The Internet has grown phenomenally since the 1990s and currently has about 3.5 billion users who make up 47 percent of the world population.1 Out of the 201 countries surveyed, 38 percent have a penetration rate of at least 80 percent of its population.2The ubiquity and reliance on cyberspace to improve the efficiency and capability of government, military, and civilian sectors lead to the Internet of Things (IOT) for day-to-day operations and in this pervasiveness of the use of Internet lies the potential for devastating cyber-attacks.
This paper seeks to discuss the crippling effects and dangers of cyber-attacks and outline the defensive responses against and control of cyber warfare.
The lethality, and hence appeal of cyber warfare, lies in its asymmetric3 and stealthy nature. Little resource, such as teams of experienced hackers, is required to render a disproportional amount of devastating damage to the core and day-to-day operations of both the government as well as the military. Unlike conventional warfare where a military build-up and transportation of resources are tell-tale signs of preparation, cyber-attacks can be conducted without warning. In this regard, it is akin to covert operations, such as the use of Special Forces or submarines, with added advantage of not exposing soldiers to the risk of harm. Coupled with the inherent difficulty in pinpointing attribution,4 subjects of a cyber-attack are left with the choice of either doing nothing except to try to recover or to retaliate against the suspected attacker without concrete proof and lose moral high ground, neither of which is optimal.
An example of a well-coordinated attack demonstrating the covert nature of cyber warfare occurred in 2007 when the Estonian government and government-related web-services were disabled.5 Though no physical damage was inflicted, it created widespread disruption for Estonian citizens. While Russia was the suspected perpetrator, it was never proven or acknowledged. In 2010, it was discovered that Iranian nuclear centrifuges that are responsible for enriching uranium gas had been infected and crippled by a malware, codenamed “Stuxnet.”6 This successful insertion of this malware effectively set the Iranian nuclear program back for a few years and demonstrated an effective and non-attributable way7 to pressurize if not exert will without the use of military might as it achieved what the United Nations Security Council (UNSC) had hitherto failed to do, i.e., curtail the development of nuclear weapons by Iran.
The above examples illustrate the potential damage of small-scale and limited cyber-attacks. Extrapolating from these examples, it is conceivable that the damage from a successful large-scale cyber-attack on a well-connected country that relies heavily on IOT can range from disruption of essential services, crippling confusion and even operational paralysis of both government and the military. For the government, a cyber-attack across every essential means and aspects of daily living including but not limited to destruction of financial data, records and transactions, forms of travel, communication means, and national power grid create chaos and confusion resulting in psychological shock that will in turn sap the will and resilience of the citizens. For the military, the irony is that the more modern and advanced a military is with its concomitant reliance on technology and network centric warfare, the more vulnerable it is to a potential cyber Pearl Harbor attack that will render its technological superiority over its adversary impotent. Given the symbiotic relation between the government and the military, a successful simultaneous cyber-attack on both government and the military can achieve Sun Tze’s axiom that the supreme art of war is to subdue the enemy without fighting.
Given its unique nature and unmatched demonstrated potential for lethality, it is understandable the attractiveness of cyber warfare as an instrument of choice for all players, both state and non-state actors and even individuals. As with all other forms of warfare, the need for defense against should be proportional to the threat. It is a game of cat and mouse,8 where hackers seek to find security vulnerabilities while defenders attempt to patch them up as soon as they are exploited and redirect the attackers to digital traps, preventing them from obtaining crucial information or cause damages. Specialized cyber warfare military branches have been formed in many countries, and extensive cyber defensive measures and contingency plans are being developed by government, military, and civil sectors of states. Through inter-cooperation, potential attacks could be resolved in the shortest time possible and minimize disruption, while preventing future attacks. As the world begins to witness the increasing use of cyber warfare as a weapon, cyber-attacks may not be as easy to conduct as before as states that understand the lethality of such attacks seek to safeguard their nation.9
Beyond defense at the national level, there is a lack of well-defined norms on the rules of cyber warfare as the international law community is still interpreting how current law of war can apply to cyber warfare. Recently, Tallinn Manual 2.0 was published by NATO’s Cooperative Cyber Defence Centre of Excellence (CCDOE) and is to date the most detailed study of how existing international laws can govern cyber operations.10 However, it currently serves as a reference and is non-binding. It is crucial for nations to iron out the rules for cyber warfare together and abide by it, ensuring that it will not affect the lives of civilians and minimize potential damages to non-military installations by cyber-attacks and cyber warfare.
Cyber warfare is a real and growing threat which has the potential to create disruption that the world has yet to witness. As nations become even more reliant on cyberspace as it ventures into automation and smart cities, they need to invest adequately in cyber defense and ensure that this new frontier is well-guarded. Apart from dealing with it domestically, on an international level, rules of cyber warfare need to be clarified and be abided by the international community to safeguard civilians. Cyber warfare may be threatening, but if the international community abides by clarified rules of cyber warfare and has sufficient cyber defensive measures established, the potential devastation caused by cyber-attacks could be minimized.
Yang Kang is a naval officer from the Republic of Singapore and a freshman at the Nanyang Technological University (NTU) in Singapore currently studying Electrical and Electronics Engineering. Before attending NTU, Yang Kang underwent midshipman training in Midshipman Wing, Officer Cadet School of the Singapore Armed Forces and was appointed Midshipman Engineering Commanding Officer during the Advanced Naval Term, his final phase of training.
Featured Image: U.S. sailors assigned to Navy Cyber Defense Operations Command man their stations at Joint Expeditionary Base Little Creek-Fort Story, Va., Aug. 4, 2010. NCDOC sailors monitor, analyze, detect and respond to unauthorized activity within U.S. Navy information systems and computer networks. (U.S. Navy photo by Petty Officer 2nd Class Joshua J. Wahl)
For the past fifty-six years, the United States Naval Academy has hosted the Naval Academy Foreign Affairs Conference (NAFAC). NAFAC, planned and executed by the midshipmen themselves, brings togetheroutstanding undergraduate delegates as well as notable speakers, scholars, and subject matter experts from around the nation and the world to discuss a current and relevant international relations issue. The theme for this year’s conference, A New Era of Great Power Competition?, seeks to explore the shifting dynamics of the international system, challenges to a U.S. – led world order, the nature of potential future conflicts, the challenge of proto-peer competitors and rising as well as what steps the U.S. might take to remain the primary arbiter of the international system at large. As this topic is of great interest to CIMSEC’s readership, we are proud to partner with NAFAC in this, their 57th year, to bring you a series of real-time posts from the day’s events in Annapolis, MD. CIMSEC would like to recognize MIDN 1/C Charlotte Asdal, NAFAC Director, and her staff for allowing us to participate in this year’s events and for inviting our readership to virtually share in the week’s rich academic environment.
Robert H. McKinney Address – Vice Admiral James Foggo, III, Director, Navy Staff and Former Commander 6th Fleet
“The greatest leaders must be educated broadly.” – Gen. George Olmstead
Vice Admiral James Foggo III addressed midshipmen and delegates Thursday morning, the last day of the NAFAC conference. The address, bolstered by personal anecdotes, videos, and photographs from the Navy Staff Director and former 6th Fleet Commander, largely addressed the question of great power competition from the perspective of the United States’ relationship with the Russian Federation. The admiral’s address familiarized the audience with recent history and current operations within the Mediterranean, Arctic, Baltic and beyond, informing the day’s discussion on the evolution of great power competition in the coming decades.
What Makes a Great Power?
To begin, VADM Foggo was careful to define the terms used in answering the question: Are we in a new era of great power competition? The admiral expressed confidence that the United States remains the greatest nation in the world, providing exposition on what makes the United States a great power. Great powers, he explained, go beyond the sum of their people, economic, or military strength to offer ideas, opportunity, and leadership, using their power to affect change for the world’s weakest and most vulnerable populations. Russia, he went on to conclude, is not by this definition a great power – their “sum” qualifies the Federation as a major power, but their actions, primarily enacted in self-interest, disqualify them from great power status. Understanding this distinction is crucial.
The 4th Battle for the Atlantic
VADM Foggo provided helpful historical context for the historical relationship between the Soviet Union/Russian Federation and the United States. The First Battle for the Atlantic, he explained, occurred during the course of World War One, while the Second, where the United States and her allies defeated axis powers relentless undersea tactics with “grit, resolution, the submarine detection system, and the lend-lease program to Britain.” The third battle, he explained, occurred during the course of the Cold War. An unclassified report based on the3rd Battle Innovation Project commissioned by the United States Submarine Force on the contribution of U.S. undersea assets to U.S. victory in the Cold War concluded with the following sentiment: “someday, we may face a 4th Battle of the Atlantic.” VADM Foggo asserted that we are, indeed, in the midst of this battle now. The admiral and his co-author Alarik Fritz of the Center for Naval Analysis, collected their thoughts in an article published by the United States Naval Institute, “The 4th Battle for the Atlantic.”
VADM Foggo characterized the aforementioned 4th Battle for the Atlantic though a series of examples and anecdotes. Beginning with Russia’s invasion of Georgia in 2008, the United States exercised its responsibility as a great power to seek to deescalate tensions and compromise where possible by pursuing the Reset policy with the Russian Federation. This policy, he explained, did not work as intended. In 2014, the U.S. was once again surprised by Russia’s aggressive and illegal actions in Ukraine. This unjustified action, he went on, is an example of why Russia is not a great power, but rather only a major power. This action partially inspired the “back to basics” policy for U.S. defense thinkers and policymakers called for by ADM Greenert.
Admiral Foggo recommended several books to the audience, including ONI’s Russian Navy report, which he emphasized was a “must read” for tomorrow’s defense and foreign policy leaders.
VADM Foggo explored a few key areas where Russia is challenging U.S. and allied interests, providing tangible examples. In the Arctic, he explained, Russians currently operate seven former Cold War bases at company- and battalion- strength units with an endurance of a year or more. Russia has militarized the Arctic, which concerns the U.S. and our allies, particularly the Norwegians, regarding restricted access to international waters. To drive this point home, the admiral displayed a photograph of the Russian flag planted at the geographical North Pole, moved there by a Russian submersible.
U.S. Navy ship encounters aggressive Russian aircraft in Baltic Sea, April 12, 2016. (U.S. European Command)
Given the venue of the conference, VADM Foggo appropriately addressed his professional experience with aggressive actions by the Russian Federation at sea. Beginning with the Su-24 flyby of the USS Donald Cook (DDG-75) in the Black Sea, during which, he emphasized, the wingtip of the Russian aircraft was no more than 30 feet from the deck of the destroyer, the Russian Naval forces escalated tensions in response to U.S. presence in Russia’s adjacent international waters and beyond. The admiral explained the import of strategic communication to gain the moral high ground, which the U.S. achieved by declassifying and releasing an image of the Su-24 narrowly off the bridge wing of the Donald Cook, along with diplomatic protest and meaningful presence in the form of BALTOPS 2016.
“49 Ships Became 52”
BALTOPS is a NATO exercise to improve and display the interoperability of allied forces. The 2016 exercise communicated a clear strategic message; the exercise boasted three amphibious landing operations (versus the previous year’s two), extensive anti-submarine warfare (ASW) operations with three allied submarines and maritime patrol and reconnaissance (MPRA) aircraft, and more. In an effective anecdote that illustrated the Russian response to the exercise, the admiral shared that when reviewing photos from the PHOTOEX conducted during BALTOPS, 52 ships appeared in the photograph – 49 allied vessels, two Russian destroyers, and a Russian AGI. “49 ships, he recalled, became 52.” Tellingly, the Russian response to the success of the strategic messaging of the exercise included “a Stalin-like purge of Russian commanders in the Baltic Fleet,” due to their unwillingness to challenge western ships. Further reinforcing the point, VADM Foggo shared moreexamples of his interactions with Russian counterparts in multilateral and bilateral discussions.
Looking Forward – “The Surest Guarantee of Peace”
The tone of VADM Foggo’s remarks was one of stark realism, but also optimism as well. The admiral expressed confidence in the forces that were under his command, but reiterated to the audience of future diplomatic and military leaders the crucial nature of continued vigilance and continued action in support of the United States’ responsibilities as a great power. He included a timely example – the recent strikes on a Syrian airbase in response to the use of chemical weapons by the Assad regime. “Great powers react, but they react proportionally,” the VADM concluded, expressing belief in the possibility that such actions can bring compromise – a concept, he said, a great power should pursue and prioritize.
Technology and Cyber-Competition Panel
Note: The following information is paraphrased from the panelists’ remarks – their thoughts, remarks, and research are their own and are reproduced here for the information of our audience only.
Panelists Brigadier General Greg Touhill, USAF (ret.), the First Federal Chief of Information Security Officer, Mr. August Cole, Senior Fellow at the Atlantic Council and co-author of Ghost Fleet, andDr. Nicol Turner-Lee, Fellow at the Center for Technology and Innovation at the Brookings Institution, were given the opportunity to provide open-ended remarks before the question and answer portion of the panel.
A Strategic Framework for Cybersecurity
Cybersecurity is a provocative issue, and General Touhill used his opening remarks to dispel some common rumors about the cyber realm. This is not a technology issue, he went on, but a risk management issue; it is an instrinsic facet of [the United States’] national economy and security to be sensitive to the protection of our technology, information, and competitive advantage. Cybersecurity, he explained, is not all about the tech, but rather about the information. When considering cyber strategy, the General contended that a direct, simple strategy is best and most likely to be effectively executed. To this end, he outlined five lines of effort:
Harden the workforce: risk exposure is tremendous, as our culture, norms, and economy rely on automated information systems – this includes home, federal, and corporate entities
You can’t defend what you don’t know you have. Information is an asset, and should be treated as such.
Within five years, every business will be conducting asset inventory and valuation of its information as any other asset – some entities within the Federal Government, he explained, may not appreciate the value of their information and may not even realize they have it.
Do the right things, the right way, at the right time: Cyber hygiene is great, but has to be applied smartly – 85 percent of breaches, he explained, are due to improper patching of common vulnerabilities. The basics come first – stakeholders should update apps, OS, and apply other simple fixes. Care and due diligence is required.
Investment. The General introduced “Touhill’s Law,” which contends that one human years accounts for twenty five “computer” years – by this math, some machines in the federal government architecture are several thousand years old. Depreciation and recapitalization are key; from a strategic standpoint, neglecting this reality is a failure.
It’s all about the risk. In a contemporary sense, much of the risk is deferred to server management teams and IT, and decisions on that risk are not being made at the right levels.
The general indicated a desperate need for a cogent strategic cyber framework on which to operate and that these five lines of effort are a good foundation for such a framework.
Fiction’s Role in Challenging Assumptions
August Cole, a noted analyst and fiction author, began by recounting the impact that Tom Clancy’s 1986 thriller Red Storm Rising had on his life. As a fiction author, he went on the explain, his job is to think the unthinkable, devoting intellectual energy and professional attention to considering tomorrow’s conflict from a multitude of perspectives. Fiction, Cole explained, allows us to consider an adversaries perspective and confront our own biases to present a bigger truth.
Cole and his co-author Peter Signer’s novel Ghost Fleet addresses the rise of China – the book starts a conversation in an engaging way that captured the authors’ imagination. The writing process caused the authors to confront some uncomfortable truths. The American way of war, he said, is predicated on technical superiority that isn’t necessarily in line with our evolving reality. The reliance on tech creates a vulnerability, and through the lens of great power competition, we should be thinking about the difference between our assumptions about conflict and how conflict will actually be. One must challenge their assumptions, and resist the urge to fall in love with their own investments.
Information as a Commodity and Vulnerability
As a policy analyst and social scientist, Dr. Turner-Lee looks to understand behaviors that are overlaid with technology – she has focused on what we need to do to create equitable access to technology. Tech, she explained, is changing the nature of human behavior and increasing vulnerabilities. We must consider, she said, how we are contributing to the evolution of the tech ecosystem from the realm of consumption to an entity that effects the fabric of national security. What we understand as being “simple” actually isn’t, and what started as a privacy discussion has evolved into a security issue. When considering social media, Dr. Turner-Lee went on, it is interesting to see how 140 characters can become the catalyst for campaigns that threaten national security.
Dr. Turner-Lee mentioned the concept of pushback from technology companies against government requests for information and policies that need to be engaged to address this. There is a role, she explained, for the military to identifies vulnerabilities, while companies are appointing chief privacy officers and innovation officers, while lastly, the research community needs people to understand how information has become a commodity. As researchers, she explained, she and her colleagues are trying to find vulnerability and understand the impact on our national economy by looking at the nature of human behavior prescribing the right policies to ensure threats are minimized.
Given the current security landscape for cyber, what do you see as the greatest cyber threats facing the U.S.?
Brig. Get Touhill explained that at the Department of Homeland Security, they binned threats into 6 groups:
Vandals – frequent and common
Burglars – financially motivated and prevalent
Muggers – this includes hacks like SONY as well as cyber-bullies
Spies – can be either insiders or traditional political-military threat looking to gain a competitive edge by stealing intellectual property.
Sabatuers – pernicious, difficult to find, and could be, for example, an individual who is fired but retains access to a system.
Negligent Users – This group constitutes the greatest threat. This group includes the careless, negligent, and indifferent in our own ranks.
China has been evidently and aggressively pursuing AI, hypersonic, quantum computing, and other next-generation technology – what does this mean for our assumption about the American way of war over the next several decades?
August Cole explained that the U.S. must directly confront the assumption that we will always have the edge of technical superiority – this may very well remain true, he said, but we cannot count on it. From a PRC military point of view, they look to not only acquire capabilities but further their knowledge on how best to employ them. We must, he went on, work to connect information and technology that we would not instinctively put in the same basket by considering, for instance, the battlefield implications of a hack on a healthcare provider who serviced military personnel. Technology, he explained, will alter the relationship between power and people, and understanding this connection is complex and difficult. Fiction allows us to synthesize these realms in a way that may be difficult otherwise – and appreciate the operational implications.
How has social media impacted our ability to monitor and address national security threats?
Dr. Turner-Lee began by exploring the implication of emerging social media tools that do not curate data (think Snapchat), explaining that as encryption technology has become more sophisticated, it has further complicated the national security problem. Nicole referred to “permission-less innovation,” meaning that the tech community continues to innovate in ways that cannot be controlled and this innovation is sometimes disruptive. Social media, she went on, is not always designed with privacy in mind, and enacting privacy policies has been reactionary for many companies.
Turner-Lee addressed the general hesitation of users to hand over or allow the collection of their information – personal data, she said, is seen as just that – personal – and companies promote this quality in their tech. For instance, she alluded to the current lawsuit between Twitter and the federal government over the identities of disruptive Twitter accounts. The disconnect between privacy and security, she concluded, can sometimes constitute a weakness.
The moderator pointed out that while tech has developed, policy has lagged. Mr. Cole added that the “internet of things” provides a corollary to this. Further development of wearable or say-to-day tech that generates and collects data automatically has national security implications. He provided an example in the domain of land warfare, suggesting that operators could notionally create a digital map based on device feedback. The data and processing power to make these analytics will exist, he affirmed, but we haven’t considered it.
Dr. Turner-Lee further elaborated that machine-to-machine interactions, which are based on algorithms that predict what you will or will not do, sustain a threat to national security when those algorithms are incorrect or tampered with. For instance, autonomous vehicles could be hacked and directed in a way that makes them a vehicular bomb. Overcoming machine-to-machine bias is very difficult and constitutes a security risk proportional to our dependence on machine-to-machine tech. This is a space, she said, with many vulnerabilities, driving itself in ways we are unaware of.
The final day of NAFAC 2017 proved a fitting end to three days of intense discussion and consideration on the topic of a new era of great power competition. VADM Foggo’s address brought a much needed operational perspective to the delegates and attendees, relaying the seriousness and immediate applicability of the question at hand, particularly for those midshipmen who will be serving aboard operational vessels in just a few short months. Further, the Technology and Cyber-Competition panel provided much needed context for the changing nature of tomorrow’s conflicts, challenging many long-held assumptions about the way of war.
Our representatives were impressed with the diligence, research, and creative thought participants brought to the round table panels. Readers can look for select publications from the Round Tables next week, when CIMSEC will share outstanding research essays from delegates. CIMSEC is extremely grateful to the United States Naval Academy, MIDN Charlotte Asdal and her NAFAC staff, and senior advisors and moderators for allowing us to participate in this year’s conference and share the great value of this discussion with our readership.
Until next year!
Sally DeBoer is the President of CIMSEC for 2016-2017. She can be reached at firstname.lastname@example.org.
Featured Image: A CH-53E Super Stallion helicopter flies ahead of the amphibious assault ship USS Peleliu (LHA-5) after conducting helocast operations at Pyramid Rock Beach, Marine Corps Base Hawaii. The helocast was part of a final amphibious assault during Rim of the Pacific (RIMPAC) Exercise 2014. (U.S. Marine Corps photo by Cpl. Matthew Callahan/Released)
The relationship between the sea and information is ancient. In 480 BC, the Greeks learned of a secret naval invasion planned by the Persians. According to Simon Singh in The Code Book, the message was delivered steganographically on a covered tablet giving sufficient time to prepare for a defense that ultimately led to victory.1 Through information theory, the quantitative theory of coding and transmission of signals and information, we discover that information is a physical property of our reality and a resource to be guarded. In the words of Charles Seife, “Information is every bit as palpable as the weight of bullet, every bit as tangible as the heft of an artillery shell—and every bit as vulnerable as a freighter full of ammunition.”2
Today’s maritime security hinges on information. As Admiral (ret.) James Stavridis argues, nowhere is the gap between threat (high) and defensive capability (low) as large as on the cyber front. Derived from ‘cybernetics,’ “cyber” loosely refers to information loops and everything that is connected to a computer network. The shipping industry (which feeds, fuels, and clothes our country) is growing increasingly connected to the internet and therefore more vulnerable to cyber attacks. New cyber technologies are also being used in the maritime field to solve climate and natural resource puzzles — both keys to long term human survival. Through cyber education and training, citizens and leaders can gain an edge in the digital world and invest themselves in solving some of the most pressing maritime security problems.
Our relationship to the ocean has been transformed by cyber. As John C. Perry outlines in “Beyond the Terracentric,” the ocean can be seen as an avenue, arena, and source.3 Before the standard shipping container system was invented, ships were unloaded with back-breaking efforts of manual laborers. Today, cranes take care of the work, moving containers from the ship to the shore (and vice versa). Sometimes loading and unloading is done with humans operating joysticks, while in other places computer programs sift through the manifests and unload using algorithms. Automatic ports may be targeted by external actors looking to manipulate freight shipments for their benefit.
In 2016, The Economistand The Journal of Commerce chronicled the sagas of the Port of Long Beach, California and the Port of Rotterdam, Netherlands and their transitions towards automation. When viewing an operation with computerized manifests, automatic cranes, and even driver-less trucks moving containers, it is imperative to remember that what is connected can be compromised at every level. Such an interconnected world increases the opportunities for external targeting while raising the stakes for maritime security for the United States. Estimates show that ninety percent of the world’s goods are imported by sea.4 As a single example, each year more than $180 billion of goods (or 6.8 million containers) pass through the Port of Long Beach.5 A brief interruption in shipping made by a foreign government, company, or private individuals would likely ripple through a nation with economic effects reverberating up and down the supply chain.
On the bright side, new computer technologies may allow us to more easily monitor changes in ocean health conditions. With improved information, states and actors can ensure better protection for the ocean and fish that are crucial to industry and food supplies, especially in disputed areas. States can track each other and keep accountability through satellites and technologies like AIS (automatic identification system).New cyber capabilities like The Internet of Things (IoT) may allow us to revolutionize ocean data analysis and create new levels of environmental responsibility. Social entrepreneurship ventures like Blue Water Metrics now aim to crowdsource data collection via the world’s oceangoing shipping fleets and upload all the ocean data to a cloud database. Educating state leaders offers the best chance of maximizing the positive externalities of technological change, both in protecting natural resources and shipping assets.
Preparing Cyber Leaders
Increasing information literacy will improve competitiveness in nearly every field. Studying information theory, encryption, and coding with the same vigor as foreign languages may transform an individual’s field and personal career trajectory. In the book Dark Territory, Fred Kaplan describes how Cyber Command personnel grew from 900 to 4,000 between 2009 to 2012, and is expected to climb to 14,000 by the end of 2020.6 Established academic institutions could recognize certificate programs from organizations like Codecademy via transcript notations, which may improve educational and employment prospects.
Cyber education can be seen both as a patriotic duty and as an economic opportunity. As far back as 1991 the National Research Council observed that “the modern thief can steal more with a computer than with a gun.”7By educating tomorrow’s cyber leaders, institutions, and community, organizations can empower people to defend themselves intelligently against thieves and reinvent themselves by beginning careers in the digital world.
The Polaris of Programming
Not all innovation needs to be forward looking. In the evolutionary dance between encryption and decryption, centuries passed before certain “unbreakable” codes were broken. The Fletcher School at Tufts University combines international studies and the analysis of world events with cyber studies in its course Foundations of International Cyber Security. Scholar practitioners, such as Michele Malvesti, offer unique perspectives on the past and the pipeline of the future, including the importance of supply stream, deterrence, and attribution. Graduate-level cyber curricula can unlock strategic chess moves for governmental, citizen-led, and private organizations alike. Incorporating history in computer science education, like Harvard’s course Great Ideas in Computer Science, can provide fertile intellectual context where principles can be appraised and applied in modern contexts. Scientists throughout history, like Abu Yusuf Yaqub, Blaise de Vigenere, and Charles Babbage make great role models along with programmers like Ada Lovelace and RDML (ret.) Grace Hopper.
When programming is seen as an essential language, computer history as a strategic advantage, and information as an environmental and security opportunity, our digital tribe will be better able to overcome uncertainty and adversaries.
An entrepreneur and former boat captain, Jack Whitacre studied international security and maritime affairs at The Fletcher School of Law and Diplomacy. Contact him at James.C.Whitacre@gmail.com.
1. Simon Singh, “The Code Book: How to Make it, Break it, Hack it, Crack it,” 2001, p.8
2. Charles Seife, “Decoding the Universe,” p. 8
3. John C. Perry, “Beyond the Terracentric: Maritime Ruminations,” 2013, p.143
4. Rose George, “Ninety Percent of Everything: Inside Shipping, the Invisible Industry That Puts Clothes on Your Back, Gas in Your Car, and Food on Your Plate,” 2013.
5. Port of Long Beach. “Facts at a Glance.” The Port of Long Beach: The Green Port. The Port of Long Beach. February 8th, 2017. http://www.polb.com/about/facts.asp
6. Fred Kaplan, “Dark Territory: The Secret History of Cyber War,” 2006, p. 4
Featured Image: The Port of Los Angeles in Feb. 2013. (Tim Rue — Bloomberg/Getty Images)
The United States Navy is a vast, worldwide organization with unique missions and challenges, with information security (and information warfare at large) a key priority within the Chief of Naval Operations’ strategic design. With over 320,000 active duty personnel, 274 ships with over 20 percent of them deployed across the world at any one time, the Navy’s ability to securely communicate across the globe to its forces is crucial to its mission. In this age of rapid technological growth and the ever expanding internet of things, information security is a primary consideration in the minds of senior leadership of every global organization. The Navy is no different, and success or failure impacts far more than a stock price.
Indeed, an entire sub-community of professional officers and enlisted personnel are dedicated to this domain of information warfare. The great warrior-philosopher Sun Tzu said “one who knows the enemy and knows himself will not be endangered in a hundred engagements.” The Navy must understand the enemy, but also understand its own limitations and vulnerabilities, and develop suitable strategies to combat them. Thankfully, strategy and policy are core competencies of military leadership, and although information warfare may be replete with new technology, it conceptually remains warfare and thus can be understood, adapted, and exploited by the military mind.
This paper presents a high-level, unclassified overview of threats and vulnerabilities surrounding the U.S. Navy’s network systems and operations in cyberspace. Several threats are identified to include nation states, non-state actors, and insider threats. Additionally, vulnerabilities are presented such as outdated network infrastructure, unique networking challenges present aboard ships at sea, and inadequate operating practices. Technical security measures that the Navy uses to thwart these threats and mitigate these vulnerabilities are also presented. Current U.S. Navy information security policies are analyzed, and a potential security strategy is presented that better protects the fleet from the before-mentioned cyber threats, mitigates vulnerabilities, and aligns with current federal government mandates.
Navy Network Threats and Vulnerabilities
There are several cyber threats that the Navy continues to face when conducting information operations in cyberspace. Attacks against DoD networks are relentless, with 30 million known malicious intrusions occurring on DoD networks over a ten-month period in 2015. Of principal importance to the U.S. intelligence apparatus are nation states that conduct espionage against U.S. interests. In cyberspace, the Navy contests with rival nations such as Russia, China, Iran, and North Korea, and all are developing their own information warfare capabilities and information dominance strategies. These nations, still in various stages of competency in the information warfare domain, continue to show interest in exploiting the Navy’s networks to conduct espionage operations, either by stealing information and technical data on fleet operations or preventing the Navy from taking advantage of information capabilities.
Non-state actors also threaten naval networks. Organized activist groups known collectively as “hacktivists,” with no centralized command and control structure and dubious, fickle motivations, present a threat to naval cyberspace operations if their goals are properly aligned. In 2012, Navy officials discovered hacktivists from the group “Team Digi7al” had infiltrated the Navy’s Smart Web Move website, extracting personal data from almost 220,000 service members, and has been accused of more than two dozen additional attacks on government systems from 2012 to 2013. The hactivist group boasted of their exploits over social media, citing political reasons but also indicated they did it for recreation as well. Individual hackers, criminal organizations, and terrorist groups are also non-state threat actors, seeking to probe naval networks for vulnerabilities that can be exploited to their own ends. All of these threats, state or non-state actors, follow what the Department of Defense (DoD) calls the “cyber kill chain,” depicted in figure 1. Once objectives are defined, the attacker follows the general framework from discovery to probing, penetrating then escalating user privileges, expanding their attack, persisting through defenses, finally executing their exploit to achieve their objective.
One of the Navy’s most closely-watched threat sources is the insider threat. Liang and Biros, researchers at Oklahoma State University, define this threat as “an insider’s action that puts an organization or its resources at risk.” This is a broad definition but adequately captures the scope, as an insider could be either malicious (unlikely but possible, with recent examples) or unintentional (more likely and often overlooked).
The previously-mentioned Team Digi7al hactivist group’s leader was discovered to be a U.S. Navy enlisted Sailor, Petty Officer Nicholas Knight, a system administrator within the reactor department aboard USS HARRY S TRUMAN (CVN 75). Knight used his inside knowledge of Navy and government systems to his group’s benefit, and was apprehended in 2013 by the Navy Criminal Investigative Service and later sentenced to 24 months in prison and a dishonorable discharge from Naval service.
Presidential Executive Order 13587, signed in 2011 to improve federal classified network security, further defines an insider threat as “a person with authorized access who uses that access to harm national security.” Malevolence aside, the insider threat is particularly perilous because these actors, by virtue of their position within the organization, have already bypassed many of the technical controls and cyber defenses that are designed to defeat external threats. These insiders can cause irreparable harm to national security and the Navy’s interests in cyberspace. This has been demonstrated by the Walker-Whitworth espionage case in the 1980s, Private Manning in the latter 2000s, or the very recent Edward Snowden/NSA disclosure incidents.
The Navy’s vulnerabilities, both inherent to its nature and as a result of its technological advances, are likewise troubling. In his 2016 strategic design, Chief of Naval Operations Admiral John M. Richardson stated that “the forces at play in the maritime system, the force of the information system, and the force of technology entering the environment – and the interplay between them have profound implications for the United States Navy.” Without going into classified details or technical errata, the Navy’s efforts to secure its networks are continuously hampered by a number of factors which allow these threats a broad attack surface from which to choose.
As the previous Chief of Naval Operations (CNO), Admiral Jon Greenert describes in 2012, Navy platforms depend on networked systems for command and control: “Practically all major systems on ships, aircraft, submarines, and unmanned vehicles are ‘networked’ to some degree.” The continual reliance on position, navigation, and timing (PNT) systems, such as the spoofing and jamming-vulnerable Global Positioning System (GPS) satellite constellation for navigation and precision weapons, is likewise a technical vulnerability. An internet search on this subject reveals multiple scholarly and journalist works on these vulnerabilities, and more than a few describe how to exploit them for very little financial investment, making them potentially cheap attack vectors.
Even the Navy’s vast size and scope of its networks present a vulnerability to its interests in cyberspace. As of 2006, the Navy and Marine Corps Intranet (NMCI), a Government Owned-Contractor Operated (GOCO) network that connects Navy and Marine Corps CONUS shore commands under a centralized architecture, is “the world’s largest, most secure private network serving more than 500,000 sailors and marines globally.” That number has likely grown in the 10 years since that statistic was published, and even though the name has been changed to the Navy’s Next Generation Network (NGEN), it is still the same large beast it was before, and remains one of the single largest network architectures operating worldwide. Such a network provides an enticing target.
Technical Security Measures and Controls
The Navy employs the full litany of technical cybersecurity controls across the naval network enterprise, afloat and ashore. Technical controls include host level protection through the use of McAfee’s Host Based Security System (HBSS), designed specifically for the Navy to provide technical controls at the host (workstation and server) level. Network controls include network firewalls, intrusion detection and prevention systems (IDS/IPS), security information and event management, continuous monitoring, boundary protection, and defense-in-depth functional implementation architecture. Anti-virus protection is enabled on all host systems through McAfee Anti-Virus, built into HBSS, and Symantec Anti-Virus for servers. Additionally, the Navy employs a robust vulnerability scanning and remediation program, requiring all Navy units to conduct a “scan-patch-scan” rhythm on a monthly basis, although many units conduct these scans weekly.
The Navy’s engineering organization for developing and implementing cybersecurity technical controls to combat the cyber kill chain in figure 1 is the Space and Naval Warfare Systems Command (SPAWAR), currently led by Rear Admiral David Lewis, and earlier this year SPAWAR released eight technical standards that define how the Navy will implement technical solutions such as firewalls, demilitarized zones (DMZs), and vulnerability scanners. RADM Lewis noted that 38 standards will eventually be developed by 2018, containing almost 1,000 different technical controls that must be implemented across the enterprise.
Of significance in this new technical control scheme is that no single control has priority over the others. All defensive measures work in tandem to defeat the adversary’s cyber kill chain, preventing them from moving “to the right” without the Navy’s ability to detect, localize, contain, and counter-attack. RADM Lewis notes that “the key is defining interfaces between systems and collections of systems called enclaves,” while also using “open architecture” systems moving forward to ensure all components speak the same language and can communicate throughout the enterprise.
The importance of open systems architecture (OSA) as a way to build a defendable network the size of the Navy’s cannot be understated. The DoD and the Navy, in particular, have mandated use of open systems specifications since 1994; systems that “employ modular design, use widely supported and consensus-based standards for their key interfaces, and have been subjected to successful validation and verification tests to ensure the openness of their key interfaces.” By using OSA as a means to build networked systems, the Navy can layer defensive capabilities on top of them and integrate existing cybersecurity controls more seamlessly. Proprietary systems, by comparison, lack such flexibility thereby making integration into existing architecture more difficult.
Technical controls for combating the insider threat become more difficult, often revolving around identity management software and access control measures. Liang and Biros note two organizational factors to influencing insider threats: security policy and organizational culture. Employment of the policy must be clearly and easily understood by the workforce, and the policy must be enforced (more importantly, the workforce must fully understand through example that the policies are enforced). Organizational culture centers around the acceptance of the policy throughout the workforce, management’s support of the policy, and security awareness by all personnel. Liang and Biros also note that access control and monitoring are two must-have technical security controls, and as previously discussed, the Navy clearly has both yet the insider threat remains a primary concern. Clearly, more must be done at the organizational level to combat this threat, rather than just technical implementation of access controls and activity monitoring systems.
Information Security Policy Needed to Address Threats and Vulnerabilities
The U.S. Navy has had an information security policy in place for many years, and the latest revision is outlined in Secretary of the Navy Instruction (SECNAVINST) 5510.36, signed June 2006. This instruction is severely out of date and does not keep pace with current technology or best practices; Apple released the first iPhone in 2007, kicking off the smart phone phenomenon that would reach the hands of 68% of all U.S. adults as of 2015, with 45% also owning tablets. Moreover, the policy has a number of inconsistencies and fallacies that can be avoided, such as a requirement that each individual Navy unit establish its own information security policy, which creates unnecessary administrative burden on commands that may not have the time nor expertise to do so. Additionally, the policy includes a number of outdated security controls under older programs such as the DoD Information Assurance Certification and Accreditation Process (DIACAP), which has since transitioned to the National Institute for Standards and Technology (NIST) Risk Management Framework (RMF).
Beginning in 2012, the DoD began transitioning away from DIACAP towards the NIST RMF, making full use of NIST Special Publications (SPs) for policy development and implementation of security controls. The NIST RMF as it applies to DoD, and thus the Navy, is illustrated in figure 2. The process involves using NIST standards (identified in various SPs) to first categorize systems, select appropriate security controls, implement the controls, assess their effectiveness, authorize systems to operate, then monitor their use for process improvement.
This policy is appropriate for military systems, and the Navy in particular, as it allows for a number of advantages for policymakers, warfighters, system owners, and developers alike. It standardizes cybersecurity language and controls across the federal government for DoD and Navy policymakers, and increases rapid implementation of security solutions to accommodate the fluidity of warfighting needs. Additionally, it drives more consistent standards and optimized workflow for risk management which benefits system developers and those responsible for implementation, such as SPAWAR.
Efforts are already underway to implement these policy measures in the Navy, spearheaded by SPAWAR as the Navy’s information technology engineering authority. The Navy also launched a new policy initiative to ensure its afloat units are being fitted with appropriate security controls, known as “CYBERSAFE.” This program will ensure the implementation of NIST security controls will be safe for use aboard ships, and will overall “focus on ship safety, ship combat systems, networked combat and logistics systems” similar to the Navy’s acclaimed SUBSAFE program for submarine systems but with some notable IT-specific differences. CYBERSAFE will categorize systems into three levels of protection, each requiring a different level of cybersecurity controls commensurate with how critical the system is to the Navy’s combat or maritime safety systems, with Grade A (mission critical) requiring the most tightly-controlled component acquisition plan and continuous evaluation throughout the systems’ service life.
Implementation of the NIST RMF and associated security policies is the right choice for the Navy, but it must accelerate its implementation to combat the ever-evolving threat. While the process is already well underway, at great cost and effort to system commands like SPAWAR, these controls cannot be delayed. Implementing the RMF across the Navy enterprise will reduce risk, increase security controls, and put its implementation in the right technical hands rather than a haphazard implementation of an outdated security policy that has, thus far, proven inadequate to meet the threats and reduce vulnerabilities inherent with operating such a large networked enterprise. With the adoption of these new NIST policies also comes a new strategy for combating foes in cyberspace, and the Navy has answered that in a few key strategy publications outlined in the next section.
Potential Security Strategy for Combating Threats and Minimizing Vulnerabilities
It is important to note that the Navy, like the other armed services of the DoD, was “originally founded to project U.S. interests into non-governed common spaces, and both have established organizations to deal with cybersecurity.” The Navy’s cyber policy and strategy arm is U.S. Fleet Cyber Command (FLTCYBERCOM, or FCC), co-located with the DoD’s unified cyber commander, U.S. Cyber Command (USCYBERCOM, or USCC). Additionally, its operational cyber arm, responsible for offensive and defensive operations in cyberspace, is U.S. 10th Fleet (C10F), which is also co-located with U.S. Fleet Cyber and shares the same commander, currently Vice Admiral Michael Gilday.
Prior to VADM Gilday’s assumption of command as FCC/C10F, a strategy document was published by the Chief of Naval Operations in 2013 known as Navy Cyber Power 2020, which outlines the Navy’s new strategy for cyberspace operations and combating the threats and vulnerabilities it faces in the information age. The strategic overview is illustrated in figure 3, and attempts to align Navy systems and cybersecurity efforts with four main focus areas: integrated operations, optimized cyber workforce, technology innovation, and acquisition reform. In short, the Navy intends to integrate its offensive and defensive operations with other agencies and federal departments to create a unity of effort (evident by its location at Ft. Meade, MD, along with the National Security Agency and USCC), better recruit and train its cyber workforce, rapidly provide new technological solutions to the fleet, and reform the acquisition process to be more streamlined for information technology and allow faster development of security systems.
Alexander Vacca, in his recent published research into military culture as it applies to cybersecurity, noted that the Navy is heavily influenced by sea combat strategies theorized by Alfred Thayer Mahan, one of the great naval strategists of the 19th century. Indeed, the Navy continually turns to Mahan throughout an officer’s career from the junior midshipman at the Naval Academy to the senior officer at the Naval War College. Vacca noted that the Navy prefers Mahan’s “decisive battle” strategic approach, preferring to project power and dominance rather than pursue a passive, defensive strategy. This potentially indicates the Navy’s preference to adopt a strategy “designed to defeat enemy cyber operations” and that “the U.S. Navy will pay more attention to the defeat of specified threats” in cyberspace rather than embracing cyber deterrence wholesale. Former Secretary of the Navy Ray Mabus described the offensive preference for the Navy’s cyberspace operations in early 2015, stating that the Navy was increasing its cyber effects elements in war games and exercises, and developing alternative methods of operating during denial-of-service situations. It is clear, then, that the Navy’s strategy for dealing with its own vulnerabilities is to train to operate without its advanced networked capabilities, should the enemy deny its use. Continuity of operations (COOP) is a major component in any cybersecurity strategy, but for a military operation, COOP becomes essential to remaining flexible in the chaos of warfare.
A recent article describing a recent training conference between top industry cybersecurity experts and DoD officials was critical of the military’s cybersecurity training programs. Chief amongst these criticisms was that the DoD’s training plan and existing policies are too rigid and inflexible to operate in cyberspace, stating that “cyber is all about breaking the rules… if you try to break cyber defense into a series of check-box requirements, you will fail.” The strategic challenge moving forward for the Navy and the DoD as a whole is how to make military cybersecurity policy (historically inflexible and absolute) and training methods more like special forces units: highly trained, specialized, lethal, shadowy, and with greater autonomy within their specialization.
Current training methods within the U.S. Cyber Command’s “Cyber Mission Force” are evolving rapidly, with construction of high-tech cyber warfare training facilities already underway. While not yet nearly as rigorous as special forces-like training (and certainly not focused on the physical fitness aspect of it), the training strategy is clearly moving in a direction that will develop a highly-specialized joint information warfare workforce. Naegele’s article concludes with a resounding thought: “The heart of cyber warfare…is offensive operations. These are essential military skills…which need to be developed and nurtured in order to ensure a sound cyber defense.“
This paper outlined several threats against the U.S. Navy’s networked enterprise, to include nation state cyber-rivals like China, Russia, Iran, and North Korea, and non-state actors such as hactivists, individual hackers, terrorists, and criminal organizations. The insider threat is of particular concern due to this threat’s ability to circumvent established security measures, and requires organizational and cultural influences to counter it, as well as technical access controls and monitoring. Additionally, the Navy has inherent vulnerabilities in the PNT technology used in navigation and weapon systems throughout the fleet, as well as the vast scope of the ashore network known as NMCI, or NGEN.
The Navy implements a litany of cybersecurity technical controls to counter these threats, including firewalls, DMZs, and vulnerability scanning. One of the Navy’s primary anti-access and detection controls is host-based security through McAfee’s HBSS suite, anti-virus scanning, and use of open systems architecture to create additions to its network infrastructure. The Navy, and DoD as a whole, is adopting the NIST Risk Management Framework as its information security policy model, implementing almost 1000 controls adopted from NIST Special Publication 800-53, and employing the RMF process across the entire enterprise. The Navy’s four-pronged strategy for combating threats in cyberspace and reducing its vulnerability footprint involves partnering with other agencies and organizations, revamping its training programs, bringing new technological solutions to the fleet, and reforming its acquisition process. However, great challenges remain in evolving its training regimen and military culture to enable an agile and cyber-lethal warfighter to meet the growing threats.
In the end, the Navy and the entire U.S. military apparatus is designed for warfare and offensive operations. In this way, the military has a tactical advantage over many of its adversaries, as the U.S. military is the best trained and resourced force the world has ever known. General Carl von Clausewitz, in his great anthology on warfare, stated as much in chapter 3 of book 5 of On War (1984), describing relative strength through admission that “the principle of bringing the maximum possible strength to the decisive engagement must therefore rank higher than it did in the past.” The Navy must continue to exploit this strength, using its resources smartly by enacting smart risk management policies, a flexible strategy for combating cyber threats while reducing vulnerabilities, and training its workforce to be the best in the world.
Lieutenant Howard is an information warfare officer/information professional assigned to the staff of the Chief of Naval Operations in Washington D.C. He was previously the Director of Information Systems and Chief Information Security Officer on a WASP-class amphibious assault ship in San Diego.
Dr. da Cruz is a Professor of International Relations and Comparative Politics at Armstrong State University, Savannah, Georgia and Adjunct Research Professor at the U.S. Army War College, Carlisle, Pennsylvania.
The views expressed here are solely those of the authors and do not necessarily reflect those of the Department of the Navy, Department of the Army, Department of Defense or the United States Government.
Featured Image: At sea aboard USS San Jacinto (CG 56) Mar. 5, 2003 — Fire Controlman Joshua L. Tillman along with three other Fire Controlmen, man the shipÕs launch control watch station in the Combat Information Center (CIC) aboard the guided missile cruiser during a Tomahawk Land Attack Missile (TLAM) training exercise. (RELEASED)