The Fight to Know

By Jack Whitacre

The relationship between the sea and information is ancient. In 480 BC, the Greeks learned of a secret naval invasion planned by the Persians. According to Simon Singh in The Code Book, the message was delivered steganographically on a covered tablet giving sufficient time to prepare for a defense that ultimately led to victory.1 Through information theory, the quantitative theory of coding and transmission of signals and information, we discover that information is a physical property of our reality and a resource to be guarded. In the words of Charles Seife, “Information is every bit as palpable as the weight of bullet, every bit as tangible as the heft of an artillery shell—and every bit as vulnerable as a freighter full of ammunition.”2

Today’s maritime security hinges on information. As Admiral (ret.) James Stavridis argues, nowhere is the gap between threat (high) and defensive capability (low) as large as on the cyber front. Derived from ‘cybernetics,’ “cyber” loosely refers to information loops and everything that is connected to a computer network. The shipping industry (which feeds, fuels, and clothes our country) is growing increasingly connected to the internet and therefore more vulnerable to cyber attacks. New cyber technologies are also being used in the maritime field to solve climate and natural resource puzzles — both keys to long-term human survival. Through cyber education and training, citizens and leaders can gain an edge in the digital world and invest themselves in solving some of the most pressing maritime security problems.

Oceanic Applications

Our relationship to the ocean has been transformed by cyber. As John C. Perry outlines in “Beyond the Terracentric,” the ocean can be seen as an avenue, arena, and source.3 Before the standard shipping container system was invented, ships were unloaded with back-breaking efforts of manual laborers. Today, cranes take care of the work, moving containers from the ship to the shore (and vice versa). Sometimes loading and unloading is done with humans operating joysticks, while in other places computer programs sift through the manifests and unload using algorithms. Automatic ports may be targeted by external actors looking to manipulate freight shipments for their benefit.

In 2016, The Economist and The Journal of Commerce chronicled the sagas of the Port of Long Beach, California and the Port of Rotterdam, Netherlands and their transitions towards automation. When viewing an operation with computerized manifests, automatic cranes, and even driver-less trucks moving containers, it is imperative to remember that what is connected can be compromised at every level. Such an interconnected world increases the opportunities for external targeting while raising the stakes for maritime security for the United States. Estimates show that ninety percent of the world’s goods are imported by sea.4 As a single example, each year more than $180 billion of goods (or 6.8 million containers) pass through the Port of Long Beach.5 A brief interruption in shipping made by a foreign government, company, or private individuals would likely ripple through a nation with economic effects reverberating up and down the supply chain.

On the bright side, new computer technologies may allow us to more easily monitor changes in ocean health conditions. With improved information, states and actors can ensure better protection for the ocean and fish that are crucial to industry and food supplies, especially in disputed areas. States can track each other and keep accountability through satellites and technologies like AIS (automatic identification system). New cyber capabilities like The Internet of Things (IoT) may allow us to revolutionize ocean data analysis and create new levels of environmental responsibility. Social entrepreneurship ventures like Blue Water Metrics now aim to crowdsource data collection via the world’s oceangoing shipping fleets and upload all the ocean data to a cloud database. Educating state leaders offers the best chance of maximizing the positive externalities of technological change, both in protecting natural resources and shipping assets.

Preparing Cyber Leaders

Increasing information literacy will improve competitiveness in nearly every field. Studying information theory, encryption, and coding with the same vigor as foreign languages may transform an individual’s field and personal career trajectory. In the book Dark Territory, Fred Kaplan describes how Cyber Command personnel grew from 900 to 4,000 between 2009 and 2012, a number expected to climb to 14,000 by the end of 2020.6 Established academic institutions could recognize certificate programs from organizations like Codecademy via transcript notations, which may improve educational and employment prospects.

 (March 25, 2011) – Aerographer’s Mate 3rd Class Nick Pennell, a watch stander at the Naval Oceanography and Anti-Submarine Warfare Center, looks over a Japan Self-Defense Force Mobile Operations sheet at Commander Fleet Activities Yokosuka (CFAY). (U.S. Navy photo by Mass Communication Specialist 3rd Class Mikey Mulcare/Released)

Cyber education can be seen both as a patriotic duty and as an economic opportunity. As far back as 1991 the National Research Council observed that “the modern thief can steal more with a computer than with a gun.”7 By educating tomorrow’s cyber leaders, institutions and community organizations can empower people to defend themselves intelligently against thieves and reinvent themselves by beginning careers in the digital world.

The Polaris of Programming

Not all innovation needs to be forward looking. In the evolutionary dance between encryption and decryption, centuries passed before certain “unbreakable” codes were broken. The Fletcher School at Tufts University combines international studies and the analysis of world events with cyber studies in its course Foundations of International Cyber Security. Scholar practitioners, such as Michele Malvesti, offer unique perspectives on the past and the pipeline of the future, including the importance of supply stream, deterrence, and attribution. Graduate-level cyber curricula can unlock strategic chess moves for governmental, citizen-led, and private organizations alike. Incorporating history in computer science education, like Harvard’s course Great Ideas in Computer Science, can provide fertile intellectual context where principles can be appraised and applied in modern contexts. Scientists throughout history, like Abu Yusuf Yaqub, Blaise de Vigenere, and Charles Babbage make great role models along with programmers like Ada Lovelace and RDML (ret.) Grace Hopper.

Conclusion

When programming is seen as an essential language, computer history as a strategic advantage, and information as an environmental and security opportunity, our digital tribe will be better able to overcome uncertainty and adversaries.

An entrepreneur and former boat captain, Jack Whitacre studied international security and maritime affairs at The Fletcher School of Law and Diplomacy. Contact him at James.C.Whitacre@gmail.com.

References

1. Simon Singh, “The Code Book: How to Make it, Break it, Hack it, Crack it,” 2001, p.8

2. Charles Seife, “Decoding the Universe,” p. 8

3. John C. Perry, “Beyond the Terracentric: Maritime Ruminations,” 2013, p.143

4. Rose George, “Ninety Percent of Everything: Inside Shipping, the Invisible Industry That Puts Clothes on Your Back, Gas in Your Car, and Food on Your Plate,” 2013.

5. Port of Long Beach. “Facts at a Glance.” The Port of Long Beach: The Green Port. The Port of Long Beach. February 8th, 2017. http://www.polb.com/about/facts.asp

6. Fred Kaplan, “Dark Territory: The Secret History of Cyber War,” 2006, p. 4

7. Ibid.

Featured Image: The Port of Los Angeles in Feb. 2013. (Tim Rue — Bloomberg/Getty Images)

A Cyber Vulnerability Assessment of the U.S. Navy in the 21st Century

By Travis Howard and José de Arimatéia da Cruz

Introduction

The United States Navy is a vast, worldwide organization with unique missions and challenges, with information security (and information warfare at large) a key priority within the Chief of Naval Operations’ strategic design. With over 320,000 active duty personnel, 274 ships with over 20 percent of them deployed across the world at any one time, the Navy’s ability to securely communicate across the globe to its forces is crucial to its mission. In this age of rapid technological growth and the ever expanding internet of things, information security is a primary consideration in the minds of senior leadership of every global organization. The Navy is no different, and success or failure impacts far more than a stock price.

Indeed, an entire sub-community of professional officers and enlisted personnel are dedicated to this domain of information warfare. The great warrior-philosopher Sun Tzu said “one who knows the enemy and knows himself will not be endangered in a hundred engagements.” The Navy must understand the enemy, but also understand its own limitations and vulnerabilities, and develop suitable strategies to combat them. Thankfully, strategy and policy are core competencies of military leadership, and although information warfare may be replete with new technology, it conceptually remains warfare and thus can be understood, adapted, and exploited by the military mind.

This paper presents a high-level, unclassified overview of threats and vulnerabilities surrounding the U.S. Navy’s network systems and operations in cyberspace. Several threats are identified to include nation states, non-state actors, and insider threats. Additionally, vulnerabilities are presented such as outdated network infrastructure, unique networking challenges present aboard ships at sea, and inadequate operating practices. Technical security measures that the Navy uses to thwart these threats and mitigate these vulnerabilities are also presented. Current U.S. Navy information security policies are analyzed, and a potential security strategy is presented that better protects the fleet from the before-mentioned cyber threats, mitigates vulnerabilities, and aligns with current federal government mandates.

Navy Network Threats and Vulnerabilities

There are several cyber threats that the Navy continues to face when conducting information operations in cyberspace. Attacks against DoD networks are relentless, with 30 million known malicious intrusions occurring on DoD networks over a ten-month period in 2015. Of principal importance to the U.S. intelligence apparatus are nation states that conduct espionage against U.S. interests. In cyberspace, the Navy contests with rival nations such as Russia, China, Iran, and North Korea, and all are developing their own information warfare capabilities and information dominance strategies. These nations, still in various stages of competency in the information warfare domain, continue to show interest in exploiting the Navy’s networks to conduct espionage operations, either by stealing information and technical data on fleet operations or preventing the Navy from taking advantage of information capabilities.

Non-state actors also threaten naval networks. Organized activist groups known collectively as “hacktivists,” with no centralized command and control structure and dubious, fickle motivations, present a threat to naval cyberspace operations if their goals are properly aligned. In 2012, Navy officials discovered hacktivists from the group “Team Digi7al” had infiltrated the Navy’s Smart Web Move website, extracting personal data from almost 220,000 service members; the group has been accused of more than two dozen additional attacks on government systems from 2012 to 2013. The hacktivist group boasted of their exploits over social media, citing political reasons but also indicating they did it for recreation. Individual hackers, criminal organizations, and terrorist groups are also non-state threat actors, seeking to probe naval networks for vulnerabilities that can be exploited to their own ends. All of these threats, state or non-state actors, follow what the Department of Defense (DoD) calls the “cyber kill chain,” depicted in figure 1. Once objectives are defined, the attacker follows the general framework from discovery to probing, penetrating, then escalating user privileges, expanding their attack, persisting through defenses, and finally executing their exploit to achieve their objective.

Figure 1. Navy depiction of the “cyber kill chain”

One of the Navy’s most closely-watched threat sources is the insider threat. Liang and Biros, researchers at Oklahoma State University, define this threat as “an insider’s action that puts an organization or its resources at risk.” This is a broad definition but adequately captures the scope, as an insider could be either malicious (unlikely but possible, with recent examples) or unintentional (more likely and often overlooked).

The previously mentioned Team Digi7al hacktivist group’s leader was discovered to be a U.S. Navy enlisted Sailor, Petty Officer Nicholas Knight, a system administrator within the reactor department aboard USS HARRY S TRUMAN (CVN 75). Knight used his inside knowledge of Navy and government systems to his group’s benefit, and was apprehended in 2013 by the Navy Criminal Investigative Service and later sentenced to 24 months in prison and a dishonorable discharge from Naval service.

Presidential Executive Order 13587, signed in 2011 to improve federal classified network security, further defines an insider threat as “a person with authorized access who uses that access to harm national security.”  Malevolence aside, the insider threat is particularly perilous because these actors, by virtue of their position within the organization, have already bypassed many of the technical controls and cyber defenses that are designed to defeat external threats. These insiders can cause irreparable harm to national security and the Navy’s interests in cyberspace. This has been demonstrated by the Walker-Whitworth espionage case in the 1980s, Private Manning in the latter 2000s, or the very recent Edward Snowden/NSA disclosure incidents.

The Navy’s vulnerabilities, both inherent to its nature and as a result of its technological advances, are likewise troubling. In his 2016 strategic design, Chief of Naval Operations Admiral John M. Richardson stated that “the forces at play in the maritime system, the force of the information system, and the force of technology entering the environment – and the interplay between them have profound implications for the United States Navy.” Without going into classified details or technical errata, the Navy’s efforts to secure its networks are continuously hampered by a number of factors which allow these threats a broad attack surface from which to choose.

As the previous Chief of Naval Operations (CNO), Admiral Jon Greenert, described in 2012, Navy platforms depend on networked systems for command and control: “Practically all major systems on ships, aircraft, submarines, and unmanned vehicles are ‘networked’ to some degree.” The continual reliance on position, navigation, and timing (PNT) systems, such as the spoofing and jamming-vulnerable Global Positioning System (GPS) satellite constellation for navigation and precision weapons, is likewise a technical vulnerability. An internet search on this subject reveals multiple scholarly and journalistic works on these vulnerabilities, and more than a few describe how to exploit them for very little financial investment, making them potentially cheap attack vectors.

Even the Navy’s vast size and scope of its networks present a vulnerability to its interests in cyberspace. As of 2006, the Navy and Marine Corps Intranet (NMCI), a Government Owned-Contractor Operated (GOCO) network that connects Navy and Marine Corps CONUS shore commands under a centralized architecture, is “the world’s largest, most secure private network serving more than 500,000 sailors and marines globally.” That number has likely grown in the 10 years since that statistic was published, and even though the name has been changed to the Navy’s Next Generation Network (NGEN), it is still the same large beast it was before, and remains one of the single largest network architectures operating worldwide. Such a network provides an enticing target.

Technical Security Measures and Controls

The Navy employs the full litany of technical cybersecurity controls across the naval network enterprise, afloat and ashore. Technical controls include host level protection through the use of McAfee’s Host Based Security System (HBSS), designed specifically for the Navy to provide technical controls at the host (workstation and server) level. Network controls include network firewalls, intrusion detection and prevention systems (IDS/IPS), security information and event management, continuous monitoring, boundary protection, and defense-in-depth functional implementation architecture. Anti-virus protection is enabled on all host systems through McAfee Anti-Virus, built into HBSS, and Symantec Anti-Virus for servers. Additionally, the Navy employs a robust vulnerability scanning and remediation program, requiring all Navy units to conduct a “scan-patch-scan” rhythm on a monthly basis, although many units conduct these scans weekly.

The Navy’s engineering organization for developing and implementing cybersecurity technical controls to combat the cyber kill chain in figure 1 is the Space and Naval Warfare Systems Command (SPAWAR), currently led by Rear Admiral David Lewis, and earlier this year SPAWAR released eight technical standards that define how the Navy will implement technical solutions such as firewalls, demilitarized zones (DMZs), and vulnerability scanners. RADM Lewis noted that 38 standards will eventually be developed by 2018, containing almost 1,000 different technical controls that must be implemented across the enterprise.

Of significance in this new technical control scheme is that no single control has priority over the others. All defensive measures work in tandem to defeat the adversary’s cyber kill chain, preventing them from moving “to the right” without the Navy’s ability to detect, localize, contain, and counter-attack. RADM Lewis notes that “the key is defining interfaces between systems and collections of systems called enclaves,” while also using “open architecture” systems moving forward to ensure all components speak the same language and can communicate throughout the enterprise.

The importance of open systems architecture (OSA) as a way to build a defendable network the size of the Navy’s cannot be overstated. The DoD and the Navy, in particular, have mandated use of open systems specifications since 1994; systems that “employ modular design, use widely supported and consensus-based standards for their key interfaces, and have been subjected to successful validation and verification tests to ensure the openness of their key interfaces.” By using OSA as a means to build networked systems, the Navy can layer defensive capabilities on top of them and integrate existing cybersecurity controls more seamlessly. Proprietary systems, by comparison, lack such flexibility, thereby making integration into existing architecture more difficult.

Technical controls for combating the insider threat become more difficult, often revolving around identity management software and access control measures. Liang and Biros note two organizational factors influencing insider threats: security policy and organizational culture. Employment of the policy must be clearly and easily understood by the workforce, and the policy must be enforced (more importantly, the workforce must fully understand through example that the policies are enforced). Organizational culture centers around the acceptance of the policy throughout the workforce, management’s support of the policy, and security awareness by all personnel. Liang and Biros also note that access control and monitoring are two must-have technical security controls, and as previously discussed, the Navy clearly has both, yet the insider threat remains a primary concern. Clearly, more must be done at the organizational level to combat this threat, rather than just technical implementation of access controls and activity monitoring systems.

Information Security Policy Needed to Address Threats and Vulnerabilities

The U.S. Navy has had an information security policy in place for many years, and the latest revision is outlined in Secretary of the Navy Instruction (SECNAVINST) 5510.36, signed June 2006. This instruction is severely out of date and does not keep pace with current technology or best practices; Apple released the first iPhone in 2007, kicking off the smart phone phenomenon that would reach the hands of 68% of all U.S. adults as of 2015, with 45% also owning tablets. Moreover, the policy has a number of inconsistencies and fallacies that can be avoided, such as a requirement that each individual Navy unit establish its own information security policy, which creates unnecessary administrative burden on commands that may have neither the time nor the expertise to do so. Additionally, the policy includes a number of outdated security controls under older programs such as the DoD Information Assurance Certification and Accreditation Process (DIACAP), which has since transitioned to the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF).

Beginning in 2012, the DoD began transitioning away from DIACAP towards the NIST RMF, making full use of NIST Special Publications (SPs) for policy development and implementation of security controls. The NIST RMF as it applies to DoD, and thus the Navy, is illustrated in figure 2. The process involves using NIST standards (identified in various SPs) to first categorize systems, select appropriate security controls, implement the controls, assess their effectiveness, authorize systems to operate, then monitor their use for process improvement.

Figure 2. NIST Risk Management Framework

This policy is appropriate for military systems, and the Navy in particular, as it allows for a number of advantages for policymakers, warfighters, system owners, and developers alike. It standardizes cybersecurity language and controls across the federal government for DoD and Navy policymakers, and increases rapid implementation of security solutions to accommodate the fluidity of warfighting needs. Additionally, it drives more consistent standards and optimized workflow for risk management which benefits system developers and those responsible for implementation, such as SPAWAR.

Efforts are already underway to implement these policy measures in the Navy, spearheaded by SPAWAR as the Navy’s information technology engineering authority. The Navy also launched a new policy initiative to ensure its afloat units are being fitted with appropriate security controls, known as “CYBERSAFE.” This program will ensure the implementation of NIST security controls will be safe for use aboard ships, and will overall “focus on ship safety, ship combat systems, networked combat and logistics systems” similar to the Navy’s acclaimed SUBSAFE program for submarine systems but with some notable IT-specific differences. CYBERSAFE will categorize systems into three levels of protection, each requiring a different level of cybersecurity controls commensurate with how critical the system is to the Navy’s combat or maritime safety systems, with Grade A (mission critical) requiring the most tightly-controlled component acquisition plan and continuous evaluation throughout the systems’ service life.

Implementation of the NIST RMF and associated security policies is the right choice for the Navy, but it must accelerate its implementation to combat the ever-evolving threat. While the process is already well underway, at great cost and effort to system commands like SPAWAR, these controls cannot be delayed. Implementing the RMF across the Navy enterprise will reduce risk, increase security controls, and put its implementation in the right technical hands rather than a haphazard implementation of an outdated security policy that has, thus far, proven inadequate to meet the threats and reduce vulnerabilities inherent with operating such a large networked enterprise. With the adoption of these new NIST policies also comes a new strategy for combating foes in cyberspace, and the Navy has answered that in a few key strategy publications outlined in the next section.

Potential Security Strategy for Combating Threats and Minimizing Vulnerabilities

It is important to note that the Navy, like the other armed services of the DoD, was “originally founded to project U.S. interests into non-governed common spaces, and both have established organizations to deal with cybersecurity.” The Navy’s cyber policy and strategy arm is U.S. Fleet Cyber Command (FLTCYBERCOM, or FCC), co-located with the DoD’s unified cyber commander, U.S. Cyber Command (USCYBERCOM, or USCC). Additionally, its operational cyber arm, responsible for offensive and defensive operations in cyberspace, is U.S. 10th Fleet (C10F), which is also co-located with U.S. Fleet Cyber and shares the same commander, currently Vice Admiral Michael Gilday.

Prior to VADM Gilday’s assumption of command as FCC/C10F, a strategy document was published by the Chief of Naval Operations in 2013 known as Navy Cyber Power 2020, which outlines the Navy’s new strategy for cyberspace operations and combating the threats and vulnerabilities it faces in the information age. The strategic overview is illustrated in figure 3, and attempts to align Navy systems and cybersecurity efforts with four main focus areas: integrated operations, optimized cyber workforce, technology innovation, and acquisition reform. In short, the Navy intends to integrate its offensive and defensive operations with other agencies and federal departments to create a unity of effort (evident by its location at Ft. Meade, MD, along with the National Security Agency and USCC), better recruit and train its cyber workforce, rapidly provide new technological solutions to the fleet, and reform the acquisition process to be more streamlined for information technology and allow faster development of security systems.

Figure 3. Threats and Motivations, Strategic Focus of Navy Cybersecurity 

Alexander Vacca, in his recent published research into military culture as it applies to cybersecurity, noted that the Navy is heavily influenced by sea combat strategies theorized by Alfred Thayer Mahan, one of the great naval strategists of the 19th century. Indeed, the Navy continually turns to Mahan throughout an officer’s career from the junior midshipman at the Naval Academy to the senior officer at the Naval War College. Vacca noted that the Navy prefers Mahan’s “decisive battle” strategic approach, preferring to project power and dominance rather than pursue a passive, defensive strategy. This potentially indicates the Navy’s preference to adopt a strategy “designed to defeat enemy cyber operations” and that “the U.S. Navy will pay more attention to the defeat of specified threats” in cyberspace rather than embracing cyber deterrence wholesale. Former Secretary of the Navy Ray Mabus described the offensive preference for the Navy’s cyberspace operations in early 2015, stating that the Navy was increasing its cyber effects elements in war games and exercises, and developing alternative methods of operating during denial-of-service situations. It is clear, then, that the Navy’s strategy for dealing with its own vulnerabilities is to train to operate without its advanced networked capabilities, should the enemy deny its use. Continuity of operations (COOP) is a major component in any cybersecurity strategy, but for a military operation, COOP becomes essential to remaining flexible in the chaos of warfare.

A recent article describing a recent training conference between top industry cybersecurity experts and DoD officials was critical of the military’s cybersecurity training programs. Chief amongst these criticisms was that the DoD’s training plan and existing policies are too rigid and inflexible to operate in cyberspace, stating that “cyber is all about breaking the rules… if you try to break cyber defense into a series of check-box requirements, you will fail.” The strategic challenge moving forward for the Navy and the DoD as a whole is how to make military cybersecurity policy (historically inflexible and absolute) and training methods more like special forces units: highly trained, specialized, lethal, shadowy, and with greater autonomy within their specialization.

Current training methods within the U.S. Cyber Command’s “Cyber Mission Force” are evolving rapidly, with construction of high-tech cyber warfare training facilities already underway. While not yet nearly as rigorous as special forces-like training (and certainly not focused on the physical fitness aspect of it), the training strategy is clearly moving in a direction that will develop a highly-specialized joint information warfare workforce. Naegele’s article concludes with a resounding thought: “The heart of cyber warfare…is offensive operations. These are essential military skills…which need to be developed and nurtured in order to ensure a sound cyber defense.”

Conclusions

This paper outlined several threats against the U.S. Navy’s networked enterprise, to include nation state cyber-rivals like China, Russia, Iran, and North Korea, and non-state actors such as hacktivists, individual hackers, terrorists, and criminal organizations. The insider threat is of particular concern due to this threat’s ability to circumvent established security measures, and requires organizational and cultural influences to counter it, as well as technical access controls and monitoring. Additionally, the Navy has inherent vulnerabilities in the PNT technology used in navigation and weapon systems throughout the fleet, as well as the vast scope of the ashore network known as NMCI, or NGEN.

The Navy implements a litany of cybersecurity technical controls to counter these threats, including firewalls, DMZs, and vulnerability scanning. One of the Navy’s primary anti-access and detection controls is host-based security through McAfee’s HBSS suite, anti-virus scanning, and use of open systems architecture to create additions to its network infrastructure. The Navy, and DoD as a whole, is adopting the NIST Risk Management Framework as its information security policy model, implementing almost 1000 controls adopted from NIST Special Publication 800-53, and employing the RMF process across the entire enterprise. The Navy’s four-pronged strategy for combating threats in cyberspace and reducing its vulnerability footprint involves partnering with other agencies and organizations, revamping its training programs, bringing new technological solutions to the fleet, and reforming its acquisition process. However, great challenges remain in evolving its training regimen and military culture to enable an agile and cyber-lethal warfighter to meet the growing threats.

In the end, the Navy and the entire U.S. military apparatus is designed for warfare and offensive operations. In this way, the military has a tactical advantage over many of its adversaries, as the U.S. military is the best trained and resourced force the world has ever known. General Carl von Clausewitz, in his great anthology on warfare, stated as much in chapter 3 of book 5 of On War (1984), describing relative strength through admission that “the principle of bringing the maximum possible strength to the decisive engagement must therefore rank higher than it did in the past.” The Navy must continue to exploit this strength, using its resources smartly by enacting smart risk management policies, a flexible strategy for combating cyber threats while reducing vulnerabilities, and training its workforce to be the best in the world.

Lieutenant Howard is an information warfare officer/information professional assigned to the staff of the Chief of Naval Operations in Washington D.C. He was previously the Director of Information Systems and Chief Information Security Officer on a WASP-class amphibious assault ship in San Diego.

Dr. da Cruz is a Professor of International Relations and Comparative Politics at Armstrong State University, Savannah, Georgia and Adjunct Research Professor at the U.S. Army War College, Carlisle, Pennsylvania.

The views expressed here are solely those of the authors and do not necessarily reflect those of the Department of the Navy, Department of the Army, Department of Defense or the United States Government.

Featured Image: At sea aboard USS San Jacinto (CG 56) Mar. 5, 2003 — Fire Controlman Joshua L. Tillman along with three other Fire Controlmen, man the ship’s launch control watch station in the Combat Information Center (CIC) aboard the guided missile cruiser during a Tomahawk Land Attack Missile (TLAM) training exercise. (RELEASED)

The Lawless Trons of Cyberspace

By LT Travis Nicks, USN

Introduction

Open borders are here. You likely crossed the Rio Grande before breakfast this morning and you’ll sneak into China before you sleep tonight. Trons travel through cyberspace ignoring all manner of political boundaries. Technology doesn’t care where Ukraine ends and Russia begins, or about an air gap between China and Taiwan. The policy of cyber does; it shouldn’t.

Conceptualizing Cyber Borders

The national policy for cyber borders has been similar to conceptions of airspace: a vertical extension of geopolitical borders into the sky, or in the case of cyber, into the flowing infrastructure of the internet. If a plane is going to travel through the airspace of another country, that country has to agree to it or the flight has to go around. A long-range bomber aircraft might fly over a few countries for a raid on the other side. Packets or “trons” can travel continents’ worth of countries in a path of least resistance taking seconds. Furthermore, while borders stay the same, digital routes are totally dynamic. In order to prevent the unintended escalation of cyber operations, we must divorce the routes trons take from the effects they cause.

A Path Forward

Fortunately, a policy framework already exists for an effects-based policy in a new frontier. We need to rise above the airspace mentality, and draw inspiration from satellites. Satellites travel freely over countries and cross borders with impunity. The international community agreed to a borderless framework in space in the Outer Space Treaty of 1967.1 The orbit a satellite is on and its position relative to political borders are irrelevant when it takes an action that causes an effect. The effect is all that matters. The group at the effect’s end may protest or retaliate, but the country under the satellite at the time of the action will have no issue. If, for example, China shot down a Russian satellite while the satellite was over Mexico, Russia would have no issue with Mexico for having allowed the attack above them, because they don’t own that space. Instead, China would be responsible for causing the malign effect.

The Department of Defense (DoD) has addressed this attribution issue. The DoD Law of War Manual specifically addresses “cyber operations that use communications infrastructure in neutral states.”2 This policy allows trons to be routed through neutral nations so long as the cyber infrastructure in those nations allows innocuous information to be routed through it as well, that is, if they route trons for the common World Wide Web. It also specifically acknowledges that it is unreasonable to expect other nations to review all cyber traffic for its content. These principles are fundamental to the spirit and design of the internet. Acknowledging those fundamentals will prevent future conflicts that will otherwise arise from misattribution during analysis of tron routes. Imagine Canada sends cyber attack trons to Russia via France, Thailand, and China. It is easy to see Russia determining that China may not have ownership of the trons that attacked them, but—unless we agree otherwise—they were complicit in the attack. A scenario where clumsy confusion leads to aggressive accusation, the likes of which we have not seen since the eve of WW1, is not far-fetched given the cyber domain’s peculiarities.

Many international cyber agreements are being written. One, the International Code of Conduct for Information Security, has already been signed by major players Russia and China. That agreement addresses the intent of cyber warfare and end effects, but leaves a grey area in between. A 2013 NATO report addressed this point indirectly, saying “demilitarized zones are not feasible in the context of cyberspace, due to its global scope.”3 NATO failed to separate the infrastructure itself from the use of the infrastructure. A United Nations report from 2015 (aware of NATO’s 2013 report) further departs in the wrong direction and declares “states have jurisdiction over the ICT (information and communications technologies) infrastructure located within their territory.”4 This policy direction simply does not pragmatically address the technology involved. The transnational spirit of the internet and the technology itself do not respect borders as the UN does. A failure to acknowledge this fact is dangerous. The focus on infrastructure and not on the transmissions and effects of the technology leaves a dangerous grey area.

The solution is an agreement among the international community to ignore cyber routes. The DoD’s cyber components must press this issue into international agreements. The Department is uniquely equipped to lead this effort. It is the center of our nation’s cyber warfare universe. The NSA, CIA, DIA, and others with less notoriety are led or staffed largely by military officers and enlisted, retired versions of the same, or DoD civilians. No other organization is as integrated into every aspect of offensive and defensive cyber operations. DoD’s outsized operational involvement gives us an equally outsized cyber policy voice, and we should use it to ensure a discussion on cyber routes.

The discussion should acknowledge, first, that attribution is the foundation of cyber warfare. Second, acknowledge that routing technologies use the communications equipment of neutral states to obscure the origin of cyber-attacks. After establishing those truths, the policy must focus on ensuring the analysis of digital forensic evidence acknowledges the inherent deceptiveness of cyber route analysis and delegitimizes the evidence as international policy. The international community must agree to focus on the information and effects of the trons and not attempt to hold accountable the infrastructure used for transmission. Absolve the owners of the infrastructure and the land on which it sits from responsibility for the trons it transmits, and inversely remove the standing they might have if they dislike the trons.

Conclusion

The publicly available cyber discussions in the international community have so far focused on intent, effects, and physical infrastructure while they ignore any agreement on cyber routes. To avoid a massive international misunderstanding in the fog of attribution we must internationally agree to ignore cyber routes. We have a framework for this. In space we own the object, not the orbit. In cyber we will own the information, not the route.

Travis Nicks is a nuclear submarine officer serving at the Pentagon. He is focused on finding precise fixes to complex problems. LT Nicks is interested in cyber policy and personnel performance issues. The views herein are his alone and do not represent the views of the Department of Defense, the Department of the Navy, or any other organization.

References

1. Outer Space Treaty, 1967, Article II

2. Department of Defense, Law of War Manual, 2016, Section 16.4.1

3. Dr. Katharina Ziolkowski, NATO Cooperative Cyber Defense Centre of Excellence, Confidence Building Measures for Cyberspace – Legal Implications, 2013, Section 3.2

4. Group of Government Experts, United Nations General Assembly, report on Developments in the Field of Information and Telecommunications in the Context of International Security, 2015, Section VI.28.a.

Featured Image: U.S. Navy Petty Officer 1st Class Joel Melendez, Naval Network Warfare Command information systems analysis, U.S. Air Force Staff Sgt. Rogerick Montgomery, U.S. Cyber Command network analysis, and U.S. Army Staff Sgt. Jacob Harding, 780th Military Intelligence Brigade cyber systems analysis, analyze an exercise scenario during Cyber Flag 13-1, Nov. 8, 2012, at Nellis Air Force Base, Nev. (U.S. Air Force photo by Senior Airman Matthew Lancaster)

Trident: Industry, Scotland, and Long-Range Bomber and Land-Based Missile Alternatives

By Alex Calvo

Introduction

The third installment in our four-part series begins with Trident’s impact on British industry and the Scottish factor, very much in evidence in the run up to the 2014 referendum. We then move to examine British nuclear doctrine, asking ourselves whether a minimal posture is tenable, and looking in this connection at potential cyber and undersea unmanned threats to submarines, both of which have attracted public attention over the last few months. While in July this year the UK Parliament voted to renew the Trident fleet with the building of four new submarines, it is still interesting to discuss whether Trident’s cost may have been cut by reducing the number of boats. We then move to consider potential nuclear alternatives to the program, starting with long-range bombers and land-based missiles, leaving submarine and air-launched cruise missiles for the fourth and final installment in our series. Read Part One, Part Two

Trident and British Industry

Any decisions on defense have an industrial component, leading to an uneasy conundrum. On the one hand, the acquisition of assets should be at least primarily motivated by the needs and priorities laid down in defense planning. On the other, because of the sums involved and the strong link between military and civilian research and development, it is impossible to view defense procurement separately from industrial and scientific policy. Thus, while the decision on the continuity of Trident taken in July this year by the UK Parliament should ideally not rest on the interests of the industrial actors involved, we cannot simply dismiss them when analyzing it. In particular, when pondering both nuclear and non-nuclear alternatives to Trident, it is likely that British authorities examined the resulting net effect on British defense and dual-use industries as a whole and on those companies involved in Trident.

We could say something similar when it comes to jobs, which should not have been the primary consideration, but are likely to have featured in this political decision. Some estimates say up to 15,000 jobs may have been lost had Trident not been renewed, but the net impact both in terms of figures and human capital depends on the alternatives should Trident have been discontinued. BASIC notes how Trident’s base “supports some 6,700 jobs, expected to rise to 8,200 by 2022,” adding that “the UK submarine industry accounts for 3% of employment in the UK’s scientific and defense industrial base,” and that a “replacement as currently planned could employ up to 26,000 people at some point in the process.” This could at least partly explain the huge majority of 355 in a 650-strong chamber that voted for the program’s renewal with more than half of opposition Labour MPs voting aye in direct contradiction with their leader’s stance, and this after PM Theresa May had publicly made it clear she was ready to press the nuclear button if necessary. Furthermore, while Labour leader Jeremy Corbyn was later reelected by an increased majority of 62 percent, his shadow defense minister, Clive Lewis, stated that his party would remain committed to an independent, sea-based, British nuclear deterrent.

The Scottish Factor: Trident and the Union

The SNP and, more widely, Scottish Nationalists, have traditionally been hostile to Trident for a number of reasons. Among them we may note the party’s weak commitment to security and defense, little regard for collective security, hostility to the notion of the UK as a major world power, and willingness to outsource key policy areas to the European Union. At the tactical level, as seen in the 2014 referendum campaign, opposing Trident may enable the Nationalist camp to attract voters not strongly for or even opposed to independence but who fiercely reject nuclear weapons. Some of these voters may see a non-nuclear independent Scotland as a lesser evil. Others in this category may have seen a vote for independence or a vote for the SNP in future elections as a tactical move to force an end to the British nuclear deterrent. The July 2016 parliamentary vote on Trident was yet another opportunity for the SNP to underline its opposition to Trident, made even more visible by the vote in favor of a majority of opposition Labour MPs. Its 54 members of parliament voted against, and the party warned it would prompt a further push for independence, although opinion polls suggest a majority of Scots favor retaining the deterrent.

In connection to this matter, in the run-up to the referendum, there was speculation that the UK may relocate Trident to Devonport (Plymouth), with a report by RUSI estimating the additional cost at £3.5bn. The report concluded that “while the technical and financial challenges presented by Scottish independence would influence this discussion, they would not be severe enough to dictate it.”

British Nuclear Doctrine: Is a Minimal Posture Tenable?

If the UK’s move to a minimal deterrence posture had been followed by other nuclear states, or at least by negotiations with that purpose in mind, the country may have gone down in the annals of history as a pioneer in the noble pursuit of nuclear disarmament. Although the concept, also referred to as “deterrence lite,” has been extensively discussed in academic and government fora, such a move does not appear likely right now. Quite the contrary: to mention just a few examples, relations between Washington and Moscow are worsening, Pakistan is developing a sea-based deterrent, and Japan is increasingly pondering the convenience of at the very least retaining a powerful “latent” capability in the face of a resurgent China.

The Pacific Egret docked in Tokai (Ibaraki Prefecture) in March 2016, waiting to depart to the U.S. with a cargo of Japanese plutonium. Tokyo’s large stockpiles are one of the reasons why the country is considered to be a ‘latent nuclear power.’ (Kyodo)

The UK is experiencing growing tensions with an established nuclear power, Russia, which shows no intention of relying on non-conventional weapons to a lesser extent in the near future. More precisely, Russian sources note how not until current military reforms reach a successful conclusion will the country be able to lessen her dependence on tactical nuclear weapons (seen as essential not only in a Euro-Atlantic context, but also in a Chinese one, although the latter is seldom publicly discussed). Even without taking into account other potential conflict scenarios, this provides a powerful incentive to retain Trident or some other form of nuclear deterrent, since otherwise the UK would not only be open to nuclear blackmail but the decision to forego the country’s nuclear status may be seen as a sign of weakness and lack of resolve.

Cyber and Undersea Unmanned Threats to the UK’s Minimal Posture

As already explained, the decision to build a sea-based deterrent rested on the assumption that it would be very difficult for a hostile power to detect and destroy submarines, thus ensuring a second-strike capability. This also allowed London to move to a minimal posture, with just one such submarine on patrol at any given time. Of course, it was noted that while “No sector of a superpower’s defense system is quite so invulnerable against a preemptive attack as its fleet of highly mobile, deep-diving, long-ranging missile-bearing submarines. These make possible a second-strike capability that acts as a forceful deterrent against aggression,” “this situation could become unbalanced through the development of effective techniques of strategic antisubmarine warfare (ASW).” In recent months, a public debate has emerged concerning two possible threats against British strategic nuclear submarines: cyber warfare and the advent of unmanned undersea systems (submarine drones).

In November 2015, Lord Browne of Ladyton, former British Defence Secretary from 2006 to 2008 and now vice-chair of pro-disarmament group Nuclear Threat Initiative, said: “The government … have an obligation to assure parliament that all of the systems of the nuclear deterrent have been assessed end-to-end against cyber attacks to understand possible weak spots and that those weak spots are protected against a high-tier cyber threat. If they are unable to do that then there is no guarantee that we will have a reliable deterrent or the prime minister will be able to use this system when he needs to reach for it.” Browne cited a January 2013 report by the Pentagon’s Defense Science Board to support his views. Just one week earlier, Chancellor George Osborne had announced an additional investment of £3.2 billion in cybersecurity over a five-year period, an amount coming “nowhere near the scale of the cyber-threat challenge” according to Browne.

Franklin Miller, a former U.S. defense official involved in nuclear policy between 1981 and 2001, refuted Browne’s arguments, saying that “If our nuclear command and control system depended upon the internet or went through the internet then the report by the defense science board would be quite an important warning. However, for those reasons it is a standalone system. It is air-gapped. It does not go through the internet.” Miller added that the 2013 report cited by Browne had been written as a “shot across the bow” to members of the U.S. defense community thinking of having some elements of the next generation command and control system for the U.S. nuclear deterrent connected to the internet. He said “I am very comfortable saying that right now our command and control system is insulated from cyber-attack because it doesn’t go into any place that cyber would intrude.”

Concerning swarms of undersea drones, the concept is gaining traction as a possible threat to strategic submarines, even though the technology is still in its early stages. The U.S. Navy is already moving forward in this arena with plans to deploy unmanned underwater vehicles (UUVs) from Virginia-class attack submarines. In December 2015, Paul Ingram, BASIC’s chief executive, warned that progress in underwater drone technology threatened to make Trident submarines vulnerable, in line with other experts who have cautioned about “a revolution in underwater drones, as well as advances in sonar, satellite and other anti-submarine warfare systems” making “even totally silent submarines … likely to become detectable.” Ingram said that “There is a major transition taking place in the underwater battle space and it is far from clear how the new submarine will be able to evade detection from emerging sophisticated anti-submarine warfare capabilities.” Adding that this “raises serious questions about the wisdom of putting all your nuclear weapons on board a submarine,” Ingram called for a public debate on this impending vulnerability.

Despite much interest among major navies, underwater drones are being developed at a much slower pace than their aerial counterparts, an often cited reason being water’s much greater opacity to radio waves. According to Frank Herr, head of the Office of Naval Research’s ocean battlespace sensing department, “Underwater vehicles are much harder to do because of this inability for us to communicate robustly with the vehicles the way you can in the air. That means they are way behind in the development.” Chris Rawley, a surface warfare officer in the U.S. Navy Reserve, believes that “the premise that UUVs will make Tridents more detectable glosses over the complexities of ASW. The physics of underwater sound propagation don’t change just because we take the man out of the loop. Unmanned systems can potentially put more persistent sensors in the water column, but I’d guess we’re at least two decades out from them making a significant impact on ASW.” Rawley discusses this in more detail in a 2015 interview with CIMSEC.

Could Trident’s Cost be Cut by Reducing the Number of Submarines?

In the run-up to the July 2016 parliamentary vote to renew Trident, some voices, including the Liberal Democrats (the Conservatives’ junior coalition partner in the previous administration) and Labour, the main opposition party, suggested or at least speculated on the possibility of reducing the cost of Trident by cutting down the number of boats from the current four. The Liberal Democrats open the section of their website on Trident with harsh words, calling it “out-dated and expensive. It is a relic of the Cold War and not up-to-date in 21st century Britain,” while arguing that “It would be extremely expensive and unnecessary to replace all four submarines, so we propose to replace some of the submarines instead. They would not be on constant patrol but could be deployed if the threat from a nuclear-armed country increased.” BASIC included the option of “irregular undisclosed patrolling patterns” in its 2015 “A Memo to the Next Prime Minister: Options Surrounding the Replacement of Trident,” estimating the potential yearly savings at up to 1 billion. Right now, as emphasized by the Royal Navy itself, “One of the Navy’s four strategic submarines is always on patrol, ensuring a continuous at sea deterrent, 24/7/365, carrying the nation’s ultimate weapon somewhere in the Seven Seas.” It is very doubtful whether fewer than four submarines could achieve this objective. The need to keep four submarines has been emphasized by many observers, with for example Simon Michell writing for RUSI that “if the United Kingdom is to have a credible and assured nuclear deterrent based on the submarine-launched Trident missile, then four boats are required, not three.” Therefore, it is plausible, should the cost of Trident be considered to be excessive, to move to another kind of deterrent, for example air-based, rather than relying exclusively on a number of boats too small to ensure a consistent deterrent.

Having fewer than four nuclear boats may not only deliver smaller savings than straight arithmetic may suggest given factors such as economies of scale, but would result in gaps in the deterrent with no submarine patrolling at certain given times. This may be seen by a would-be aggressor as providing a window of opportunity. Furthermore, it could be destabilizing in many ways. For example, during a crisis at a time with no boats on patrol, the knowledge that one was soon to sail may be seen by the other side as providing an incentive to strike first. It may also be interpreted as a hostile move, a step in escalation designed to increase pressure. The Trident Alternatives Review, as an exercise in coalition politics, did not rule out this possibility, while failing to discuss in depth the possibility of a sudden unannounced nuclear attack, but nevertheless gave some clues as to why three boats, as opposed to four, would mean accepting a higher degree of risk that such an attack may take place. Where the Review was crystal clear was in explaining that “Over a 20 year period, a 3-boat fleet would risk multiple unplanned breaks in continuous covert patrolling as well as requiring regular planned breaks for maintenance and/or training. Experience to date with the Resolution-class and Vanguard-class SSBNs is that no such breaks have occurred or been required with a 4-boat fleet.” Thus, we can see how lacking the capacity for continuous patrols not only means the deterrent is not always available but also introduces a new factor in an adversary’s calculus during crisis, opening up different venues of speculation concerning the possible motivations for the start and end of deterrence patrols.

Nuclear Alternatives to Trident: Long-Range Bombers

The UK may remain a nuclear power while shifting to other vectors for the country’s warheads. This may result from different motivations, such as cost calculations, a changed perspective on submarine survivability, or the desire for greater strategic autonomy vis-à-vis the United States, among a few other possibilities. Shifting to another delivery method would have a wide range of implications, not only in terms of range, survivability, domestic politics, and credibility, to name just a few, but also, for example, for inter-service considerations. Trident underscores the Royal Navy’s status as the senior service, which any non-naval alternative would not support in the same way.

Air delivery systems may consist of either missiles launched by aircraft, or gravity bombs dropped by them. An air-dropped alternative to Trident was suggested last year by think-tank Centre Forum. In its report, this organization argues that a minimum nuclear deterrent should be able to destroy “ten or more … major urban areas” of a nuclear adversary (it should be noted that British nuclear doctrine does not provide any explicit assurance to non-nuclear weapons states) and that the UK should therefore be capable of delivering 30 warheads. It goes on to say that “This requires a considerably lower level of capability than” that provided by Trident, meaning that “the UK can achieve deterrence with a considerably less capable nuclear weapons system, saving money and contributing to long-term multilateral nuclear disarmament.” Based on this and other considerations, the report suggests that the UK “move to a free-fall nuclear capability based on Lockheed Martin F-35 Lightning II / Joint Strike Fighter (JSF) that the UK is currently procuring and the forthcoming U.S. B61 Mod 12 (B61-12) bombs that will arm NATO nuclear Dual-Capable Aircraft (DCA) from 2020.” It estimates the capital cost of “100 anglicised B61-12s” at “approximately £16.7bn,” a figure that would include a number of additions to current planned capabilities, among them enabling the Queen Elizabeth-class carriers to operate catapult-launched, arrested-landing aircraft (with a wider range than the vertical takeoff variant currently planned) and extra naval assets such as five attack submarines and four type 26 frigates. The text presents this alternative as a compromise bringing about cost savings while enhancing conventional capabilities, preserving the submarine industrial base, and “a concrete step down the nuclear ladder and towards future nuclear disarmament as the international situation allows in accordance with the UK’s nuclear Non-Proliferation Treaty obligations.”

Given the UK’s global role and the duty to protect British Overseas Territories, any nuclear alternative to Trident should have an equivalent range. This may be a challenge for nuclear bombers, less so for submarine-launched cruise missiles, and would not apply to land-based ICBMs (intercontinental ballistic missiles). The travails of strategic bombers when targets are far from bases were already illustrated in the Falklands War, where the strike against Port Stanley’s airport required the complex coordination of a very large number of aircraft operating from Ascension Island. The Centre Forum document argues that a combination of existing overseas bases and “Air-to-Air Refueling (AAR) support from RAF Voyager KC2/KC3 tankers covers all of Africa, Europe, the Middle East and South America, along with the Indian subcontinent and most of former Soviet Central Asia.” Leaving aside the fact that this would not cover all existing nuclear weapons states, the sheer complexity of the necessary AAR operations to reach some corners of the world may put a dent in the deterrent’s credibility, tempting a would-be aggressor into thinking it may not ensure a British response. This was noted by a commentator, who wrote “Where the credibility gets shaky is in the delivery. A Voyager tanker can trail 4 fighter jets for 2800 miles in a transfer flight, but an actual strike mission, especially if a return to base is at least envisaged, is a whole different matter. Even bringing all 14 tankers in service (instead of just 8 + 1 transport only and 5 tankers “on demand” at 90 days notice) and fitting them with booms and receptacles so they can juggle fuel between themselves and work cooperatively, it remains dubious that it would be possible to trail a real strike package over the great distances likely to be involved. Particularly because, in order to deliver the strike with gravity-fall bombs with a stand-off reach of 40 kilometers in the very, very best case, you need a large attack squadron, knowing that many aircraft are likely not to make it to the target, even with the F-35’s stealth.”

The long-range nuclear bomber Avro Vulcan was employed in a conventional role in the 1982 Falklands War and later decommissioned. (RAF photo by SAC Andy Stevens)

This text also questions whether it is realistic to expect the UK to sport 72 ready-to-strike nuclear bombers at any one time, as Centre Forum contends when it states that “Using the 18 airfields shown in Figure 5 today, this would translate into 72 nuclear-armed F-35Cs and their accompanying Airbus Voyager KC2 / KC3 tankers safely airborne before a surprise attack could destroy them on the ground.” Furthermore, it argues that if that number was indeed available it would put such a dent in conventional capabilities as to make the whole exercise self-defeating. These unrealistic assumptions cast a shadow of doubt over the Centre Forum’s proposal, and prompt suspicions that it may have been designed, or at least have been liable to being employed, to underpin a tactical deal between those opposed to British national sovereignty and the country’s independent deterrent on the one hand, and those concerned about continued conventional defense cuts, on the other. By offering the acquisition of additional conventional assets as part of a package deal involving the replacement of Trident by a less able system, the former may have hoped to achieve the necessary political momentum against Trident, assembling a coalition with the latter and perhaps also other actors like the SNP. At a later stage, with Trident out of the way, the door would have been open to further conventional cuts degrading an already less than credible deterrent, thus achieving unilateral nuclear disarmament through the back door.

Other disadvantages of a naval aircraft-based deterrent are, in the words of an undisclosed naval analyst, that “a ship is ALWAYS more vulnerable than a submarine” and a “plane can also be downed,” plus the fact that adding a further role to a carrier means an additional concentration of risk and incentives for the enemy to try to sink her. Operations by HMS Hermes and HMS Invincible off the Falklands, at a time when anti-access weapons were much more primitive (Argentine forces improvised a shore-launched Exocet missile, hitting HMS Glamorgan, but it was not available until very late in the war), illustrate the complications of sailing near a hostile shore, which would have been even greater had the British deterrent been based on those same two light carriers. At the end of the day, considering all these aspects, it is difficult not to see that moving from submarines to carrier-based planes would mean a significant downsizing of the British deterrent, with the corresponding negative impact on national security. In the words of another author, “A nuclear deterrent based on the B61-12 would be much less capable than Trident, this is definite. The key issue is not the power of the warhead, but the certainty that an enemy anywhere in the world can be reliably hit. Any possible existential enemy of the UK must be keenly aware that there is a credible deterrent which is unquestionably able to strike back and make him pay a price which cannot be possibly accepted.”

As noted later when discussing air-launched cruise missiles but equally applicable here, “The UK would be faced with the choice of having to keep nuclear-armed aircraft permanently in the air (where they would still be visible) or risk having the air base – and its neighbouring community – as the target for a nuclear strike by a potential adversary.”

Things may be different if a long-range bomber powered by Reaction Engines’ SABRE (Synthetic Air-Breathing Rocket Engine) is developed in the future, since such aircraft would be able to strike at any target without aerial refueling. It must be noted, though, that any such dual-capable (nuclear and conventional) bomber may prompt the same concerns over strategic instability which have pushed Washington to withdraw nuclear Tomahawk cruise missiles from service, which we discuss in this series’ final part.   

INDIAN HEAD, Md. (March 17, 2015) Members of the Explosive Ordnance Disposal Technology Division team at Naval Surface Warfare Center, Indian Head prepare a Tomahawk missile for a functional ground test at the Large Motor Test Facility in Indian Head, Md. (U.S. Navy photo by Monica McCoy/Released)

Nuclear Alternatives to Trident: Land-Based Missiles

The deployment of land-based missiles involves at least two problems. First, they are considered to be the most vulnerable asset in the nuclear triad, given their fixed location. To overcome this vulnerability, an alternative may be to deploy missiles on either trucks or trains, ideally camouflaged as ordinary vehicles, but since this alternative has not featured in the debate on the replacement of Trident (in contrast with Russian work in this area) we shall not examine it in detail here.

Second, the construction of the necessary infrastructure may pose legal (land planning) and political complications. As noted in the 2015 RUSI conference on missile defense, it is precisely these legal and political difficulties involved in deploying certain land-based assets that make a naval missile shield the most realistic alternative for British plans on national BMD (ballistic missile defense). Additionally, as discussed when dealing with cruise missiles, developing a new vector would involve significant time and treasure.

In our next and final installment in this series, we will look at other possible alternatives to Trident, including both air and submarine-launched cruise missiles. This will include an examination of their technical aspects, as well as wider economic and policy issues. In the case of submarine-launched nuclear missiles, this includes the risk of confusion with their conventional brethren. Last, we will examine a very different scenario, namely the UK as a Japanese-style ‘latent’ nuclear power. Stay tuned!

Alex Calvo, a former guest professor at Nagoya University (Japan), focuses on security and defence policy, international law, and military history in the Indian-Pacific Ocean Region. He tweets at Alex__Calvo and his papers can be found at https://nagoya-u.academia.edu/AlexCalvo. Previous work on British nuclear policy includes A. Calvo and O. Olsen, “Defending the Falklands: A role for nuclear weapons?” Strife Blog, 29 July 2014.

Featured Image: The Trident nuclear submarine HMS Victorious is pictured near Faslane in Scotland. (UK Ministry of Defence)