. All of these threats, state or non-state actors, follow what the Department of Defense (DoD) calls the “cyber kill chain,” depicted in figure 1. Once objectives are defined, the attacker follows the general framework from discovery to probing, penetrating then escalating user privileges, expanding their attack, persisting through defenses, finally executing their exploit to achieve their objective.
One of the Navy’s most closely-watched threat sources is the insider threat. Liang and Biros, researchers at Oklahoma State University, define this threat as “an insider’s action that puts an organization or its resources at risk.” This is a broad definition but adequately captures the scope, as an insider could be either malicious (unlikely but possible, with recent examples) or unintentional (more likely and often overlooked).
The previously-mentioned Team Digi7al hactivist group’s leader was discovered to be a U.S. Navy enlisted Sailor, Petty Officer Nicholas Knight, a system administrator within the reactor department aboard USS HARRY S TRUMAN (CVN 75). Knight used his inside knowledge of Navy and government systems to his group’s benefit, and was apprehended in 2013 by the Navy Criminal Investigative Service and later sentenced to 24 months in prison and a dishonorable discharge from Naval service.
Presidential Executive Order 13587, signed in 2011 to improve federal classified network security, further defines an insider threat as “a person with authorized access who uses that access to harm national security.” Malevolence aside, the insider threat is particularly perilous because these actors, by virtue of their position within the organization, have already bypassed many of the technical controls and cyber defenses that are designed to defeat external threats. These insiders can cause irreparable harm to national security and the Navy’s interests in cyberspace. This has been demonstrated by the Walker-Whitworth espionage case in the 1980s, Private Manning in the latter 2000s, or the very recent Edward Snowden/NSA disclosure incidents.
The Navy’s vulnerabilities, both inherent to its nature and as a result of its technological advances, are likewise troubling. In his 2016 strategic design, Chief of Naval Operations Admiral John M. Richardson stated that “the forces at play in the maritime system, the force of the information system, and the force of technology entering the environment – and the interplay between them have profound implications for the United States Navy.” Without going into classified details or technical errata, the Navy’s efforts to secure its networks are continuously hampered by a number of factors which allow these threats a broad attack surface from which to choose.
As the previous Chief of Naval Operations (CNO), Admiral Jon Greenert describes in 2012, Navy platforms depend on networked systems for command and control: “Practically all major systems on ships, aircraft, submarines, and unmanned vehicles are ‘networked’ to some degree.” The continual reliance on position, navigation, and timing (PNT) systems, such as the spoofing and jamming-vulnerable Global Positioning System (GPS) satellite constellation for navigation and precision weapons, is likewise a technical vulnerability. An internet search on this subject reveals multiple scholarly and journalist works on these vulnerabilities, and more than a few describe how to exploit them for very little financial investment, making them potentially cheap attack vectors.
Even the Navy’s vast size and scope of its networks present a vulnerability to its interests in cyberspace. As of 2006, the Navy and Marine Corps Intranet (NMCI), a Government Owned-Contractor Operated (GOCO) network that connects Navy and Marine Corps CONUS shore commands under a centralized architecture, is “the world’s largest, most secure private network serving more than 500,000 sailors and marines globally.” That number has likely grown in the 10 years since that statistic was published, and even though the name has been changed to the Navy’s Next Generation Network (NGEN), it is still the same large beast it was before, and remains one of the single largest network architectures operating worldwide. Such a network provides an enticing target.
Technical Security Measures and Controls
The Navy employs the full litany of technical cybersecurity controls across the naval network enterprise, afloat and ashore. Technical controls include host level protection through the use of McAfee’s Host Based Security System (HBSS), designed specifically for the Navy to provide technical controls at the host (workstation and server) level. Network controls include network firewalls, intrusion detection and prevention systems (IDS/IPS), security information and event management, continuous monitoring, boundary protection, and defense-in-depth functional implementation architecture. Anti-virus protection is enabled on all host systems through McAfee Anti-Virus, built into HBSS, and Symantec Anti-Virus for servers. Additionally, the Navy employs a robust vulnerability scanning and remediation program, requiring all Navy units to conduct a “scan-patch-scan” rhythm on a monthly basis, although many units conduct these scans weekly.
The Navy’s engineering organization for developing and implementing cybersecurity technical controls to combat the cyber kill chain in figure 1 is the Space and Naval Warfare Systems Command (SPAWAR), currently led by Rear Admiral David Lewis, and earlier this year SPAWAR released eight technical standards that define how the Navy will implement technical solutions such as firewalls, demilitarized zones (DMZs), and vulnerability scanners. RADM Lewis noted that 38 standards will eventually be developed by 2018, containing almost 1,000 different technical controls that must be implemented across the enterprise.
Of significance in this new technical control scheme is that no single control has priority over the others. All defensive measures work in tandem to defeat the adversary’s cyber kill chain, preventing them from moving “to the right” without the Navy’s ability to detect, localize, contain, and counter-attack. RADM Lewis notes that “the key is defining interfaces between systems and collections of systems called enclaves,” while also using “open architecture” systems moving forward to ensure all components speak the same language and can communicate throughout the enterprise.
The importance of open systems architecture (OSA) as a way to build a defendable network the size of the Navy’s cannot be understated. The DoD and the Navy, in particular, have mandated use of open systems specifications since 1994; systems that “employ modular design, use widely supported and consensus-based standards for their key interfaces, and have been subjected to successful validation and verification tests to ensure the openness of their key interfaces.” By using OSA as a means to build networked systems, the Navy can layer defensive capabilities on top of them and integrate existing cybersecurity controls more seamlessly. Proprietary systems, by comparison, lack such flexibility thereby making integration into existing architecture more difficult.
Technical controls for combating the insider threat become more difficult, often revolving around identity management software and access control measures. Liang and Biros note two organizational factors to influencing insider threats: security policy and organizational culture. Employment of the policy must be clearly and easily understood by the workforce, and the policy must be enforced (more importantly, the workforce must fully understand through example that the policies are enforced). Organizational culture centers around the acceptance of the policy throughout the workforce, management’s support of the policy, and security awareness by all personnel. Liang and Biros also note that access control and monitoring are two must-have technical security controls, and as previously discussed, the Navy clearly has both yet the insider threat remains a primary concern. Clearly, more must be done at the organizational level to combat this threat, rather than just technical implementation of access controls and activity monitoring systems.
Information Security Policy Needed to Address Threats and Vulnerabilities
The U.S. Navy has had an information security policy in place for many years, and the latest revision is outlined in Secretary of the Navy Instruction (SECNAVINST) 5510.36, signed June 2006. This instruction is severely out of date and does not keep pace with current technology or best practices; Apple released the first iPhone in 2007, kicking off the smart phone phenomenon that would reach the hands of 68% of all U.S. adults as of 2015, with 45% also owning tablets. Moreover, the policy has a number of inconsistencies and fallacies that can be avoided, such as a requirement that each individual Navy unit establish its own information security policy, which creates unnecessary administrative burden on commands that may not have the time nor expertise to do so. Additionally, the policy includes a number of outdated security controls under older programs such as the DoD Information Assurance Certification and Accreditation Process (DIACAP), which has since transitioned to the National Institute for Standards and Technology (NIST) Risk Management Framework (RMF).
Beginning in 2012, the DoD began transitioning away from DIACAP towards the NIST RMF, making full use of NIST Special Publications (SPs) for policy development and implementation of security controls. The NIST RMF as it applies to DoD, and thus the Navy, is illustrated in figure 2. The process involves using NIST standards (identified in various SPs) to first categorize systems, select appropriate security controls, implement the controls, assess their effectiveness, authorize systems to operate, then monitor their use for process improvement.
This policy is appropriate for military systems, and the Navy in particular, as it allows for a number of advantages for policymakers, warfighters, system owners, and developers alike. It standardizes cybersecurity language and controls across the federal government for DoD and Navy policymakers, and increases rapid implementation of security solutions to accommodate the fluidity of warfighting needs. Additionally, it drives more consistent standards and optimized workflow for risk management which benefits system developers and those responsible for implementation, such as SPAWAR.
Efforts are already underway to implement these policy measures in the Navy, spearheaded by SPAWAR as the Navy’s information technology engineering authority. The Navy also launched a new policy initiative to ensure its afloat units are being fitted with appropriate security controls, known as “CYBERSAFE.” This program will ensure the implementation of NIST security controls will be safe for use aboard ships, and will overall “focus on ship safety, ship combat systems, networked combat and logistics systems” similar to the Navy’s acclaimed SUBSAFE program for submarine systems but with some notable IT-specific differences. CYBERSAFE will categorize systems into three levels of protection, each requiring a different level of cybersecurity controls commensurate with how critical the system is to the Navy’s combat or maritime safety systems, with Grade A (mission critical) requiring the most tightly-controlled component acquisition plan and continuous evaluation throughout the systems’ service life.
Implementation of the NIST RMF and associated security policies is the right choice for the Navy, but it must accelerate its implementation to combat the ever-evolving threat. While the process is already well underway, at great cost and effort to system commands like SPAWAR, these controls cannot be delayed. Implementing the RMF across the Navy enterprise will reduce risk, increase security controls, and put its implementation in the right technical hands rather than a haphazard implementation of an outdated security policy that has, thus far, proven inadequate to meet the threats and reduce vulnerabilities inherent with operating such a large networked enterprise. With the adoption of these new NIST policies also comes a new strategy for combating foes in cyberspace, and the Navy has answered that in a few key strategy publications outlined in the next section.
Potential Security Strategy for Combating Threats and Minimizing Vulnerabilities
It is important to note that the Navy, like the other armed services of the DoD, was “originally founded to project U.S. interests into non-governed common spaces, and both have established organizations to deal with cybersecurity.” The Navy’s cyber policy and strategy arm is U.S. Fleet Cyber Command (FLTCYBERCOM, or FCC), co-located with the DoD’s unified cyber commander, U.S. Cyber Command (USCYBERCOM, or USCC). Additionally, its operational cyber arm, responsible for offensive and defensive operations in cyberspace, is U.S. 10th Fleet (C10F), which is also co-located with U.S. Fleet Cyber and shares the same commander, currently Vice Admiral Michael Gilday.
Prior to VADM Gilday’s assumption of command as FCC/C10F, a strategy document was published by the Chief of Naval Operations in 2013 known as Navy Cyber Power 2020, which outlines the Navy’s new strategy for cyberspace operations and combating the threats and vulnerabilities it faces in the information age. The strategic overview is illustrated in figure 3, and attempts to align Navy systems and cybersecurity efforts with four main focus areas: integrated operations, optimized cyber workforce, technology innovation, and acquisition reform. In short, the Navy intends to integrate its offensive and defensive operations with other agencies and federal departments to create a unity of effort (evident by its location at Ft. Meade, MD, along with the National Security Agency and USCC), better recruit and train its cyber workforce, rapidly provide new technological solutions to the fleet, and reform the acquisition process to be more streamlined for information technology and allow faster development of security systems.
Alexander Vacca, in his recent published research into military culture as it applies to cybersecurity, noted that the Navy is heavily influenced by sea combat strategies theorized by Alfred Thayer Mahan, one of the great naval strategists of the 19th century. Indeed, the Navy continually turns to Mahan throughout an officer’s career from the junior midshipman at the Naval Academy to the senior officer at the Naval War College. Vacca noted that the Navy prefers Mahan’s “decisive battle” strategic approach, preferring to project power and dominance rather than pursue a passive, defensive strategy. This potentially indicates the Navy’s preference to adopt a strategy “designed to defeat enemy cyber operations” and that “the U.S. Navy will pay more attention to the defeat of specified threats” in cyberspace rather than embracing cyber deterrence wholesale. Former Secretary of the Navy Ray Mabus described the offensive preference for the Navy’s cyberspace operations in early 2015, stating that the Navy was increasing its cyber effects elements in war games and exercises, and developing alternative methods of operating during denial-of-service situations. It is clear, then, that the Navy’s strategy for dealing with its own vulnerabilities is to train to operate without its advanced networked capabilities, should the enemy deny its use. Continuity of operations (COOP) is a major component in any cybersecurity strategy, but for a military operation, COOP becomes essential to remaining flexible in the chaos of warfare.
A recent article describing a recent training conference between top industry cybersecurity experts and DoD officials was critical of the military’s cybersecurity training programs. Chief amongst these criticisms was that the DoD’s training plan and existing policies are too rigid and inflexible to operate in cyberspace, stating that “cyber is all about breaking the rules… if you try to break cyber defense into a series of check-box requirements, you will fail.” The strategic challenge moving forward for the Navy and the DoD as a whole is how to make military cybersecurity policy (historically inflexible and absolute) and training methods more like special forces units: highly trained, specialized, lethal, shadowy, and with greater autonomy within their specialization.
Current training methods within the U.S. Cyber Command’s “Cyber Mission Force” are evolving rapidly, with construction of high-tech cyber warfare training facilities already underway. While not yet nearly as rigorous as special forces-like training (and certainly not focused on the physical fitness aspect of it), the training strategy is clearly moving in a direction that will develop a highly-specialized joint information warfare workforce. Naegele’s article concludes with a resounding thought: “The heart of cyber warfare…is offensive operations. These are essential military skills…which need to be developed and nurtured in order to ensure a sound cyber defense.“
This paper outlined several threats against the U.S. Navy’s networked enterprise, to include nation state cyber-rivals like China, Russia, Iran, and North Korea, and non-state actors such as hactivists, individual hackers, terrorists, and criminal organizations. The insider threat is of particular concern due to this threat’s ability to circumvent established security measures, and requires organizational and cultural influences to counter it, as well as technical access controls and monitoring. Additionally, the Navy has inherent vulnerabilities in the PNT technology used in navigation and weapon systems throughout the fleet, as well as the vast scope of the ashore network known as NMCI, or NGEN.
The Navy implements a litany of cybersecurity technical controls to counter these threats, including firewalls, DMZs, and vulnerability scanning. One of the Navy’s primary anti-access and detection controls is host-based security through McAfee’s HBSS suite, anti-virus scanning, and use of open systems architecture to create additions to its network infrastructure. The Navy, and DoD as a whole, is adopting the NIST Risk Management Framework as its information security policy model, implementing almost 1000 controls adopted from NIST Special Publication 800-53, and employing the RMF process across the entire enterprise. The Navy’s four-pronged strategy for combating threats in cyberspace and reducing its vulnerability footprint involves partnering with other agencies and organizations, revamping its training programs, bringing new technological solutions to the fleet, and reforming its acquisition process. However, great challenges remain in evolving its training regimen and military culture to enable an agile and cyber-lethal warfighter to meet the growing threats.
In the end, the Navy and the entire U.S. military apparatus is designed for warfare and offensive operations. In this way, the military has a tactical advantage over many of its adversaries, as the U.S. military is the best trained and resourced force the world has ever known. General Carl von Clausewitz, in his great anthology on warfare, stated as much in chapter 3 of book 5 of On War (1984), describing relative strength through admission that “the principle of bringing the maximum possible strength to the decisive engagement must therefore rank higher than it did in the past.” The Navy must continue to exploit this strength, using its resources smartly by enacting smart risk management policies, a flexible strategy for combating cyber threats while reducing vulnerabilities, and training its workforce to be the best in the world.
Lieutenant Howard is an information warfare officer/information professional assigned to the staff of the Chief of Naval Operations in Washington D.C. He was previously the Director of Information Systems and Chief Information Security Officer on a WASP-class amphibious assault ship in San Diego.
Dr. da Cruz is a Professor of International Relations and Comparative Politics at Armstrong State University, Savannah, Georgia and Adjunct Research Professor at the U.S. Army War College, Carlisle, Pennsylvania.
The views expressed here are solely those of the authors and do not necessarily reflect those of the Department of the Navy, Department of the Army, Department of Defense or the United States Government.
Featured Image: At sea aboard USS San Jacinto (CG 56) Mar. 5, 2003 — Fire Controlman Joshua L. Tillman along with three other Fire Controlmen, man the shipÕs launch control watch station in the Combat Information Center (CIC) aboard the guided missile cruiser during a Tomahawk Land Attack Missile (TLAM) training exercise. (RELEASED)
Open borders are here. You likely crossed the Rio Grande before breakfast this morning and you’ll sneak into China before you sleep tonight. Trons travel through cyberspace ignoring all manners of political boundaries. Technology doesn’t care where Ukraine ends and Russia begins, or about an air gap between China and Taiwan. The policy of cyber does; it shouldn’t.
Conceptualizing Cyber Borders
The national policy for cyber borders has been similar to conceptions of airspace: a vertical extension of geopolitical borders into the sky, or in the case of cyber, into the flowing infrastructure of the internet. If a plane is going to travel through the airspace of another country, that country has to agree to it or the flight has to go around. A long-range bomber aircraft might fly over a few countries for a raid on the other side. Packets or “trons” can travel continents’ worth of countries in a path of least resistance taking seconds. Furthermore, while borders stay the same, digital routes are totally dynamic. In order to prevent the unintended escalation of cyber operations, we must divorce the routes trons take from the effects they cause.
A Path Forward
Fortunately, an existing policy framework already exists for an effects-based policy in a new frontier. We need to rise above the airspace mentality, and draw inspiration from satellites. Satellites travel freely over countries and cross borders with impunity. The international community agreed to a borderless framework in space in the Outer Space Treaty of 1967.1 The orbit a satellite is on and its position relative to political borders are irrelevant when it takes an action that causes an effect. The effect is all that matters. The group at the effect’s end may protest or retaliate, but the country under the satellite at the time of the action will have no issue. If, for example, China shot down a Russian satellite while the satellite was over Mexico, Russia would have no issue with Mexico for having allowed the attack above them, because they don’t own that space. Instead, China would be responsible for causing the malign effect.
The Department of Defense (DoD) has addressed this attribution issue. The DoD Law of War Manual specifically addresses “cyber operations that use communications infrastructure in neutral states.”2 This policy allows trons to be routed through neutral nations so long as the cyber infrastructure in that country allows innocuous information to be routed through it as well, if they route trons for the common World Wide Web. It also specifically acknowledges that it is unreasonable to expect other nations to review all cyber traffic for its content. These principles are fundamental to the spirit and design of the internet. Acknowledging those fundamentals will prevent future conflicts that will otherwise arise from misattribution during analysis of tron routes. Imagine Canada sends cyber attack trons to Russia via France, Thailand, and China. It is easy to see Russia determining that China may not have ownership of the trons that attacked them, but—unless we agree otherwise—they were complicit in the attack. A scenario where clumsy confusion leads to aggressive accusation, the likes of which we have not seen since the eve of WW1, is not far-fetched given the cyber domain’s peculiarities.
Many international cyber agreements are being written. One, the International Code of Conduct for Information Security, has already been signed by major players Russia and China. That agreement addresses the intent of cyber warfare and end effects, but leaves a grey area in between. A 2013 NATO report addressed this point indirectly, saying “demilitarized zones are not feasible in the context of cyberspace, due to its global scope.”3 NATO failed to separate the infrastructure itself from the use of the infrastructure. A United Nations report from 2015 (aware of NATO’s 2013 report) further departs in the wrong direction and declares “states of jurisdiction over the ICT (information and communications technologies) infrastructure located within their territory.”4 This policy direction simply does not pragmatically address the technology involved. The transnational spirit of the internet and the technology itself does not respect borders as the UN does. A failure to acknowledge this fact is dangerous. The focus on infrastructure and not on the transmissions and effects of the technology leaves a dangerous grey area.
The solution is an agreement among the international community to ignore cyber routes. The DoD’s cyber components must press this issue into international agreements. The Department is uniquely equipped to lead this effort. It is the center of our nation’s cyber warfare universe. The NSA, CIA, DIA, and others with less notoriety are led or staffed largely by military officers and enlisted, retired versions of the same, or DoD civilians. No other organization is as integrated into every aspect of offensive and defensive cyber operations. DoD’s outsized operational involvement gives us an equally outsized cyber policy voice, and we should use it to ensure a discussion on cyber routes.
The discussion should acknowledge, first, that attribution is the foundation of cyber warfare. Second, acknowledge that routing technologies use the communications equipment of neutral states to obscure the origin of cyber-attacks. After establishing those truths, the policy must focus on ensuring the analysis of digital forensic evidence acknowledges the inherent deceptiveness of cyber route analysis and delegitimizes the evidence as international policy. The international community must agree to focus on the information and effects of the trons and not attempt to hold accountable the infrastructure used for transmission. Absolve the owners of the infrastructure and the land on which it sits from responsibility for the trons it transmits, and inversely remove the standing they might have if they dislike the trons.
The publicly available cyber discussions in the international community have so far focused on intent, effects, and physical infrastructure while they ignore any agreement on cyber routes. To avoid a massive international misunderstanding in the fog of attribution we must internationally agree to ignore cyber routes. We have a framework for this. In space we own the object, not the orbit. In cyber we will own the information, not the route.
Travis Nicks is a nuclear submarine officer serving at the Pentagon. He is focused on finding precise fixes to complex problems. LT Nicks is interested in cyber policy and personnel performance issues. The views herein are his alone and do not represent the views of the Department of Defense, the Department of the Navy, or any other organization.
1. Outer Space Treaty, 1967, Article II
2. Department of Defense, Law of War Manual, 2016, Section 16.4.1
3. Dr. Katharina Ziolkowski, NATO Cooperative Cyber Defense Centre of Excellence, Confidence Building Measures for Cyberspace – Legal Implications, 2013, Section 3.2
4. Group of Government Experts, United Nations General Assembly, report on Developments in the Field of Information and Telecommunications in the Context of International Security, 2015, Section VI.28.a.
Featured Image: U.S. Navy Petty Officer 1st Class Joel Melendez, Naval Network Warfare Command information systems analysis, U.S. Air Force Staff Sgt. Rogerick Montgomery, U.S. Cyber Command network analysis, and U.S. Army Staff Sgt. Jacob Harding, 780th Military Intelligence Brigade cyber systems analysis, analyze an exercise scenario during Cyber Flag 13-1, Nov. 8, 2012, at Nellis Air Force Base, Nev. (U.S. Air Force photo by Senior Airman Matthew Lancaster)
Written by Terence Bennett, Naval Applications of Tech discusses how emerging and disruptive technologies can be used to make the U.S. Navy more effective. It examines potential and evolving developments in the tech industry, communication platforms, computer software and hardware, mechanical systems, power generation, and other areas.
“The most damaging phrase in the language is ‘We’ve always done it this way!’” — Rear Admiral Grace Murray Hopper in an interview in Information Week, March 9, 1987, p. 52
By Terence Bennett
Philippines President Duterte announced last month that he wanted all U.S. forces out of the Philippines in two years, leaving U.S. policy makers to find an alternative naval basing strategy for the region. The presence of U.S. naval forces in the Philippines can be traced directly back to Commodore Dewey’s command, “You may fire when you are ready, Gridley,” utterly shortly before a fleet of U.S. Battleships entered Manila Bay to liberate it from Spanish rule in 1898. At the time, Alfred Thayer Mahan’s work The Influence of Sea Power upon History had popularized the need for a strong U.S. merchant fleet, battle fleet, and network of naval bases. The taking of Manila Bay would give the United States its first taste of colonialism and the ability to operate U.S. ships from a homeport far away from the United States. With today’s political landscape changing in unstable ways, it is time to rethink any assumption about U.S. naval basing and power projection. Surface ships and naval basing platforms need to capitalize on unique forms of energy that surround them starting with solar, kinetic, and wind power.
Emerging clean technologies have presented many alternative forms of power generation, but none have been able to replace the energy dense and ubiquitous nature of diesel. Despite a strong commitment after World War II under Admiral Rickover towards a nuclear Navy, today’s over reliance on diesel is epitomized by the Arleigh Burke-class Destroyer (DDG). This modern destroyer was commissioned in 1991 with seven gas turbine engines used for propulsion and power generation. Although having an extremely high power to weight ratio, gas turbine engines are fuel hogs and have left the U.S. surface fleet tethered to supply ships. In the two-and-half-decades since commissioning, the Arleigh-Burke-class has been improved with better combat systems, faster projectiles, and even hybrid-electric drives. But the Navy has not fundamentally readdressed Mahan’s assumptions on resupply and fuel-burning energy generation. The Navy needs to find solutions that unburden U.S. national security from a dependence on countries with strategically-located deep water ports. The issue of naval basing on foreign soil isn’t a political problem, but rather a technological one.
Solar power has been historically difficult to employ due to low efficiency, expensive equipment, and the need for a lot of space to gather sunlight. Successful application of solar has typically been to supply individual households with power. An Italian company has put a twist on this small-scale solar model by placing solar panels on floating platforms in residential lakes and ponds. This solution allows the arrays to rotate toward the sun, utilize otherwise unoccupied space, and cool equipment more efficiently. This year, researchers in Vienna have developed ocean wave dampening technology that will allow large floating platforms of solar arrays to be deployed with less risk of damage from waves at sea. Although floating solar arrays are not employed by the Navy today, this development may make sea-based solar arrays a project of interest in the future. When complete, the Heliofloat will be the size of a football field and generate solar energy for use on shore.
The Heliofloat is getting attention from the solar energy community because it aims to leverage a large expanse of unutilized space. This same attitude can be applied to ships at sea. We overlook the paradox of sailing tightly cramped ships on the vast openness of the ocean. Naval architects and engineers work to fit as much as possible onto ships, but this mindset leaves out the potential for employing the open space around the ship for a useful purpose. Ohio-based startup Xunlighthas developed large flexible roll-up solar arrays that could be used for solar energy generation outside the skin of a ship. Sailmakers have already started using this technology in the sails of commercially sold sailboats, demonstrating the material’s resilience and versatility. Like the solar sails of Jules Verne’s novels, Navy ships could employ large outriggers with quickly deployable solar arrays to collect the sun’s energy. Although impractical for many scenarios – in transit, in high seas, or winds – ships could make use of this solution during loiter operations. These solar sails could be designed to disguise ships from radar, or make them appear like an entirely different class of ship. A deployable roll-out solar array would be an easily prototyped green energy solution for ships today.
The Navy is currently testing the Azura Wave device off the coast of Kaneohe Bay in Hawaii. This single device is capable of generating 20 kW from the motion of the ocean. To put that in perspective, the average Hawaiian consumes 17 kWh per day. This buoy, in optimal conditions, is offsetting the daily power consumption of one average Hawaiian resident in one hour. Although this may not seem like much of an impact, it proves that it can be done. Two more companies are planning to test similar devices capable of producing 500 kW. In the not so distance future, kinetic generators like this might be anchored in a grid and secured to Heliofloat-like platforms for combined kinetic-solar generation. Through the combination of different alternative energy projects, yields can be increased to levels competitive with fossil fuel systems.
At the time of writing, winds in the central Arabian Gulf
are blowing at 23 knots. This is just fast enough to produce 5,000 kW with a 282 ft long Sheerwind wind tunnel, roughly the equivalent power production of two Allison generators aboard an Arleigh Burke-class DDG. Minnesota-based Sheerwind has developed a system to capture, concentrate, accelerate and harvest wind power in a funnel. The tunnels happen to be very big, but the installation of towers to collect wind could fit at the top of a ship’s stacks and ideally installed in line with existing diesel generation systems. This setup could allow the ship to use wind power when it was available and shift to diesel generation as necessary. This technology would have to be integrated into the design of a ship, but would be ideal for vessels required to operate for extended amounts of time in a single area.
When Mahan envisioned a battleship Navy, he was describing the prevailing example of concentrated seapower. When Mahan described the requirement for a nation to have a strong network of naval bases, it can be assumed that he was describing the need for sustained operations far from friendly coasts. Just as a Fleet in Being is useless unless it presents a legitimate danger of leaving port, a powerful Navy must be present to exert its will on the adversary. In maritime confrontation today, the challenge of finding and facing our adversary often becomes the key to success. For this reason, our current naval strategy of sea basing and sustained operations at sea will continue to be a central theme in the projection of U.S. military power. A glut of cheap oil may have slowed the progress of new Navy energy-related technology, but the emergence of a generation of cheap alternative energy sources and the clever employment of existing technologies can change this. The future of Navy operations is largely unknown, except that ships will always be required to spend long amounts of time at sea. High efficiency and ideally renewable sources like solar, kinetic, and wind energy should be an attractive addition to a ship’s power plant.
LT Bennett is a former Surface Warfare Officer and current Intelligence Officer. The views express herein are solely those of the author and are presented in his personal capacity on his own initiative. They do not reflect the official positions of the Department of the Navy, Department of Defense, or any other U.S. Government agency.
Featured Image: YOKOSUKA, Japan (Aug. 22, 2012) Capt. David Owen, left, commanding officer of Fleet Activities Yokosuka, inspects recently installed solar panels at Sullivan Elementary School. The solar panels are a building integrated photovoltaic system, which is estimated to contribute $297,000 in projected annual energy savings at the installation. (U.S. Navy photo by Mass Communication Specialist 2nd Matthew R. Cole/Released)