Category Archives: Cyber War

Threats, risks, and players in the cyber realm.

Black Hat 2019 and DEFCON: Leveraging Private Sector Talent for Cyber Capability

By Christian Heller

The U.S. defense complex is looking to private industry and civilian research to gain an advantage on the battlefield as advanced technologies push warfare in new directions. In cyber capabilities especially, the U.S. and its naval services lean on civilians, contractors, and independent cybersecurity companies to gain a competitive national edge. Every year these groups descend upon Las Vegas, Nevada for back-to-back information security and hacking conventions dubbed Black Hat USA and DEFCON. The Department of Defense follows in step to search for best practices, advanced insights, experimental tools, and new talent.

The 2019 editions of Black Hat and DEFCON held plenty for national security analysts to ponder. Dino Dai Zovi, the head of mobile security at the credit card processing company Square, spoke of the need for security software with effective user interfaces which keeps pace with advances in technology. Security programs must be built for “observability” to better “understand if the protections are working and also perform anomaly detection.” Such a requirement is not only necessary for the Navy, but finds a strong historical precedent. The Navy has a long history of simplifying advanced technologies into easier, usable forms for better employment by young sailors.

Identity intelligence, one of the most utilized capabilities of U.S. forces during the past two decades of counterinsurgencies, has also been a main effort for Chinese military and government development. Researchers from the Chinese firm Tencent demonstrated the ability to spoof biometric authentication devices with common eyeglasses. They did so not by convincing the systems that the user was a different person, but rather that the user was a photo instead of a living person. Low budget defenses against identity intelligence tools may prove just as frustrating to U.S. forces in future stability operations as space blankets did against early UAVs.

Major tech leaders like Apple and Microsoft announced new measures to search externally for IT security support through the use of rewards. Apple, which normally treats its technology and systems with close-hold protections, will now award upwards of $1 million to hackers who identify critical vulnerabilities in Apple technology. Microsoft is also offering up to $300,000 to hackers who identify exploits in its Azure cloud technology systems. To facilitate this outside support, Microsoft is creating Azure Security Labs where participants can experiment on Azure networks without affecting the existing customer base.

These bounty programs have already benefited organizations like the Marine Corps which may lack the capacity or skillsets to facilitate internal network testing. At last year’s conference, the Marine Corps hosted a hacking program to test the durability of its public websites and the Marine Corps Enterprise Network, or MCEN. One hundred ethical hackers spent nine hours testing the Marine Corps’ systems and found 75 vulnerabilities in return for $80,000 in combined prize money. Though the payment pales compared to private industry awards, these events are an important way for defense agencies to engage with community experts who are willing to support the military while gaining valuable organizational knowledge in the process. The Pentagon has hosted hacking projects since 2016 and recently leveraged three security firms – Bugcrowd, HackerOne, and Synack – via contract to conduct sustained network testing. Additionally, if data scientists and cyber specialists are going to play a pivotal role in the future Navy and Marine Corps, engaging with non-traditional audiences at events like Black Hat and DEFCON helps to expose the hacking world to the armed services.

The Air Force is embracing conferences like DEFCON to leverage technical expertise and open up the service to these communities. It hosted two events at this year’s conference. One challenged hackers to gain entry into an airbase, and the other tested data transfer hardware for the F-15 fighter. The Trusted Aircraft Information Download Station, or TADs, is an independent subsystem of the F-15 which helps collect sensor inputs like images. Next year the Air Force wants to bring an entire F-15 aircraft to the convention and host a hacking event involving a live satellite.

This year’s events also pointed toward the changing battlespace in which U.S. forces will operate. Harvard lecturer and fellow Bruce Schneier discussed “hacking for good,” a movement which is becoming more prevalent throughout the world. Just as military forces found themselves operating around civilians and non-governmental organizations (NGOs) in Iraq and Afghanistan, the future cyber battlespace may be filled with hacktivists trying to do good or “grey hat” operators taking advantage of disorder to pursue alternative motives.

Hacktivist campaigns have occurred in almost every recent global crisis including Sudan, Venezuela, Pakistan, and Libya. Hacktivist campaigns usually involve unsophisticated denial of service attacks to take down websites and servers which achieve mixed results. However, as cyberspace conflict between great powers becomes routine, such groups are sure to increase operations and become regular actors in the same competitive spaces in which government agencies and militaries interact.

Another feature of the changing cyber battlefield is internal competition between state actors. Kimberly Zenz, a senior official with the German cybersecurity organization DSCO, explained at Black Hat that Russia’s intelligence agencies and hacking organizations should be viewed as individual groups competing for influence with one another. This competition can lead to chaos and risk-taking in cyberspace as groups minimize coordination amongst one another and compete to showcase their abilities to senior officials. The results could be similar to the $10 billion in damages caused by the NotPetya malware.

An information graphic depicting the dangers of cyber attacks. (U.S. Navy graphic)

For the Navy, Marine Corps, and Department of Defense, the consequences of these foreign internal rivalries could be sporadic and disproportionate cyber attacks. Leaders may struggle not only to determine which actor initiated the attack, but what the target, intentions, and overall scale truly are. From the defender’s point of view, probes and attacks which could seem like a coordinated and widespread operation may instead be many. They may also be part of a concerted “persistent engagement” strategy with long-term but subtle objectives. In this case, a defender’s response could be disproportionate to what the attacker intended. These factors make deterrence in cyberspace an elusive goal for policymakers.

One final takeaway from the 2019 conventions is the intention and ability of nefarious actors to target defense users and systems outside of official government channels. Agencies may spend millions to harden networks, but users, such as service members at home, may be the greatest vulnerability in the system. They are often the softest target for foreign powers and criminal groups to exploit with simple techniques. One presenter demonstrated a fully-functioning, charging-capable Apple USB which contains a Wi-Fi implant and allows nearby hackers to access the connected computer. Another speaker showed how she used information from common online subscription services such as Netflix and Spotify to access bank accounts and personal financial data. Using common talking points, customer service helplines, and classic identity theft techniques, she was able to get access to private account information at major financial institutions without any advanced technology. A separate group, Check Point Research, demonstrated the ability to hack digital cameras to spread malware through home networks and hold personal information for ransom.

The military’s efforts to increase information technology security in the workplace may need to extend to personal services and education for service members to prevent workforce distractions, blackmail, or the further spread of malware throughout units and networks. Currently, the individual Soldier, Sailor, Airman, or Marine is the easiest objective for hostile cyber actors to target, whether for criminal, intelligence, or military purposes. The main lessons from Black Hat and DEFCON may be that nowhere is safe, and the services should explore a wider range of protection services for the users they rely on to carry out missions.

Christian Heller is a graduate of the U.S. Naval Academy and University of Oxford. He currently serves as an officer in the United States Marine Corps. Follow him on Twitter, @hellerch. The opinions represented are solely those of the author and do not represent the views of the United States Marine Corps, the Department of Defense, or the United States Government.

Featured Image: DefCon attendees gather in Las Vegas to learn about new technology vulnerabilities and cyberattacks. (AP Photo/Jae C. Hong)

Navy Culture Must Be Adapted to Fit the Information Age

By Lieutenant Commander Travis D. Howard, USN

A recent independent review of the Navy’s cybersecurity posture, completed in March 2019, was predictably harsh on our Navy’s current culture, people, structure, processes, and resourcing to address cybersecurity.[1] For many of us within the Information Warfare discipline, much of this report does not come as a shock, but it does lay bare our cultural, structural, and procedural problems that the Navy has been struggling with since the turn of the century.

The 76th Secretary of the Navy, Richard V. Spencer, should be applauded for enabling open and honest dialogue on the key issues of this report by releasing it for public comment and professional discourse. The review found that the Navy was not “optimally focused, organized, [nor] resourced” for cyberwar.[2] Such transparency has been the hallmark of the naval service for centuries, and is largely the reason why such robust professional forums such as the United States Naval Institute (USNI) and the Center for International Maritime Security (CIMSEC) continue to thrive.

The report was particularly critical of the Navy’s culture, stating that the Navy is “preparing to win some future kinetic battle, while it is losing the current global, counter-force, counter-value, cyberwar.”[3] The report goes on to recommend that the highest levels of Navy leadership adjust the service’s cultural landscape to become more information-centric, rather than platform-centric. This excerpt is particularly vexing:

“Navies must become information enterprises who happen to operate on, over, under, and from the sea; a vast difference from a 355 ship mindset.”[4]

In truth, the Navy that acts as an information enterprise and the Navy that pursues the tenets of traditional naval warfare as laid out by naval doctrine are not mutually exclusive. Our drive toward a bigger, better, and more ready Navy, aligned to the National Defense Strategy, requires a naval culture ready for high-end conflict but active and engaged in all levels of conflict below lethal combat. The adoption of information enterprise core principles certainly has a place in our doctrine; in fact, it’s already there but lacks proper execution and widespread cultural adoption as a core competency across all warfare communities. Navy culture can be adapted to better fit the information age, but it will take the entire Navy to do it and not just a single community of effort.

Information is Already in our Doctrine, but Prioritization Must Improve

The 31st Chief of Naval Operations (CNO), Admiral John Richardson, released a Design for Maintaining Maritime Superiority shortly after assuming his role, and recently released an update (Design 2.0) to complement the 2018 National Defense Strategy. The CNO put information warfare at the center of his strategic thinking, and challenged the Navy’s operational and resourcing arms to “adapt to this reality and respond with urgency.”[5] But this change in the security environment wasn’t new to this CNO; in fact, it was foreseen decades ago by thinkers like CAPT (ret.) Wayne P. Hughes, a venerated naval tactician and professor emeritus at the Graduate School of Operations and Information Sciences of the Naval Postgraduate School. Early versions of Hughes’ Fleet Tactics and Coastal Combat, required reading in graduate-level naval officer training, placed information, rapid adoption of technology, and intelligence at the forefront of effective maritime operations in the modern age.[6]

If we’ve valued information in warfighting all along, then why are we failing to adapt our naval culture to the Information Age? The Cybersecurity Readiness Review cuts straight to the point: “… cybersecurity continues to be seen largely as an ‘IT issue’ or ‘someone else’s problem.’”[7] In our haste to stand up a community of practice to do all the cyber things, we, as a Navy, failed to make the necessary cultural changes that should have accompanied it.

Why hasn’t the growth of the Information Warfare Community focused the Navy’s culture appropriately? After all, creating such specialized warfare communities has always worked well in the past, as any aviator can attest to. Truthfully, the problem is bigger than just one community; the subsequent decades saw the rise of global information technology as central to nearly everything we do, and every Sailor now uses the network as a primary on-the-job resource. The loss of email, web browsing, and support systems that handle tasks from personnel to logistics can and does result in work stoppage; any assertions to the contrary, that workarounds or manual methods still exist, do not accept the reality of the situation.

Cultural change is long overdue, and just like a Marine or Soldier learns how to handle their weapon safely and effectively from day one, we must now train and mentor our Sailors to use the network in the same vein. No more can we flippantly say “we have people for that” when faced with information management and cybersecurity problems, putting effort into modernizing complex systems and enhancing Information Warfare’s lethality, while ignoring the power a single negligent user could wield to bring it all down. It’s all hands on deck now, or the Navy faces the very real possibility of fumbling the opening stages of the next kinetic fight.

Security is Already an Inherent Part of Navy Culture

The good news is that information security is already an intrinsic part of being a member of the armed forces, uniformed or civil service. Security clearances, safe handling procedures for classified information, and cryptography practices like two-person integrity have been trained into the workforce for decades. Protecting information is as much a part of our culture as operating weapons systems or driving warships.

The Navy’s training machine should find ways to leverage this existing culture of compliance to incorporate dynamic and repetitive ways to reach all Sailors at all stages of development – from boot camp to C school, from initial officer training to graduate school, focused on making each Sailor a harder target for information exploitation. Each engagement should be tailored to fit the environment and to complement subject matter: initial user training should teach how to report spear-phishing, practice OPSEC on social media (and how to spot adversarial attempts to collect against them), and recognize unusual activity on a network workstation. A more senior Sailor in C-school might learn how to look at cybersecurity from a supervisory perspective, managing a work center and a group of network assets, and how to spot and report insider threats both malicious and negligent. An officer in a naval graduate program, such as at NPS or the Naval War College, would take advanced threat briefings on adversarial activity targeting rank-and-file users on the network, and how to incorporate such threat information into wargaming to inform the strategic and operational levels of war.

Some of these actions are already in the works, but the emphasis should be on how to engage Sailors in multi-faceted, multi-media ways, and repetition is critical. Seeing the same concept in different ways, in different case studies, reinforces better behavior. The Navy is no stranger to this training method: we are masters at repetitive drills to train crews to accomplish complex actions in combat. Reinforcement of this behavior cannot come fast enough. Incidents attributed to negligent network users are on the rise, and cost organizations millions of dollars a year.[8] The Navy is no exception: category-4 incidents (improper usage) are too common.

Ultimately, the objective should be a Sailor who understands cyber hygiene and proper use of the network as a primary on-the-job tool, just as well as any Soldier or Marine knows his or her rifle. Sailors go to sea aboard complex warships with integrated networked systems that run everything from Hull, Mechanical, and Electrical (HM&E) systems to combat systems and weapons employment. The computer is our rifle; why shouldn’t we learn how to use it more safely and effectively?

Keys to Success

Cultural change is hard, but lessons learned from our past, best practices from the private sector, and good old fashioned invasive leadership (the kind the Navy does very well) can adjust the ship’s rudder and speed before we find ourselves much further in shoal water.

Top level leadership must set the conditions for success, but they have to believe in it themselves. Our Sailors can easily tell when a leader doesn’t fully commit to action, paying lip service but nothing beyond it. They are also hungry to follow a leader who has a passion for what they do. To effect change, passionate leaders need to take center stage with the authority and resources necessary to translate change into action at the deckplate level. When a Sailor sees a top-level message about a desired change, then sees that change actually happening in their workspace, it becomes real for them. Let’s also trust them to understand the threats, rather than keeping the “scary” threat briefs at the senior levels.

Successes must be celebrated, but failures must have real consequences. It’s time to get serious about stopping insider threats, specifically negligent insiders. Too often the conversation about insider threats goes to the criminal and malicious insiders, ignoring the most common root of user-based attack vectors. Our Sailors must be better informed through regular threat briefings, training on how to spot abnormal activity on the network, and clear, standardized reporting procedures when faced with phishing and other types of user-targeted attacks. Those who report suspicious activity resulting in corrective action should be rewarded. Likewise, those who blatantly ignore established cyber hygiene practices and procedures must face real consequences on a scale similar to cryptographic incidents or unattended secure spaces. This will be painful, but necessary to set our user culture right.

Effective training begets cultural change. We must take advantage of new and innovative training methods to enrich our schoolhouses with multimedia experiences that will reshape the force and resonate with our new generation of Sailors. The annual Cybersecurity Challenge should be retired (its effectiveness has been questionable at best) and replaced with the same level of rigor that we used to attack no-fail topics like sexual assault prevention. With the stand-up of a Director of Warfighting Development (N7), and the lines of effort within the CNO’s Design 2.0 rife with high-velocity learning concepts, the near-future landscape to make this sea change looks promising.[9]

Conclusion

The Navy has spent the better part of 30 years struggling to adopt an information-centric mindset, and the good news is that operational forces have come a long way in embracing the importance of information in warfare, and how it permeates all other warfare areas. Yet our culture still has a long way to go to break the now dangerously misguided notion that information management and cybersecurity are something that “we have people for” and doesn’t concern every non-IW Sailor. The IW Community has come a long way and can do a lot to further the Navy’s lethality in space, cyberspace, and the electromagnetic spectrum, but it can’t fix an entire Navy’s cultural resistance to change without strong assistance.

Secretary Spencer, in his letter introducing the public release of the 2019 Cybersecurity Readiness Review, noted that “the report highlights the value of data and the need to modify our business and data hygiene processes in order to protect data as a resource.”[10] He highlighted that cross-functional groups were already underway to address the findings in the report, and surely the machinations of the Navy Headquarters are more than capable of making the necessary changes to the Navy’s “policy, processes, and resources needed to enhance cyber defense and increase resiliency.”[11] But culture, that’s all of us, and we must be biased toward change and improvement. We are the generation of naval professionals who must adapt to this reality and respond with urgency.

Lieutenant Commander Howard is an Information Warfare Officer, information professional, assigned to the staff of the Chief of Naval Operations in Washington DC. A prior enlisted IT and Surface Warfare Officer, his last operational assignment was as the Combat Systems Information Officer aboard USS ESSEX (LHD 2) in San Diego, CA.

References

[1] The Hon. Michael J. Bayer, Mr. John M. B. O’Connor, Mr. Ronald S. Moultrie, Mr. William H. Swanson. Secretary of the Navy Cybersecurity Readiness Review (CSRR), March 2019. https://www.navy.mil/strategic/CyberSecurityReview.pdf

[2] Ibid.

[3] Ibid.

[4] Ibid.

[5] Chief of Naval Operations, December 2018. Design for Maintaining Maritime Superiority, Version 2.0. https://www.navy.mil/navydata/people/cno/Richardson/Resource/Design_2.0.pdf. p. 3

[6] Wayne P. Hughes, 2000. Fleet Tactics and Coastal Combat. Annapolis, MD: Naval Institute Press.

[7] Bayer, et al., CSRR 2019, p. 12

[8] Security Magazine, Apr 24, 2019. “What’s the Average Cost of an Insider Threat?” https://www.businesswire.com/news/home/20180424005342/en/Research-Ponemon-Institute-ObserveITReveals-Insider-Threat

[9] CNO, Design 2.0, p. 13

[10] Secretary of the Navy, 12 Mar 2019. Letter accompanying public release of the CSRR 2019. https://www.navy.mil/strategic/SECNAVCybersecurityLetter.pdf.

[11] Ibid.

Featured Image: U.S. 7TH FLEET AREA OF OPERATIONS (Oct. 16, 2015) Operations Specialist 1st Class Keith Tatum, from Americus, Georgia, stands watch in the Combat Information Center (CIC) aboard the guided-missile cruiser USS Normandy (CG 60) during an air-defense exercise as a part of the joint exercise Malabar 2015. Malabar is a continuing series of complex, high-end warfighting exercises conducted to advance multi-national maritime relationships and mutual security. Normandy is deployed to the U.S. 7th Fleet area of operations as part of a worldwide deployment. (U.S. Navy photo by Mass Communication Specialist 3rd Class Justin R. DiNiro/Released)

The Future of Information Combat Power: Winning the Information War

By VADM T.J. White, RDML Danelle Barrett, and LCDR Robert “Jake” Bebber

Imagine you are the Information Warfare Commander (IWC) of a coalition naval task force in the South China Sea in 2033. The task force’s mission is to deliver combat power in support of the Commander’s campaign objectives. As the IWC, you are simultaneously a “supporting” and “supported” commander. You execute multiple lines of operations across the full-spectrum of influence, information, and cyberspace. The other warfare commanders – strike, air defense, and sea combat – rely on you to understand their fight and fuel their decision-making with precision information, while simultaneously conducting an integrated high-end fight in and through the information domain leading to warfighting outcomes. The information domain is vast; it can be both localized and completely global, interweaving through all other domains of war.

Cyberspace and the Electromagnetic Spectrum are material realizations of the information domain. Whether midpoint or endpoint, Internet Protocol or radio frequency, defense or attack, this is where you fight, for there is only one network separated in time. The arsenal of interoperable weapons and systems, manned and unmanned platforms, at the Commander’s disposal to execute and sustain a campaign requires all that you can bring to bear from across your composable force to achieve unmatched distributed lethality. You have the authorities to execute full-spectrum information warfare to:

  • Reach intended audiences and decision-makers to alter adversary courses of action to our advantage;
  • Protect coalition decision-making;
  • Seize and hold at risk adversary cyberspace;
  • Defend our interests in and through cyberspace;
  • Compete and Win.

Technological capabilities are advancing at an exponential rate while also converging with each other, creating new capabilities for both you and your adversary. When those are combined with people and processes, they provide significant operational advantages, enabling us to simultaneously contest adversary actions in cyberspace, land, sea, air, and space. Future warfighting, enabled by these emerging technologies, is necessary to adapt, develop, and execute new, more lethal operational methods. The future IWC must foster an intuitive ability in themselves and across their force to recognize these emergent opportunities, seize them with deliberate intent, and be comfortable with a battlespace changing at an unprecedented rate. As “maestro” of the Information Warfare afloat symphony, you understand the potential power of full-spectrum, integrated information warfare. You guide your force to realize that potential by opportunities seized and effects achieved.

This requires serious forethought and planning to make certain the force – human and platform – is prepared to orchestrate effects in this type of environment. It demands a certain mentality and type of thinker – agile, adaptive, innovative, willing to take calculated risks with speed; an aggressive change agent. Thinking like a futurist and being comfortable with being uncomfortable should be part of the IWC job description. As the IWC, you see the convergence of people, information, and machines as your domain and how the Navy makes that our warfighting gain.

The complex interactions within the information environment and ecosystem expose new vulnerabilities to pre-emptively close or seize. Space, cyberspace, and the electromagnetic spectrum must be protected from disruption by sophisticated and increasingly aggressive adversaries. These domains are contested ecosystems in which you as the IWC must align kinetic and non-kinetic fires, synchronized alongside other operations. At your disposal are surface, subsurface, air, and space autonomous vehicles that can reason, recommend actions, and execute within prescribed rules of engagement. Autonomous information warfare platforms are hyper-connected with manned units using both laser and radio frequency communications links, complicating an already congested spectrum. The ability to tie all these elements together into the fleet tactical grid, coupled with advanced data analytics and machine learning, is required to prevail in our highly contested battlespace.

Additionally, platforms are equipped with quantum computers networked across 24 time-zones. Secure cloud-networked afloat “information warfare vaults” at the tactical edge project combat power and provide the bandwidth, security, and resiliency needed to fight through information disruption and denial. Our peer adversaries have rapidly advanced their capabilities in parallel. Inexpensive and ubiquitous technology has eroded the qualitative operational advantages we once enjoyed. Our force must be postured to deny the information space to adversaries who wish to hold our national interests at risk. Resilience in your operations presents both sides of the coin: challenge and opportunity.

We observed a sea change in operational focus, due to the vastly different threat outlook outlined 17 years earlier in the 2018 National Defense Strategy (NDS). In 2033