Tag Archives: cyber

A Cyber Vulnerability Assessment of the U.S. Navy in the 21st Century

By Travis Howard and José de Arimatéia da Cruz

Introduction

The United States Navy is a vast, worldwide organization with unique missions and challenges, with information security (and information warfare at large) a key priority within the Chief of Naval Operations’ strategic design. With over 320,000 active duty personnel, 274 ships with over 20 percent of them deployed across the world at any one time, the Navy’s ability to securely communicate across the globe to its forces is crucial to its mission. In this age of rapid technological growth and the ever expanding internet of things, information security is a primary consideration in the minds of senior leadership of every global organization. The Navy is no different, and success or failure impacts far more than a stock price.

Indeed, an entire sub-community of professional officers and enlisted personnel are dedicated to this domain of information warfare. The great warrior-philosopher Sun Tzu said “one who knows the enemy and knows himself will not be endangered in a hundred engagements.” The Navy must understand the enemy, but also understand its own limitations and vulnerabilities, and develop suitable strategies to combat them. Thankfully, strategy and policy are core competencies of military leadership, and although information warfare may be replete with new technology, it conceptually remains warfare and thus can be understood, adapted, and exploited by the military mind.

This paper presents a high-level, unclassified overview of threats and vulnerabilities surrounding the U.S. Navy’s network systems and operations in cyberspace. Several threats are identified to include nation states, non-state actors, and insider threats. Additionally, vulnerabilities are presented such as outdated network infrastructure, unique networking challenges present aboard ships at sea, and inadequate operating practices. Technical security measures that the Navy uses to thwart these threats and mitigate these vulnerabilities are also presented. Current U.S. Navy information security policies are analyzed, and a potential security strategy is presented that better protects the fleet from the before-mentioned cyber threats, mitigates vulnerabilities, and aligns with current federal government mandates.

Navy Network Threats and Vulnerabilities

There are several cyber threats that the Navy continues to face when conducting information operations in cyberspace. Attacks against DoD networks are relentless, with 30 million known malicious intrusions occurring on DoD networks over a ten-month period in 2015. Of principal importance to the U.S. intelligence apparatus are nation states that conduct espionage against U.S. interests. In cyberspace, the Navy contests with rival nations such as Russia, China, Iran, and North Korea, and all are developing their own information warfare capabilities and information dominance strategies. These nations, still in various stages of competency in the information warfare domain, continue to show interest in exploiting the Navy’s networks to conduct espionage operations, either by stealing information and technical data on fleet operations or preventing the Navy from taking advantage of information capabilities.

Non-state actors also threaten naval networks. Organized activist groups known collectively as “hacktivists,” with no centralized command and control structure and dubious, fickle motivations, present a threat to naval cyberspace operations if their goals are properly aligned. In 2012, Navy officials discovered hacktivists from the group “Team Digi7al” had infiltrated the Navy’s Smart Web Move website, extracting personal data from almost 220,000 service members, and has been accused of more than two dozen additional attacks on government systems from 2012 to 2013. The hactivist group boasted of their exploits over social media, citing political reasons but also indicated they did it for recreation as well. Individual hackers, criminal organizations, and terrorist groups are also non-state threat actors, seeking to probe naval networks for vulnerabilities that can be exploited to their own ends. All of these threats, state or non-state actors, follow what the Department of Defense (DoD) calls the “cyber kill chain,” depicted in figure 1. Once objectives are defined, the attacker follows the general framework from discovery to probing, penetrating then escalating user privileges, expanding their attack, persisting through defenses, finally executing their exploit to achieve their objective.

Figure 1. Navy depiction of the “cyber kill chain

One of the Navy’s most closely-watched threat sources is the insider threat. Liang and Biros, researchers at Oklahoma State University, define this threat as “an insider’s action that puts an organization or its resources at risk.” This is a broad definition but adequately captures the scope, as an insider could be either malicious (unlikely but possible, with recent examples) or unintentional (more likely and often overlooked).

The previously-mentioned Team Digi7al hactivist group’s leader was discovered to be a U.S. Navy enlisted Sailor, Petty Officer Nicholas Knight, a system administrator within the reactor department aboard USS HARRY S TRUMAN (CVN 75). Knight used his inside knowledge of Navy and government systems to his group’s benefit, and was apprehended in 2013 by the Navy Criminal Investigative Service and later sentenced to 24 months in prison and a dishonorable discharge from Naval service.

Presidential Executive Order 13587, signed in 2011 to improve federal classified network security, further defines an insider threat as “a person with authorized access who uses that access to harm national security.”  Malevolence aside, the insider threat is particularly perilous because these actors, by virtue of their position within the organization, have already bypassed many of the technical controls and cyber defenses that are designed to defeat external threats. These insiders can cause irreparable harm to national security and the Navy’s interests in cyberspace. This has been demonstrated by the Walker-Whitworth espionage case in the 1980s, Private Manning in the latter 2000s, or the very recent Edward Snowden/NSA disclosure incidents.

The Navy’s vulnerabilities, both inherent to its nature and as a result of its technological advances, are likewise troubling. In his 2016 strategic design, Chief of Naval Operations Admiral John M. Richardson stated that “the forces at play in the maritime system, the force of the information system, and the force of technology entering the environment – and the interplay between them have profound implications for the United States Navy.” Without going into classified details or technical errata, the Navy’s efforts to secure its networks are continuously hampered by a number of factors which allow these threats a broad attack surface from which to choose.

As the previous Chief of Naval Operations (CNO), Admiral Jon Greenert describes in 2012, Navy platforms depend on networked systems for command and control: “Practically all major systems on ships, aircraft, submarines, and unmanned vehicles are ‘networked’ to some degree.” The continual reliance on position, navigation, and timing (PNT) systems, such as the spoofing and jamming-vulnerable Global Positioning System (GPS) satellite constellation for navigation and precision weapons, is likewise a technical vulnerability. An internet search on this subject reveals multiple scholarly and journalist works on these vulnerabilities, and more than a few describe how to exploit them for very little financial investment, making them potentially cheap attack vectors.

Even the Navy’s vast size and scope of its networks present a vulnerability to its interests in cyberspace. As of 2006, the Navy and Marine Corps Intranet (NMCI), a Government Owned-Contractor Operated (GOCO) network that connects Navy and Marine Corps CONUS shore commands under a centralized architecture, is “the world’s largest, most secure private network serving more than 500,000 sailors and marines globally.” That number has likely grown in the 10 years since that statistic was published, and even though the name has been changed to the Navy’s Next Generation Network (NGEN), it is still the same large beast it was before, and remains one of the single largest network architectures operating worldwide. Such a network provides an enticing target.

Technical Security Measures and Controls

The Navy employs the full litany of technical cybersecurity controls across the naval network enterprise, afloat and ashore. Technical controls include host level protection through the use of McAfee’s Host Based Security System (HBSS), designed specifically for the Navy to provide technical controls at the host (workstation and server) level. Network controls include network firewalls, intrusion detection and prevention systems (IDS/IPS), security information and event management, continuous monitoring, boundary protection, and defense-in-depth functional implementation architecture. Anti-virus protection is enabled on all host systems through McAfee Anti-Virus, built into HBSS, and Symantec Anti-Virus for servers. Additionally, the Navy employs a robust vulnerability scanning and remediation program, requiring all Navy units to conduct a “scan-patch-scan” rhythm on a monthly basis, although many units conduct these scans weekly.

The Navy’s engineering organization for developing and implementing cybersecurity technical controls to combat the cyber kill chain in figure 1 is the Space and Naval Warfare Systems Command (SPAWAR), currently led by Rear Admiral David Lewis, and earlier this year SPAWAR released eight technical standards that define how the Navy will implement technical solutions such as firewalls, demilitarized zones (DMZs), and vulnerability scanners. RADM Lewis noted that 38 standards will eventually be developed by 2018, containing almost 1,000 different technical controls that must be implemented across the enterprise.

Of significance in this new technical control scheme is that no single control has priority over the others. All defensive measures work in tandem to defeat the adversary’s cyber kill chain, preventing them from moving “to the right” without the Navy’s ability to detect, localize, contain, and counter-attack. RADM Lewis notes that “the key is defining interfaces between systems and collections of systems called enclaves,” while also using “open architecture” systems moving forward to ensure all components speak the same language and can communicate throughout the enterprise.

The importance of open systems architecture (OSA) as a way to build a defendable network the size of the Navy’s cannot be understated. The DoD and the Navy, in particular, have mandated use of open systems specifications since 1994; systems that “employ modular design, use widely supported and consensus-based standards for their key interfaces, and have been subjected to successful validation and verification tests to ensure the openness of their key interfaces.” By using OSA as a means to build networked systems, the Navy can layer defensive capabilities on top of them and integrate existing cybersecurity controls more seamlessly. Proprietary systems, by comparison, lack such flexibility thereby making integration into existing architecture more difficult.

Technical controls for combating the insider threat become more difficult, often revolving around identity management software and access control measures. Liang and Biros note two organizational factors to influencing insider threats: security policy and organizational culture. Employment of the policy must be clearly and easily understood by the workforce, and the policy must be enforced (more importantly, the workforce must fully understand through example that the policies are enforced). Organizational culture centers around the acceptance of the policy throughout the workforce, management’s support of the policy, and security awareness by all personnel. Liang and Biros also note that access control and monitoring are two must-have technical security controls, and as previously discussed, the Navy clearly has both yet the insider threat remains a primary concern. Clearly, more must be done at the organizational level to combat this threat, rather than just technical implementation of access controls and activity monitoring systems.

Information Security Policy Needed to Address Threats and Vulnerabilities

The U.S. Navy has had an information security policy in place for many years, and the latest revision is outlined in Secretary of the Navy Instruction (SECNAVINST) 5510.36, signed June 2006. This instruction is severely out of date and does not keep pace with current technology or best practices; Apple released the first iPhone in 2007, kicking off the smart phone phenomenon that would reach the hands of 68% of all U.S. adults as of 2015, with 45% also owning tablets. Moreover, the policy has a number of inconsistencies and fallacies that can be avoided, such as a requirement that each individual Navy unit establish its own information security policy, which creates unnecessary administrative burden on commands that may not have the time nor expertise to do so. Additionally, the policy includes a number of outdated security controls under older programs such as the DoD Information Assurance Certification and Accreditation Process (DIACAP), which has since transitioned to the National Institute for Standards and Technology (NIST) Risk Management Framework (RMF).

Beginning in 2012, the DoD began transitioning away from DIACAP towards the NIST RMF, making full use of NIST Special Publications (SPs) for policy development and implementation of security controls. The NIST RMF as it applies to DoD, and thus the Navy, is illustrated in figure 2. The process involves using NIST standards (identified in various SPs) to first categorize systems, select appropriate security controls, implement the controls, assess their effectiveness, authorize systems to operate, then monitor their use for process improvement.

Figure 2. NIST Risk Management Framework

This policy is appropriate for military systems, and the Navy in particular, as it allows for a number of advantages for policymakers, warfighters, system owners, and developers alike. It standardizes cybersecurity language and controls across the federal government for DoD and Navy policymakers, and increases rapid implementation of security solutions to accommodate the fluidity of warfighting needs. Additionally, it drives more consistent standards and optimized workflow for risk management which benefits system developers and those responsible for implementation, such as SPAWAR.

Efforts are already underway to implement these policy measures in the Navy, spearheaded by SPAWAR as the Navy’s information technology engineering authority. The Navy also launched a new policy initiative to ensure its afloat units are being fitted with appropriate security controls, known as “CYBERSAFE.” This program will ensure the implementation of NIST security controls will be safe for use aboard ships, and will overall “focus on ship safety, ship combat systems, networked combat and logistics systems” similar to the Navy’s acclaimed SUBSAFE program for submarine systems but with some notable IT-specific differences. CYBERSAFE will categorize systems into three levels of protection, each requiring a different level of cybersecurity controls commensurate with how critical the system is to the Navy’s combat or maritime safety systems, with Grade A (mission critical) requiring the most tightly-controlled component acquisition plan and continuous evaluation throughout the systems’ service life.

Implementation of the NIST RMF and associated security policies is the right choice for the Navy, but it must accelerate its implementation to combat the ever-evolving threat. While the process is already well underway, at great cost and effort to system commands like SPAWAR, these controls cannot be delayed. Implementing the RMF across the Navy enterprise will reduce risk, increase security controls, and put its implementation in the right technical hands rather than a haphazard implementation of an outdated security policy that has, thus far, proven inadequate to meet the threats and reduce vulnerabilities inherent with operating such a large networked enterprise. With the adoption of these new NIST policies also comes a new strategy for combating foes in cyberspace, and the Navy has answered that in a few key strategy publications outlined in the next section.

Potential Security Strategy for Combating Threats and Minimizing Vulnerabilities

It is important to note that the Navy, like the other armed services of the DoD, was “originally founded to project U.S. interests into non-governed common spaces, and both have established organizations to deal with cybersecurity.” The Navy’s cyber policy and strategy arm is U.S. Fleet Cyber Command (FLTCYBERCOM, or FCC), co-located with the DoD’s unified cyber commander, U.S. Cyber Command (USCYBERCOM, or USCC). Additionally, its operational cyber arm, responsible for offensive and defensive operations in cyberspace, is U.S. 10th Fleet (C10F), which is also co-located with U.S. Fleet Cyber and shares the same commander, currently Vice Admiral Michael Gilday.

Prior to VADM Gilday’s assumption of command as FCC/C10F, a strategy document was published by the Chief of Naval Operations in 2013 known as Navy Cyber Power 2020, which outlines the Navy’s new strategy for cyberspace operations and combating the threats and vulnerabilities it faces in the information age. The strategic overview is illustrated in figure 3, and attempts to align Navy systems and cybersecurity efforts with four main focus areas: integrated operations, optimized cyber workforce, technology innovation, and acquisition reform. In short, the Navy intends to integrate its offensive and defensive operations with other agencies and federal departments to create a unity of effort (evident by its location at Ft. Meade, MD, along with the National Security Agency and USCC), better recruit and train its cyber workforce, rapidly provide new technological solutions to the fleet, and reform the acquisition process to be more streamlined for information technology and allow faster development of security systems.

Figure 3. Threats and Motivations, Strategic Focus of Navy Cybersecurity 

Alexander Vacca, in his recent published research into military culture as it applies to cybersecurity, noted that the Navy is heavily influenced by sea combat strategies theorized by Alfred Thayer Mahan, one of the great naval strategists of the 19th century. Indeed, the Navy continually turns to Mahan throughout an officer’s career from the junior midshipman at the Naval Academy to the senior officer at the Naval War College. Vacca noted that the Navy prefers Mahan’s “decisive battle” strategic approach, preferring to project power and dominance rather than pursue a passive, defensive strategy. This potentially indicates the Navy’s preference to adopt a strategy “designed to defeat enemy cyber operations” and that “the U.S. Navy will pay more attention to the defeat of specified threats” in cyberspace rather than embracing cyber deterrence wholesale. Former Secretary of the Navy Ray Mabus described the offensive preference for the Navy’s cyberspace operations in early 2015, stating that the Navy was increasing its cyber effects elements in war games and exercises, and developing alternative methods of operating during denial-of-service situations. It is clear, then, that the Navy’s strategy for dealing with its own vulnerabilities is to train to operate without its advanced networked capabilities, should the enemy deny its use. Continuity of operations (COOP) is a major component in any cybersecurity strategy, but for a military operation, COOP becomes essential to remaining flexible in the chaos of warfare.

A recent  article describing a recent training conference between top industry cybersecurity experts and DoD officials was critical of the military’s cybersecurity training programs. Chief amongst these criticisms was that the DoD’s training plan and existing policies are too rigid and inflexible to operate in cyberspace, stating that “cyber is all about breaking the rules… if you try to break cyber defense into a series of check-box requirements, you will fail.” The strategic challenge moving forward for the Navy and the DoD as a whole is how to make military cybersecurity policy (historically inflexible and absolute) and training methods more like special forces units: highly trained, specialized, lethal, shadowy, and with greater autonomy within their specialization.

Current training methods within the U.S. Cyber Command’s “Cyber Mission Force” are evolving rapidly, with construction of high-tech cyber warfare training facilities already underway. While not yet nearly as rigorous as special forces-like training (and certainly not focused on the physical fitness aspect of it), the training strategy is clearly moving in a direction that will develop a highly-specialized joint information warfare workforce. Naegele’s article concludes with a resounding thought: “The heart of cyber warfare…is offensive operations. These are essential military skills…which need to be developed and nurtured in order to ensure a sound cyber defense.

Conclusions

This paper outlined several threats against the U.S. Navy’s networked enterprise, to include nation state cyber-rivals like China, Russia, Iran, and North Korea, and non-state actors such as hactivists, individual hackers, terrorists, and criminal organizations. The insider threat is of particular concern due to this threat’s ability to circumvent established security measures, and requires organizational and cultural influences to counter it, as well as technical access controls and monitoring. Additionally, the Navy has inherent vulnerabilities in the PNT technology used in navigation and weapon systems throughout the fleet, as well as the vast scope of the ashore network known as NMCI, or NGEN.

The Navy implements a litany of cybersecurity technical controls to counter these threats, including firewalls, DMZs, and vulnerability scanning. One of the Navy’s primary anti-access and detection controls is host-based security through McAfee’s HBSS suite, anti-virus scanning, and use of open systems architecture to create additions to its network infrastructure. The Navy, and DoD as a whole, is adopting the NIST Risk Management Framework as its information security policy model, implementing almost 1000 controls adopted from NIST Special Publication 800-53, and employing the RMF process across the entire enterprise. The Navy’s four-pronged strategy for combating threats in cyberspace and reducing its vulnerability footprint involves partnering with other agencies and organizations, revamping its training programs, bringing new technological solutions to the fleet, and reforming its acquisition process. However, great challenges remain in evolving its training regimen and military culture to enable an agile and cyber-lethal warfighter to meet the growing threats.

In the end, the Navy and the entire U.S. military apparatus is designed for warfare and offensive operations. In this way, the military has a tactical advantage over many of its adversaries, as the U.S. military is the best trained and resourced force the world has ever known. General Carl von Clausewitz, in his great anthology on warfare, stated as much in chapter 3 of book 5 of On War (1984), describing relative strength through admission that “the principle of bringing the maximum possible strength to the decisive engagement must therefore rank higher than it did in the past.” The Navy must continue to exploit this strength, using its resources smartly by enacting smart risk management policies, a flexible strategy for combating cyber threats while reducing vulnerabilities, and training its workforce to be the best in the world.

Lieutenant Howard is an information warfare officer/information professional assigned to the staff of the Chief of Naval Operations in Washington D.C. He was previously the Director of Information Systems and Chief Information Security Officer on a WASP-class amphibious assault ship in San Diego.

Dr. da Cruz is a Professor of International Relations and Comparative Politics at Armstrong State University, Savannah, Georgia and Adjunct Research Professor at the U.S. Army War College, Carlisle, Pennsylvania.

The views expressed here are solely those of the authors and do not necessarily reflect those of the Department of the Navy, Department of the Army, Department of Defense or the United States Government.

Featured Image: At sea aboard USS San Jacinto (CG 56) Mar. 5, 2003 — Fire Controlman Joshua L. Tillman along with three other Fire Controlmen, man the shipÕs launch control watch station in the Combat Information Center (CIC) aboard the guided missile cruiser during a Tomahawk Land Attack Missile (TLAM) training exercise. (RELEASED)

The Lawless Trons of Cyberspace

 By LT Travis Nicks, USN

Introduction

Open borders are here. You likely crossed the Rio Grande before breakfast this morning and you’ll sneak into China before you sleep tonight. Trons travel through cyberspace ignoring all manners of political boundaries. Technology doesn’t care where Ukraine ends and Russia begins, or about an air gap between China and Taiwan. The policy of cyber does; it shouldn’t.

Conceptualizing Cyber Borders

 The national policy for cyber borders has been similar to conceptions of airspace: a vertical extension of geopolitical borders into the sky, or in the case of cyber, into the flowing infrastructure of the internet. If a plane is going to travel through the airspace of another country, that country has to agree to it or the flight has to go around. A long-range bomber aircraft might fly over a few countries for a raid on the other side. Packets or “trons” can travel continents’ worth of countries in a path of least resistance taking seconds. Furthermore, while borders stay the same, digital routes are totally dynamic. In order to prevent the unintended escalation of cyber operations, we must divorce the routes trons take from the effects they cause.

A Path Forward

Fortunately, an existing policy framework already exists for an effects-based policy in a new frontier. We need to rise above the airspace mentality, and draw inspiration from satellites. Satellites travel freely over countries and cross borders with impunity. The international community agreed to a borderless framework in space in the Outer Space Treaty of 1967.1 The orbit a satellite is on and its position relative to political borders are irrelevant when it takes an action that causes an effect. The effect is all that matters. The group at the effect’s end may protest or retaliate, but the country under the satellite at the time of the action will have no issue. If, for example, China shot down a Russian satellite while the satellite was over Mexico, Russia would have no issue with Mexico for having allowed the attack above them, because they don’t own that space. Instead, China would be responsible for causing the malign effect.

The Department of Defense (DoD) has addressed this attribution issue. The DoD Law of War Manual specifically addresses “cyber operations that use communications infrastructure in neutral states.”2 This policy allows trons to be routed through neutral nations so long as the cyber infrastructure in that country allows innocuous information to be routed through it as well, if they route trons for the common World Wide Web. It also specifically acknowledges that it is unreasonable to expect other nations to review all cyber traffic for its content. These principles are fundamental to the spirit and design of the internet. Acknowledging those fundamentals will prevent future conflicts that will otherwise arise from misattribution during analysis of tron routes. Imagine Canada sends cyber attack trons to Russia via France, Thailand, and China. It is easy to see Russia determining that China may not have ownership of the trons that attacked them, but—unless we agree otherwise—they were complicit in the attack. A scenario where clumsy confusion leads to aggressive accusation, the likes of which we have not seen since the eve of WW1, is not far-fetched given the cyber domain’s peculiarities.

Many international cyber agreements are being written. One, the International Code of Conduct for Information Security, has already been signed by major players Russia and China. That agreement addresses the intent of cyber warfare and end effects, but leaves a grey area in between. A 2013 NATO report addressed this point indirectly, saying “demilitarized zones are not feasible in the context of cyberspace, due to its global scope.”3 NATO failed to separate the infrastructure itself from the use of the infrastructure. A United Nations report from 2015 (aware of NATO’s 2013 report)  further departs in the wrong direction and declares “states of jurisdiction over the ICT (information and communications technologies) infrastructure located within their territory.”4 This policy direction simply does not pragmatically address the technology involved. The transnational spirit of the internet and the technology itself does not respect borders as the UN does. A failure to acknowledge this fact is dangerous. The focus on infrastructure and not on the transmissions and effects of the technology leaves a dangerous grey area.

The solution is an agreement among the international community to ignore cyber routes. The DoD’s cyber components must press this issue into international agreements. The Department is uniquely equipped to lead this effort. It is the center of our nation’s cyber warfare universe. The NSA, CIA, DIA, and others with less notoriety are led or staffed largely by military officers and enlisted, retired versions of the same, or DoD civilians. No other organization is as integrated into every aspect of offensive and defensive cyber operations. DoD’s outsized operational involvement gives us an equally outsized cyber policy voice, and we should use it to ensure a discussion on cyber routes.

The discussion should acknowledge, first, that attribution is the foundation of cyber warfare. Second, acknowledge that routing technologies use the communications equipment of neutral states to obscure  the origin of cyber-attacks. After establishing those truths, the policy must focus on ensuring the analysis of digital forensic evidence acknowledges the inherent deceptiveness of cyber route analysis and delegitimizes the evidence as international policy. The international community must agree to focus on the information and effects of the trons and not attempt to hold accountable the infrastructure used for transmission. Absolve the owners of the infrastructure and the land on which it sits from responsibility for the trons it transmits, and inversely remove the standing they might have if they dislike the trons.

Conclusion

The publicly available cyber discussions in the international community have so far focused on intent, effects, and physical infrastructure while they ignore any agreement on cyber routes. To avoid a massive international misunderstanding in the fog of attribution we must internationally agree to ignore cyber routes. We have a framework for this. In space we own the object, not the orbit. In cyber we will own the information, not the route.

Travis Nicks is a nuclear submarine officer serving at the Pentagon. He is focused on finding precise fixes to complex problems. LT Nicks is interested in cyber policy and personnel performance issues. The views herein are his alone and do not represent the views of the Department of Defense, the Department of the Navy, or any other organization.

References

1. Outer Space Treaty, 1967, Article II

2. Department of Defense, Law of War Manual, 2016, Section 16.4.1

3. Dr. Katharina Ziolkowski, NATO Cooperative Cyber Defense Centre of Excellence, Confidence Building Measures for Cyberspace – Legal Implications, 2013, Section 3.2

4. Group of Government Experts, United Nations General Assembly, report on Developments in the Field of Information and Telecommunications in the Context of International Security, 2015, Section VI.28.a.

Featured Image: U.S. Navy Petty Officer 1st Class Joel Melendez, Naval Network Warfare Command information systems analysis, U.S. Air Force Staff Sgt. Rogerick Montgomery, U.S. Cyber Command network analysis, and U.S. Army Staff Sgt. Jacob Harding, 780th Military Intelligence Brigade cyber systems analysis, analyze an exercise scenario during Cyber Flag 13-1, Nov. 8, 2012, at Nellis Air Force Base, Nev. (U.S. Air Force photo by Senior Airman Matthew Lancaster)

Trident: Industry, Scotland, and Long-Range Bomber and Land-Based Missile Alternatives

By Alex Calvo

Introduction

The third installment in our four-part series begins with Trident’s impact on British industry and the Scottish factor, very much in evidence in the run up to the 2014 referendum. We then move to examine British nuclear doctrine, asking ourselves whether a minimal posture is tenable, and looking in this connection at potential cyber and undersea unmanned threats to submarines, both of which have attracted public attention over the last few months. While in July this year the UK Parliament voted to renew the Trident fleet with the building of four new submarines, it is still interesting to discuss whether Trident’s cost may have been cut by reducing the number of boats. We then move to consider potential nuclear alternatives to the program, starting with long-range bombers and land-based missiles, leaving submarine and air-launched cruise missiles for the fourth and final installment in our series. Read Part One, Part Two

Trident and British Industry

Any decisions on defense have an industrial component, leading to an uneasy conundrum. On the one hand, the acquisition of assets should be at least primarily motivated by the needs and priorities laid down in defense planning. On the other, because of the sums involved and the strong link between military and civilian research and development, it is impossible to view defense procurement separately from industrial and scientific policy. Thus, while the decision on the continuity of Trident taken in July this year by the UK Parliament should ideally not rest on the interests of the industrial actors involved, we cannot simply dismiss them when analyzing it. In particular, when pondering both nuclear and non-nuclear alternatives to Trident, it is likely that British authorities examined the resulting net effect on British defense and dual-use industries as a whole and on those companies involved in Trident.

We could say something similar when it comes to jobs, which should not have been the primary consideration, but are likely to have featured in this political decision. Some estimates say up to 15,000 jobs may have been lost had Trident not been renewed, but the net impact both in terms of figures and human capital depends on the alternatives should Trident been discontinued. BASIC notes how Trident’s base “supports some 6,700 jobs, expected to rise to 8,200 by 2022,” adding that “the UK submarine industry accounts for 3% of employment in the UK’s scientific and defense industrial base,” and that a “replacement as currently planned could employ up to 26,000 people at some point in the process.” This could at least partly explain the huge majority of 355 in a 650-strong chamber that voted for the program’s renewal with more than half of opposition Labour MPs voting aye in direct contradiction with their leader’s stance, and this after PM Theresa May had publicly made it clear she was ready to press the nuclear button if necessary. Furthemore, while Labour leader Jeremy Corbyn was later reelected by an increased majority of 62 percent, his shadow defense minister, Clive Lewis, stated that his party would remain committed to an independent, sea-based, British nuclear deterrent.

The Scottish Factor: Trident and the Union

The SNP and, more widely, Scottish Nationalists, have traditionally been hostile to Trident for a number of reasons. Among them we may note the party’s weak commitment to security and defense, little regard for collective security, hostility to the notion of the UK as a major world power, and willingness to outsource key policy areas to the European Union. At the tactical level, as seen in the 2014 referendum campaign, opposing Trident may enable the Nationalist camp to attract voters not strongly for or even opposed to independence but who fiercely reject nuclear weapons. Some of these voters may see a non-nuclear independent Scotland as a lesser evil. Others in this category may have seen a vote for independence or a vote for the SNP in future elections as a tactical move to force an end to the British nuclear deterrent. The July 2016 parliamentary vote on Trident was yet another opportunity for the SNP to underline its opposition to Trident, made even more visible by the vote in favor of a majority of opposition Labour MPs. Its 54 members of parliament voted against, and the party warned it would prompt a further push for independence, although opinion polls suggest a majority of Scots favor retaining the deterrent.

In connection to this matter, in the run-up to the referendum, there was speculation that the UK may relocate Trident to Devonport (Plymouth), with a report by RUSI estimating the additional cost at £3.5bn. The report concluded that “while the technical and financial challenges presented by Scottish independence would influence this discussion, they would not be severe enough to dictate it.”

British Nuclear Doctrine: Is a Minimal Posture Tenable?

If the UK’s move to a minimal deterrence posture had been followed by other nuclear states, or at least by negotiations with that purpose in mind, the country may have gone down in the annals of history as a pioneer in the noble pursuit of nuclear disarmament. Although the concept, also referred to as “deterrence lite,” has been extensively discussed in academic and government fora, such a move does not appear likely right now. Rather the contrary, with just to mention a few examples including worsening relations between Washington and Moscow, Pakistan developing a sea-based deterrent, and Japan increasingly pondering the convenience of at the very least retaining a powerful “latent” capability on the face of a resurgent China.

The Pacific Egret docked in Tokai (Ibaraki Prefecture) in March 2016, waiting to depart to the US with a cargo of Japanese plutonium. Tokyo's large stockpiles are one of the reasons why the country is considered to be a 'latent nuclear power. (Kyodo)
The Pacific Egret docked in Tokai (Ibaraki Prefecture) in March 2016, waiting to depart to the U.S. with a cargo of Japanese plutonium. Tokyo’s large stockpiles are one of the reasons why the country is considered to be a ‘latent nuclear power. (Kyodo)

The UK is experiencing growing tensions with an established nuclear power, Russia, which shows no intention of relying on non-conventional weapons to a lesser extent in the near future. More precisely, Russian sources note how not until current military reforms reach a successful conclusion will the country be able to lessen her dependence on tactical nuclear weapons (seen as essential not only in a Euro-Atlantic context, but also in a Chinese one, although the latter is seldom publicly discussed). Even without taking into account other potential conflict scenarios, this provides a powerful incentive to retain Trident or some other form of nuclear deterrent, since otherwise the UK would not only be open to nuclear blackmail but the decision to forego the country’s nuclear status may be seen as a sign of weakness and lack of resolve.

Cyber and Undersea Unmanned Threats to the UK’s Minimal Posture

As already explained, the decision to build a sea-based deterrent rested on the assumption that it would be very difficult for a hostile power to detect and destroy submarines, thus ensuring a second-strike capability. This also allowed London to move to a minimal posture, with just one such submarine on patrol at any given time. Of course, it was noted that while “No sector of a superpower’s defense system is quite so invulnerable against a preemptive attack as its fleet of highly mobile, deep-diving, long-ranging missile-bearing submarines. These make possible a second-strike capability that acts as a forceful deterrent against aggression,” and, “this situation could become unbalanced through the development of effective techniques of strategic antisubmarine warfare (ASW).” In recent months, a public debate has emerged concerning two possible threats against British strategic nuclear submarines: cyber warfare and the advent of unmanned undersea systems (submarine drones).

In November 2015, Lord Browne of Ladyton, former British Defence Secretary from 2006 to 2008 and now vice-chair of pro-disarmament group Nuclear Threat Initiative, said: “The government … have an obligation to assure parliament that all of the systems of the nuclear deterrent have been assessed end-to-end against cyber attacks to understand possible weak spots and that those weak spots are protected against a high-tier cyber threat. If they are unable to do that then there is no guarantee that we will have a reliable deterrent or the prime minister will be able to use this system when he needs to reach for it.” Browne cited a January 2013 report by the Pentagon’s Defense Science Board to support his views. Just one week earlier, Chancellor George Osborne had announced an additional investment of £ 3.2 billion in cybersecurity over a five-year period, an amount coming “nowhere near the scale of the cyber-threat challenge” according to Browne.

Franklin Miller, a former U.S. defense official involved in nuclear policy between 1981 and 2001, refuted Browne’s arguments, saying that “If our nuclear command and control system depended upon the internet or went through the internet then the report by the defense science board would be quite an important warning. However, for those reasons it is a standalone system. It is air-gapped. It does not go through the internet.” Miller added that the 2013 report cited by Browne had been written in 2013 as a “shot across the bow” to members of the U.S. defense community thinking of having some elements of the next generation command and control system for the U.S. nuclear deterrent connected to the internet. He said “I am very comfortable saying that right now our command and control system is insulated from cyber-attack because it doesn’t go into any place that cyber would intrude.”

Concerning swarms of undersea drones, the concept is gaining traction as a possible threat to strategic submarines, even though the technology is still in its early stages. The U.S. Navy is already moving forward in this arena with plans to deploy unmanned underwater vehicles (UUVs) from Virginia-class attack submarines. In December 2015, Paul Ingram, BASIC’s chief executive, warned that progress in underwater drone technology threatened to make Trident submarines vulnerable, in line with other experts who have cautioned about “a revolution in underwater drones, as well as advances in sonar, satellite and other anti-submarine warfare systems” making “even totally silent submarines … likely to become detectable.” Ingram said that “There is a major transition taking place in the underwater battle space and it is far from clear how the new submarine will be able to evade detection from emerging sophisticated anti-submarine warfare capabilities.” Adding that this “raises serious questions about the wisdom of putting all your nuclear weapons on board a submarine,” Ingram called for a public debate on this impending vulnerability.

Despite much interest among major navies, underwater drones are being developed at a much slower pace than their aerial counterparts, an often cited reason being water’s much greater opacity to radio waves. According to Frank Herr, head of the Office of Naval Research’s ocean battlespace sensing department, “Underwater vehicles are much harder to do because of this inability for us to communicate robustly with the vehicles the way you can in the air. That means they are way behind in the development.” Chris Rawley, a surface warfare officer in the U.S. Navy Reserve, believes that “the premise that UUVs will make Tridents more detectable glosses over of the complexities of ASW. The physics of underwater sound propagation don’t change just because we take the man out of the loop. Unmanned systems can potentially put more persistent sensors in the water column, but I’d guess we’re at least two decades out from them making a significant impact on ASW.” Rawley discusses this in more detail in a 2015 interview with CIMSEC.

Could Trident’s Cost be Cut by Reducing the Number of Submarines?

In the run-up to the July 2016 parliamentary vote to renew Trident, some voices, including the Liberal Democrats (the Conservatives’ junior coalition partner in the previous administration) and Labour, the main opposition party, suggested or at least speculated on the possibility of reducing the cost of Trident by cutting down the number of boats from the current four. The Liberal Democrats, which open the section in their website on Trident with harsh words, calling it “out-dated and expensive. It is a relic of the Cold War and not up-to-date in 21st century Britain,” while arguing that “It would be extremely expensive and unnecessary to replace all four submarines, so we propose to replace some of the submarines instead. They would not be on constant patrol but could be deployed if the threat from a nuclear-armed country increased.” BASIC included the option of “irregular undisclosed patrolling patterns” in its 2015 “A Memo to the Next Prime Minister: Options Surrounding the Replacement of Trident,” estimating the potential yearly savings at up to 1 billion. Right now, as emphasized by the Royal Navy itself “One of the Navy’s four strategic submarines is always on patrol, ensuring a continuous at sea deterrent, 24/7/365, carrying the nation’s ultimate weapon somewhere in the Seven Seas.” It is very doubtful whether fewer than four submarines could achieve this objective. The need to keep four submarines has been emphasized by many observers, with for example Simon Michell writing for RUSI that “if the United Kingdom is to have a credible and assured nuclear deterrent based on the submarine-launched Trident missile, then four boats are required, not three.” Therefore, it is plausible, should the cost of Trident be considered to be excessive, to move to another kind of deterrent, for example air-based, rather than relying exclusively on a number of boats too small to ensure a consistent deterrent.

Having fewer than four nuclear boats may not only deliver smaller savings than straight arithmetic may suggest given factors such as economies of scale, but would result in gaps in the deterrent with no submarine patrolling at certain given times. This may be seen by a would-be aggressor as providing a window of opportunity. Furthermore, it could be destabilizing in many ways. For example, during a crisis at a time with no boats on patrol, the knowledge that one was soon to sail may be seen by the other side as providing an incentive to strike first. It may also be interpreted as a hostile move, a step in escalation designed to increase pressure. The Trident Alternatives Review, as an exercise in coalition politics, did not rule out this possibility, while failing to discuss in depth the possibility of a sudden unannounced nuclear attack, but nevertheless gave some clues as to why three boats, as opposed to four, would mean accepting a higher degree of risk that such an attack may take place. Where the Review was crystal clear was in explaining that “Over a 20 year period, a 3-boat fleet would risk multiple unplanned breaks in continuous covert patrolling as well as requiring regular planned breaks for maintenance and/or training. Experience to date with the Resolution-class and Vanguard-class SSBNs is that no such breaks have occurred or been required with a 4-boat fleet.” Thus, we can see how lacking the capacity for continuous patrols not only means the deterrent is not always available but also introduces a new factor in an adversary’s calculus during crisis, opening up different venues of speculation concerning the possible motivations for the start and end of deterrence patrols.

Nuclear Alternatives to Trident: Long-Range Bombers

The UK may remain a nuclear power while shifting to other vectors for the country’s warheads. This may result from different motivations, such as cost calculations, a changed perspective on submarine survivability, or the desire for greater strategic autonomy vis a vis the United States, among other few possibilities. Shifting to another delivery method would have a wide range of implications, not only in terms of range, survivability, domestic politics, credibility just to name a few, but for example, inter-service considerations. Trident underscores the Royal Navy’s status as the senior service, which any non-naval alternative would not support in the same way.

Air delivery systems may consist of either missiles launched by aircraft, or gravity bombs dropped by them. An air-dropped alternative to Trident was suggested last year by think-tank Centre Forum. In its report, this organization argues that a minimum nuclear deterrent should be able to destroy “ten or more … major urban areas” of a nuclear adversary (it should be noted that British nuclear doctrine does not provide any explicit assurance to non-nuclear weapons states) and that the UK should therefore be able of delivering 30 warheads.” It goes on to say that “This requires a considerably lower level of capability than” that provided by Trident, meaning that “the UK can achieve deterrence with a considerably less capable nuclear weapons system, saving money and contributing to long-term multilateral nuclear disarmament.” Based on this and other considerations, the report suggests that the UK “move to a free-fall nuclear capability based on Lockheed Martin F-35 Lightning II / Joint Strike Fighter (JSF) that the UK is currently procuring and the forthcoming U.S. B61 Mod 12 (B61-12) bombs that will arm NATO nuclear Dual-Capable Aircraft (DCA) from 2020.” It estimates the capital cost of “100 anglicised B61-12s” at “approximately £16.7bn,” a figure that would include a number of additions to current planned capabilities, among them enabling the Queen Elizabeth-class carriers to operate catapult-launched, arrested-landing aircraft (with a wider range than the vertical takeoff variant currently planned) and extra naval assets such as five attack submarines and four type 26 frigates. The text presents this alternative as a compromise bringing about costs savings while enhancing conventional capabilities, preserving the submarine industrial base, and “a concrete step down the nuclear ladder and towards future nuclear disarmament as the international situation allows in accordance with the UK’s nuclear Non-Proliferation Treaty obligations.”

Given the UK’s global role and the duty to protect British Overseas Territories, any nuclear alternative to Trident should have an equivalent range. This may be a challenge for nuclear bombers, less so for submarine-launched cruise missiles, and would not apply to land-based ICBMs (intercontinental ballistic missiles). The travails of strategic bombers when targets are far from bases were already illustrated in the Falklands War, where the strike against Port Stanley’s airport required the complex coordination of a very large number of aircraft operating from Asuncion Island. The Centre Forum document argues that a combination of existing overseas bases and “Air-to-Air Refueling (AAR) support from RAF Voyager KC2/KC3 tankers covers all of Africa, Europe, the Middle East and South America, along with the Indian subcontinent and most of former Soviet Central Asia.” Leaving aside the fact that this would not cover all existing nuclear weapons states, the sheer complexity of the necessary AAR operations to reach some corners of the world may put a dent on the deterrent’s credibility, tempting a would-be aggressor into thinking it may not ensure a British response. This was noted by a commentator, who wrote “Where the credibility gets shaky is in the delivery. A Voyager tanker can trail 4 fighter jets for 2800 miles in a transfer flight, but an actual strike mission, especially if a return to base is at least envisaged, is a whole different matter. Even bringing all 14 tankers in service (instead of just 8 + 1 transport only and 5 tankers “on demand” at 90 days notice) and fitting them with booms and receptacles so they can juggle fuel between themselves and work cooperatively, it remains dubious that it would be possible to trail a real strike package over the great distances likely to be involved. Particularly because, in order to deliver the strike with gravity-fall bombs with a stand-off reach of 40 kilometers in the very, very best case, you need a large attack squadron, knowing that many aircraft are likely not to make it to the target, even with the F-35’s stealth.”

Date:- 02 July 2011 WAD-11-0463 Background: Every year in July, RAF Waddington opens it's doors to the general public in staging the Royal Air Force's premier airshow event. In 2011, the undoubted stars of the show are the United States Air Force aerobatic display team 'The Thunderbirds'. Along with the welcome return of crowd favourites- the Vulcan and the Red Arrows, are the Battle of Britain Memorial flight and the classic B-17 bomber 'Sally B' from WW2. Image details: The Vulcan aircraft landing at Waddington. Photo By:- SAC Andy Stevens (RAF) For further information contact: Royal Air Force Waddington Media Communications Officer, RAF Waddington MCO Waddington Lincolnshire LN5 9NB Tel 01522 726804
The long-range nuclear bomber Avro Vulcan was employed in a conventional role in the 1982 Falklands War and later decommissioned. ( RAF photo by SAC Andy Stevens)

This text also questions whether it is realistic to expect the UK to sport 72 ready-to-strike nuclear bombers at any one time, as the Centre Forum defends when it states that “Using the 18 airfields shown in Figure 5 today, this would translate into 72 nuclear-armed F-35Cs and their accompanying Airbus Voyager KC2 / KC3 tankers safely airborne before a surprise attack could destroy them on the ground.” Furthermore, it argues that if that number was indeed available it would put such a dent on conventional capabilities as to make the whole exercise self-defeating. These unrealistic assumptions cast a shadow of doubt over the Centre Forum’s proposal, and prompt suspicions that it may have been designed, or at least have been liable to being employed, to underpin a tactical deal between those opposed to British national sovereignty and the country’s independent deterrent on the one hand, and those concerned about continued conventional defense cuts, on the other. By offering the acquisition of additional conventional assets as part of a package deal involving the replacement of Trident by a less able system, the former may have hoped to achieve the necessary political momentum against Trident, assembling a coalition with the latter and perhaps also other actors like the SNP. At a later stage, with Trident out of the way, the door would have been open to further conventional cuts degrading an already less than credible deterrent, thus achieving unilateral nuclear disarmament through the back door.   

Other disadvantages of a naval aircraft-based deterrent are, in the words of an undisclosed naval analyst, that “a ship is ALWAYS more vulnerable than a submarine” and a “plane can also be downed,” plus the fact that adding a further role to a carrier means an additional concentration of risk and incentives for the enemy to try to sink her. Operations by HMS Hermes and HMS Invincible off the Falklands, at a time when anti-access weapons were much more primitive (Argentine forces improvised a shore-launched Exocet missile, hitting HMS Glamorgan, but it was not available until very late in the war), illustrate the complications of sailing near a hostile shore, which would have been even greater had the British deterrent been based on those same two light carriers. At the end of the day, considering all these aspects, it is difficult not to see that moving from submarines to carrier-based planes would mean a significant downsizing of the British deterrent, with the corresponding negative impact on national security. In the words of another author, “A nuclear deterrent based on the B61-12 would be much less capable than Trident, this is definite. The key issue is not the power of the warhead, but the certainty that an enemy anywhere in the world can be reliably hit. Any possible existential enemy of the UK must be keenly aware that there is a credible deterrent which is unquestionably able to strike back and make him pay a price which cannot be possibly accepted.”

As noted later when discussing air-launched cruise missiles but equally applicable here, “The UK would be faced with the choice of having to keep nuclear-armed aircraft permanently in the air (where they would still be visible) or risk having the air base – and its neighbouring community – as the target for a nuclear strike by a potential adversary.”

Things may be different if a long-range bomber powered by Reaction Engines’ SABRE (Synthetic Air-Breathing Rocket Engine) is developed in the future, since such aircraft would be able to strike at any target without aerial refueling. It must be noted, though, that any such dual-capable (nuclear and conventional) bomber may prompt the same concerns over strategic instability which have pushed Washington to withdraw nuclear Tomahawk cruise missiles from service, which we discuss in this series’ final part.   

150317-N-MF696-071 INDIAN HEAD, Md. (March 17, 2015) Members of the Explosive Ordnance Disposal Technology Division team at Naval Surface Warfare Center, Indian Head prepare a Tomahawk missile for a functional ground test at the Large Motor Test Facility in Indian Head, Md. The event marks the 84th functional ground test the Division has conducted since the program began 25 years ago. (U.S. Navy photo by Monica McCoy/Released)
INDIAN HEAD, Md. (March 17, 2015) Members of the Explosive Ordnance Disposal Technology Division team at Naval Surface Warfare Center, Indian Head prepare a Tomahawk missile for a functional ground test at the Large Motor Test Facility in Indian Head, Md.  (U.S. Navy photo by Monica McCoy/Released)

Nuclear Alternatives to Trident: Land-Based Missiles

The deployment of land-based missiles involves at least two problems. First, they are considered to be the most vulnerable asset in the nuclear triad, given their fixed location. To overcome this vulnerability, an alternative may be to deploy missiles on either trucks or trains, ideally camouflaged as ordinary vehicles, but since this alternative has not featured in the debate on the replacement of Trident (in contrast with Russian work in this area) we shall not examine it in detail here.

Second, the construction of the necessary infrastructure may pose legal (land planning) and political complications. As noted in the 2015 RUSI conference on missile defense, it is precisely these legal and political difficulties involved in deploying certain land-based assets that make a naval missile shield the most realistic alternative for British plans on national BMD (ballistic missile defense). Additionally, as discussed when dealing with cruise missiles, developing a new vector would involve significant time and treasure.

In our next and final installment in this series, we will look at other possible alternatives to trident, including both air and submarine-launched cruise missiles. This will include an examination of their technical aspects, as well as wider economic and policy issues. In the case of submarine-launched nuclear missiles, this includes the risk of confusion with their conventional brethen. Last, we will examine a very different scenario, namely the UK as a Japanese-syle ‘latent’ nuclear power. Stay tuned!

Alex Calvo, a former guest professor at Nagoya University (Japan), focuses on security and defence policy, international law, and military history, in the Indian-Pacific Ocean Region. He tweets at Alex__Calvo and his papers can be found at https://nagoya-u.academia.edu/AlexCalvo Previous work on British nuclear policy includes A. Calvo and O. Olsen, “Defending the Falklands: A role for nuclear weapons?” Strife Blog, 29 July 2014.

Featured Image: The Trident nuclear submarine HMS Victorious is pictured near Faslane in Scotland. (UK Ministry of Defence)

Predicting the Proliferation of Cyber Weapons into Small States

This article originally featured at National Defense University’s Joint Force Quarterly and is republished with permission. Read it in its original form here.

By Daniel Hughes and Andrew M. Colarik

Recent analysis of cyber warfare has been dominated by works focused on the challenges and opportunities it presents to the conventional military dominance of the United States. This was aptly demonstrated by the 2015 assessment from the Director of National Intelligence, who named cyber threats as the number one strategic issue facing the United States.1 Conversely, questions regarding cyber weapons acquisition by small states have received little attention. While individually weak, small states are numerous. They comprise over half the membership of the United Nations and remain important to geopolitical considerations.2 Moreover, these states are facing progressively difficult security investment choices as the balance among global security, regional dominance, and national interests is constantly being assessed. An increasingly relevant factor in these choices is the escalating costs of military platforms and perceptions that cyber warfare may provide a cheap and effective offensive capability to exert strategic influence over geopolitical rivals.

This article takes the position that in cyber warfare the balance of power between offense and defense has yet to be determined. Moreover, the indirect and immaterial nature of cyber weapons ensures that they do not alter the fundamental principles of warfare and cannot win military conflicts unaided. Rather, cyber weapons are likely to be most effective when used as a force multiplier and not just as an infrastructure disruption capability. The consideration of cyber dependence—that is, the extent to which a state’s economy, military, and government rely on cyberspace—is also highly relevant to this discussion. Depending on infrastructure resiliency, a strategic technological advantage may become a significant disadvantage in times of conflict. The capacity to amplify conventional military capabilities, exploit vulnerabilities in national infrastructure, and control the cyber conflict space is thus an important aspect for any war-making doctrine. Integrating these capabilities into defense strategies is the driving force in the research and development of cyber weapons.

Located at Naval Computer and Telecommunications Area Master Station Pacific, Wahiawa, Hawaii, Mobile User Objective System is next-generation narrowband tactical satellite communications system intended to significantly improve ground communications for U.S. forces on the move, November 3, 2008 (U.S. Navy/John W. Ciccarelli, Jr.)
Located at Naval Computer and Telecommunications Area Master Station Pacific, Wahiawa, Hawaii, Mobile User Objective System is next-generation narrowband tactical satellite communications system intended to significantly improve ground communications for U.S. forces on the move, November 3, 2008 (U.S. Navy/John W. Ciccarelli, Jr.)

The Nature of Cyber Warfare

Cyber warfare is increasingly being recognized as the fifth domain of warfare. Its growing importance is suggested by its prominence in national strategy, military doctrine, and significant investments in relevant capabilities. Despite this, a conclusive definition of cyber warfare has yet to emerge.3 For our purposes, such a definition is not required as the critical features of cyber warfare can be summarized in three points. First, cyber warfare involves actions that achieve political or military effect. Second, it involves the use of cyberspace to deliver direct or cascading kinetic effects that have comparable results to traditional military capabilities. Third, it creates results that either cause or are a crucial component of a serious threat to a nation’s security or that are conducted in response to such a threat.4 More specifically, cyber weapons are defined as weaponized cyber warfare capabilities held by those with the expertise and resources required to deliver and deploy them. Thus, it is the intent to possess the skills required to develop and deploy cyber weapons that must be the focus of any national security strategy involving cyber warfare.

Notable theorists have judged that in cyber warfare, offense is dominant.5 Attacks can be launched instantaneously, and there is rapid growth in the number of networks and assets requiring protection. After all, cyberspace is a target-rich environment based on network structures that privilege accessibility over security. Considerable technical and legal difficulties make accurate attribution of cyber attacks, as well as precise and proportionate retaliation, a fraught process.6 There is also the low cost of creating cyber weapons—code is cheap—and any weapon released onto the Internet can be modified to create the basis of new offensive capabilities.7 All of this means that the battlespace is open, accessible, nearly anonymous, and with an entry cost that appears affordable to any nation-state.

Strategies that rely too heavily on offensive dominance in cyber warfare may, however, be premature. Cyber dependence—the extent to which an attacker depends on cyberspace for critical infrastructure—is crucial to the strategic advantages that cyber weapons can provide. Uncertainty rules as the dual-use nature of cyber weapons allows them to be captured, manipulated, and turned against their creators.8 Equally important is the practice of “escalation dominance.”9 As shown by as yet untested U.S. policy, retaliation for a cyber attack may be delivered by more destructive military capabilities.10 And while the speed of a cyber attack may be near instantaneous, preparation for sophisticated cyber attacks is considerable. The Stuxnet attack required the resources of a technologically sophisticated state to provide the expansive espionage, industrial testing, and clandestine delivery that were so vital to its success. The above demonstrates that the true cost of advanced cyber weapons lies not in their creation but in their targeting and deployment, both of which reduce their ability to be redeployed to face future, unforeseen threats.

Cyber weapons are further limited by their lack of physicality. As pieces of computer code, they generate military effect only by exploiting vulnerabilities created by reliance on cyberspace.11 They can attack vulnerable platforms and infrastructures by manipulating computer systems or act as a force multiplier to traditional military assets. This may lead to the disruption and control of the battlespace, as well as to the provision of additional intelligence when payloads are deployed. These effects, however, are always secondary—cyber weapons cannot directly affect the battlefield without a device to act through, nor can they occupy and control territory.

Ultimately, the debate regarding the balance of power in cyber warfare and the relative power of cyber weapons will likely be decided by empirical evidence relating to two factors. The first is the amount of damage caused by the compromise of cyber-dependent platforms. The second will be the extent to which major disruptions to infrastructure erode political willpower and are exploitable by conventional military capabilities. For the moment, however, it is safe to presume that conflicts will not be won in cyberspace alone and that this applies as much to small states as it does to major powers.

Uses of Cyber Weapons by Small States

To be worthy of investment, a cyber weapons arsenal must provide states with political or military advantage over—or at the very least, parity with—their adversaries. To judge whether a small state benefits sufficiently to justify their acquisition, we must understand how these capabilities can be used. A nonexhaustive list of potential cyber weapon uses includes warfighting, coercion, deterrence, and defense diplomacy. As cyber weapons are limited to secondary effects, they currently have restricted uses in warfighting. Their most prominent effect likely will be the disruption and/or manipulation of military command, control, communications, computers, intelligence, surveillance, and reconnaissance (C4ISR) capabilities and the degradation of civilian support networks. Attacks on civilian infrastructure remain most feasible, and attacks on automated military platforms are possible.12 The effective use of cyber weapons as a coercive tool is constrained by the relative size and cyber dependence of an opponent and carries the risk of weapons acting in unforeseen ways. Both of these dependencies are shared when cyber weapons are used as a deterrent. This is due to the peculiar nature of the cyber domain, where both coercion and deterrence rely on the same aggressive forward reconnaissance of an adversary’s network. This results in the difference between coercion and deterrence being reduced to intent—something difficult to prove. The final potential use of cyber weapons is as a component of defense diplomacy strategy, which focuses on joint interstate military exercises as a means to dispel hostility, build trust, and develop armed forces.13 This could be expanded to encompass cyber exercises conducted by military cyber specialists. Defense diplomacy can act as a deterrent, but it is effective only if relevant military capabilities are both credible and demonstrable.14 The latter is problematic. Advanced cyber weapons are highly classified; caution must therefore be exercised when demonstrating capabilities so that “live” network penetrations are not divulged.

These four capabilities have crucial dependencies, all of which can limit their suitability for deployment in a conflict. First, the conflicting parties must have comparable military power. Disrupting an opponent’s C4ISR will be of little consequence if they still enjoy considerable conventional military superiority despite the successful deployment of cyber weapons. Second, as demonstrated by the principle of cyber dependence, one state’s disruption of another’s cyber infrastructure is effective only if they can defend their own cyber assets or possess the capability to act without these assets with minimal degradation in operational effectiveness. Third, states must have the resources and expertise required to deploy cyber weapons, which increase commensurate with their efficacy. Fourth, cyber weapons rely on aggressive forward reconnaissance into networks of potential adversaries; weapons should be positioned before conflict begins. This creates political and military risk if an opponent discovers and traces a dormant cyber weapon. Finally, all use of cyber weapons is complicated by their inherent unpredictability, which casts doubts over weapon precision and effect. Once unleashed, the course of cyber weapons may be difficult to predict and/or contain.15 Unforeseen results may undermine relationships or spread to neutral states that then take retaliatory action.16 Accordingly, weapon deployment must follow sound strategy against clearly identified adversaries to minimize unforeseen consequences.

MQ-1 Predator and MQ-9 Reaper assigned to 432nd Aircraft Maintenance Squadron provided intelligence, surveillance, and reconnaissance, especially during Operations Iraqi Freedom and Enduring Freedom (U.S. Air Force/Vernon Young, Jr.)
MQ-1 Predator and MQ-9 Reaper assigned to 432nd Aircraft Maintenance Squadron provided intelligence, surveillance, and reconnaissance, especially during Operations Iraqi Freedom and Enduring Freedom (U.S. Air Force/Vernon Young, Jr.)

A Predictive Framework

What is offered in this section is an analytical framework that may provide a customized evaluation of whether a particular small state should—or will—acquire cyber weapons. In essence, what is being provided is a baseline for a comparative, comprehensive study on a state-by-state basis. The framework itself yields its maximum value when numerous states have been analyzed. This enables potential proliferation patterns to emerge and a clearer picture of the threat landscape to present itself.

Figure. Cyber Weapon Acquisition Framework
The outline of the basic process for analysis is provided in the figure.

Each step is explained by a purpose statement and demonstrated through a case study. The subject of the case study is New Zealand, chosen due to its membership in the Five Eyes intelligence network and because it both self-identifies as and is widely perceived to be a small state.17 Ideally, each step of the framework would be completed by a group representing a variety of perspectives from military forces, government entities, and academic specialties. There is the potential for a much more detailed evaluation than that presented, which has been condensed for brevity.

When submerged, Los Angeles–class fast attack submarine USS Santa Fe is among world’s stealthiest platforms, capable of supporting missions including anti-submarine warfare, anti–surface ship warfare, strike, naval special warfare involving special operations forces, and intelligence, surveillance, and reconnaissance, August 8, 2013 (U.S. Navy/Sebastian McCormack)
When submerged, Los Angeles–class fast attack submarine USS Santa Fe is among world’s stealthiest platforms, capable of supporting missions including anti-submarine warfare, anti–surface ship warfare, strike, naval special warfare involving special operations forces, and intelligence, surveillance, and reconnaissance, August 8, 2013 (U.S. Navy/Sebastian McCormack)

Step One: Identify Foundational Small-State Characteristics. The purpose is to identify key characteristics of the small state within three categories: quantitative, behavioral, and identity.18 Quantitative refers to measures such as land area, population, and gross domestic product (GDP). Behavioral refers to qualitative metrics concerning the behavior of a state, both domestically and within the international system. Identity refers to qualitative metrics that focus on how a state perceives its own identity. This article proposes that metrics from each category can be freely used by suitably informed analysts to assign a size category to any particular state. This avoids the need for a final definition of a small state. Instead, definition and categorization are achieved through possession of a sufficient number of overlapping characteristics—some quantitative, some behavioral, and some identity based.19 Quantitatively, New Zealand has a small population (approximately 4.5 million), a small GDP (approximately $197 billion), and a small land area.20 It is geographically isolated, bordering no other countries. In the realm of behavior, New Zealand practices an institutionally focused multilateral foreign policy. It is a founding member of the United Nations and was elected to the Security Council for the 2015–2016 term after running on a platform of advocating for other small states. It participates in multiple alliances and takes a special interest in the security of the South Pacific.21 Regarding identity, New Zealand’s self-identity emphasizes the values of fairness, independence, nonaggression, cooperation, and acknowledgment of its status as a small state.22 Its security identity is driven by a lack of perceived threat that allows New Zealand to make security decisions based on principle rather than practicality.23 This was demonstrated by the banning of nuclear-armed and nuclear-powered ships within New Zealand waters, and its subsequent informal exclusion from aspects of the Australia, New Zealand, and United States Security Treaty. Despite reduced security, however, domestic opinion strongly supported the anti-nuclear policy that, along with support for nonproliferation and disarmament, has strengthened the pacifistic elements of New Zealand’s national identity.24

Step Two: Identify Resource Availability and Policy Alignment for Cyber Weapon Development, Deployment, and Exploitation. The purpose is to identify how the use of cyber weapons would align with current security and defense policies; whether the small state has the military capabilities to exploit vulnerabilities caused by cyber weapon deployment; and whether the small state has the intelligence and technical resources needed to target, develop, and deploy cyber weapons.

In key New Zealand defense documents, references to cyber primarily mention defense against cyber attacks, with only two references to the application of military force to cyberspace. There is no mention of cyber weapon acquisition. New Zealand’s defense policy has focused on military contributions to a secure New Zealand, a rules-based international order, and a sound global economy. Because the likelihood of direct threats against the country and its closest allies is low, there has been a focus on peacekeeping, disaster relief, affordability, and maritime patrol. New Zealand’s military is small (11,500 personnel, including reservists) with limited offensive capabilities and low funding (just 1.1 percent of GDP). Accordingly, the New Zealand military lacks the ability to exploit vulnerabilities caused by the successful use of cyber weapons.

New Zealand is a member of the Five Eyes intelligence network and thus can access more sophisticated intelligence than most small states. This can be used to increase its ability to target and deploy cyber weapons. It has a modern signals intelligence capability, housed by the civilian Government Communications Security Bureau, which also has responsibility for national cybersecurity. It most likely has the technical capability to adapt existing cyber weapons or develop new ones, particularly if aided by its allies. Due to fiscal constraints, however, any additional funding for cyber weapons will likely have to come from the existing defense budget and thus result in compromises to other capabilities.25

Step Three: Examine Small-State Cyber Dependence. The purpose is to examine the small state’s reliance on cyberspace for its military capabilities and critical infrastructure, as well as its relative cyber dependence when compared to potential geopolitical adversaries.

New Zealand has moderate to high cyber dependence, with increasing reliance on online services and platforms by the government, business sector, and civil society. This dependence will increase. For example, the acquisition of new C4ISR capabilities to increase military adoption of network-centric warfare principles would create new vulnerabilities.26New Zealand’s cyber dependence is further increased by limited cybersecurity expertise.27 It does not have obvious military opponents, so its relative level of cyber dependence is difficult to calculate.

Step Four: Analyze State Behavior Against Competing Security Models. The purpose is to analyze how state behavior aligns with each competing security model and how cyber weapon acquisition and use may support or detract from this behavior. Cyber weapon arsenals are used to advance political and military objectives. These objectives depend on a state’s behavior and identity, both of which are difficult to quantify. A degree of quantification is possible, however, through the use of conceptual security models. A synthesis of recent small- state security scholarship generates four models: the first focused on alliances, the second on international cooperation, and the third and fourth on identity, differentiated by competing focuses (collaboration and influence, and defensive autonomy).28 The alliance-focused model presents small states with persuasive reasons to acquire cyber weapons. This applies both to balancing behavior (that is, joining an alliance against a threatening state) and bandwagoning (that is, entering into an alliance with a threatening state).29 The additional military resources provided by an alliance present greater opportunities for the exploitation of vulnerabilities caused by cyber weapons. In the event that a cyber weapon unwittingly targets a powerful third party, a small state may be less likely to be subjected to blowback if it is shielded by a strong alliance. Furthermore, cyber weapons may be a reasonably cost-effective contribution to an alliance; a great power could even provide preferential procurement opportunities for a favored ally.

New Zealand maintains a close military alliance with Australia and is a member of the Five Power Defence Arrangements. It also has recently signed cybersecurity agreements with the North Atlantic Treaty Organization and United Kingdom.30 The alliances above have focused on security and mutual defense rather than offensive capabilities. New Zealand does, however, have a policy of complementing Australian defense capabilities.31 This could be achieved through the acquisition of cyber weapons, so long as it was closely coordinated and integrated with the Australian military. Thus this model assesses state behavioral alignment as medium/high and cyber weapon support as medium/high.

The international cooperation model assumes that small states can exert influence by strengthening international organizations, encouraging cooperative approaches to security, and creating laws and norms to constrain powerful states.32 Small states acting under this model will favor diplomatic and ideological methods of influence. As such, they are less likely to acquire cyber weapons. Instead, it is more likely that they will try to regulate cyber weapons in a manner similar to the restrictions on biological and chemical weapons or by leading efforts to explicitly incorporate them into the international laws of warfare.

New Zealand usually pursues a multilateral foreign policy approach and is a member of multiple international organizations. It has a long history of championing disarmament and arms control, which conflicts with the acquisition of new categories of offensive weapons. This model assesses state behavioral alignment as high and cyber weapon support as low.

Both of the identity focused models (collaboration and influence versus defensive autonomy) are centered on analysis of a small state’s “security identity.” This develops from perceptions of “past behavior and images and myths linked to it which have been internalized over long periods of time by the political elite and population of the state.”33 This identity can be based around a number of disparate factors such as ongoing security threats, perceptions of national character, and historical consciousness. A state’s security identity can lead it toward a preference for either of the identity focused security models mentioned above.Regarding collaboration and influence, New Zealand’s identity strikes a balance between practicality and principle. It strives to be a moral, fair-minded state that advances what it regards as important values, such as human rights and the rule of law.34 It still wishes, however, to work in a constructive manner that allows it to contribute practical solutions to difficult problems. The acquisition of cyber weapons is unlikely to advance this model. Thus this model assesses state behavioral alignment as medium and cyber weapon support as low.

Despite its multilateral behavior, New Zealand retains some defensive autonomy and takes pride in maintaining independent views on major issues.35 Its isolation and lack of major threats have allowed it to retain a measure of autonomy in its defense policy and to maintain a small military. Its independent and pacifistic nature suggests that cyber weapon acquisition could be controversial. Thus this model assesses state behavioral alignment as medium and cyber weapon support as low/medium.

Table 1. Cyber Weapon Cost-Benefit Risk Matrix for New Zealand

 

Warfighting

Coercion

Deterrence

Defense Diplomacy

Benefits

Ability to complement military capabilities of allies

Cost effective offensive capability

Limited coercive ability from cyber weapons

Limited deterrence from cyber weapons

Deterrence from demonstrating effective cyber weapons via defense diplomacy

Feasibility

Allies may provide favorable procurement opportunities

Appropriate technical and intelligence resources exist

Appropriate technical and intelligence resources exist

Appropriate technical and intelligence resources exist

Appropriate technical and intelligence resources exist

Risks

Procurement may result in reduced funding for other military capabilities

Domestic opposition to acquisition of new offensive weapons

Cyber weapon acquisition may reduce international reputation

Cyber weapons exploitation relies on allied forces

High level of cyber dependence increases vulnerability to retaliation

Domestic opposition to acquisition of new offensive weapons

Security identity not reconcilable with coercive military actions

Procurement may result in reduced funding for other military capabilities

Cyber weapon acquisition may reduce international reputation

High level of cyber dependence increases vulnerability to retaliation

Procurement may result in reduced funding for other military capabilities

Cyber weapon acquisition may reduce international reputation

High level of cyber dependence increases vulnerability to retaliation

Lack of identified threats reduces ability to target and develop deterrent cyber weapons

Procurement may result in reduced funding for other military capabilities

Cyber weapon acquisition may reduce international reputation

High level of cyber dependence reduces deterrent effect

Step Five: Analyze Benefits, Feasibility, and Risk for Each Category of Cyber Weapon Use. The purpose is to first identify the benefits, feasibility, and risk of acquiring cyber weapons based on each category of potential use, as shown in table 1. Next this information is analyzed against the degree to which cyber weapon use may support different security models, as shown in table 2. This results in a ranking of the benefits, feasibility, and risk of each combination of cyber weapon use and small-state security model. This is followed by an overall recommendation or prediction for cyber weapon acquisition under each security model and category of cyber weapon use.

Table 2. Cyber Weapon Acquisition Matrix for New Zealand

Security Model

BFR

Warfighting

Coercion

Deterrence

Defense Diplomacy

Overall

Alliances

Benefits

Medium

Low

Low

Medium

Medium

Feasibility

Medium

Medium

Medium

Medium

Medium

Risk

High

Very High

High

Low

High

Recommendation/Prediction

Further Investigation

No

No

Further Investigation

Further Investigation

International cooperation

Benefits

Low

Low

Low

Medium

Low

Feasibility

Medium

Medium

Medium

Medium

Medium

Risk

High

High

High

Low

High

Recommendation/Prediction

No

No

No

Further Investigation

No

Identity and norms: collaboration and influence

Benefits

Low

Low

Low

Medium

Low

Feasibility

Medium

Medium

Medium

Medium

Medium

Risk

High

High

High

Low

High

Recommendation/Prediction

No

No

No

Further Investigation

No

Identity and norms: defensive autonomy

Benefits

Low

Low

Low

Low

Low

Feasibility

Medium

Medium

Medium

Medium

Medium

Risk

High

High

High

Low

High

Recommendation/Prediction

No

No

No

No

No

Step Six: Recommend or Predict Cyber Weapon Acquisition Strategy. The purpose is to summarize key findings, to recommend whether a small state should acquire cyber weapons, and to predict the likelihood of such an acquisition. The key findings are that New Zealand is unlikely to gain significant benefits from the acquisition of cyber weapons. This is due to its limited military capabilities, multilateral foreign approach, extensive participation in international organizations, and pacifistic security identity. Factors that could change this evaluation and increase the benefits of cyber weapon acquisition would include an increased focus on military alliances, the emergence of more obvious threats to New Zealand or its close allies, or a changing security identity.

Therefore, the recommendation/prediction is that New Zealand should not acquire cyber weapons at this time and is unlikely to do so. The framework’s output has considerable utility as a decision support tool. When used by a small state as an input into a strategic decisionmaking process, its output can be incorporated into relevant defense capability and policy documents. If cyber weapon acquisition is recommended, its output could be further used to inform specific strategic, doctrinal, and planning documents. It also provides a basis for potential cyber weapon capabilities to be analyzed under a standard return-on-investment procurement model. This would involve a more detailed analysis of benefits, costs, and risks that would allow fit-for-purpose procurement decisions to be made in a fiscally and operationally prudent manner.

Alternatively, the framework, which is low cost and allows a variety of actors to determine the likelihood of cyber weapon acquisition by small states, could be used as a tool to develop predictive intelligence. Furthermore, when the framework is used on a sufficient number of small states, it could be used as a basis for making broader predictions regarding the proliferation of cyber weapons. This would be particularly effective over geographical areas with a large concentration of small states. For more powerful states, this might indicate opportunities for increased cyber warfare cooperation with geopolitical allies, perhaps even extending to arms sales or defense diplomacy. Conversely, the framework could provide nongovernmental organizations and academics with opportunities to trace cyber weapon proliferation and raise visibility of the phenomenon among international organizations, policymakers, and the general public. These outcomes provide significant benefits to the broad spectrum of actors seeking stability and influence within the international order.

Conclusion

The evolution of the various domains of warfare did not occur overnight. Learning from and leveraging the changing landscapes of war required continuous investigation, reflection, and formative activities to achieve parity, much less dominance, with rivals. Treating cyberspace as the fifth domain of warfare requires a greater understanding of the battlespace than currently exists. This goes well beyond the technological aspects and requires the integration of cyber capabilities and strategies into existing defense doctrines. The framework we have developed has the potential to help guide this process, from strategic decision to procurement and doctrinal and operational integration. Similarly, its predictive potential is significant—any ability to forecast cyber weapon acquisition on a state-by-state basis and thus monitor cyber weapon proliferation would be of substantial geopolitical benefit. We further propose that decisionmakers of large, powerful states must not ignore the strategic impact that small states could have in this domain. We also remind small states that their geopolitical rivals may deploy cyber weapons as a means to advance national interests in this sphere of influence. Therefore, it is our hope that, as a result of clarifying the potential conflict space, future policies might be developed to control the proliferation of cyber weapons. JFQ

Daniel Hughes is a Master’s Candidate with a professional background in Defense and Immigration. Andrew M. Colarik is a Senior Lecturer in the Centre for Defence and Security Studies, Massey University, New Zealand.

Notes

1 Senate Armed Services Committee, James R. Clapper, Statement for the Record, Worldwide Threat Assessment of the U.S. Intelligence Community, February 26, 2015, available at <www.dni.gov/files/documents/Unclassified_2015_ATA_SFR_-_SASC_FINAL.pdf>.

2 United Nations News Centre, “Ban Praises Small State Contribution to Global Peace and Development,” 2015, available at <www.un.org/apps/news/story.asp?NewsID=43172#.Vp87nip96Uk>.

3 Paulo Shakarian, Jana Shakarian, and Andrew Ruef, Introduction to Cyber Warfare: A Multidisciplinary Approach(Waltham, MA: Syngress, 2013); Catherine A. Theohary and John W. Rollins, Cyber Warfare and Cyberterrorism: In Brief, R43955 (Washington, DC: Congressional Research Service, March 27, 2015), available at <www.fas.org/sgp/crs/natsec/R43955.pdf>.

4 Raymond C. Parks and David P. Duggan, “Principles of Cyber Warfare,” IEEE Security and Privacy Magazine 9, no. 5 (September/October 2011), 30; Andrew M. Colarik and Lech J. Janczewski, “Developing a Grand Strategy for Cyber War,” 7th International Conference on Information Assurance & Security, December 2011, 52; Shakarian, Shakarian, and Ruef.

5 Fred Schrier, On Cyber Warfare, Democratic Control of Armed Forces Working Paper No. 7 (Geneva: Geneva Centre for the Democratic Control of Armed Forces, 2015), available at <www.dcaf.ch/content/download/67316/…/OnCyber warfare-Schreier.pdf>; John Arquilla, “Twenty Years of Cyberwar,” Journal of Military Ethics 12, no. 1 (April 17, 2013), 80–87.

6 Stephen W. Korns and Joshua E. Kastenberg, “Georgia’s Cyber Left Hook,” Parameters 38, no. 4 (Winter 2008–2009).

7 P.W. Singer and Allan Friedman, Cybersecurity and Cyberwar: What Everyone Needs to Know (Oxford: Oxford University Press, 2014).

8 Parks and Duggan, 30.

9 Thomas G. Mahnken, “Cyberwar and Cyber Warfare,” in America’s Cyber Future, ed. Kristin M. Lord and Travis Sharp (Washington, DC: Center for a New American Security, 2011), available at <www.cnas.org/sites/default/files/publications-pdf/CNAS_Cyber_Volume%20II_2.pdf>.

10 Department of Defense (DOD), The DOD Cyber Strategy (Washington, DC: DOD, April 2015), available at <www.defense.gov/Portals/1/features/2015/0415_cyber-strategy/Final_2015_DoD_CYBER_STRATEGY_for_web.pdf>.

11 Joel Carr, “The Misunderstood Acronym: Why Cyber Weapons Aren’t WMD,” Bulletin of the Atomic Scientists 69, no. 5 (2013), 32.

12 Sebastian Schutte, “Cooperation Beats Deterrence in Cyberwar,” Peace Economics, Peace Science, and Public Policy 18, no. 3 (November 2012), 1–11.

13 Defence Diplomacy, Ministry of Defence Policy Papers Paper No. 1 (London: Ministry of Defence, 1998), available at <http://webarchive.nationalarchives.gov.uk/20121026065214/http://www.mod.uk/NR/rdonlyres/BB03F0E7-1F85-4E7B-B7EB-4F0418152932/0/polpaper1_def_dip.pdf>.

14 Andrew T.H. Tan, “Punching Above Its Weight: Singapore’s Armed Forces and Its Contribution to Foreign Policy,” Defence Studies 11, no. 4 (2011), 672–697.

15 David C. Gompert and Martin Libicki, “Waging Cyber War the American Way,” Survival 57, no. 4 (2015), 7–28.

16 Joseph S. Nye, Jr., Cyber Power (Cambridge: Harvard Kennedy School, 2010), available at <http://belfercenter.ksg.harvard.edu/files/cyber-power.pdf>.

17 Jim McLay, “New Zealand and the United Nations: Small State, Big Challenge,” August 27, 2013, available at <http://nzunsc.govt.nz/docs/Jim-McLay-speech-Small-State-Big%20Challenge-Aug-13.pdf>.

18 Joe Burton, “Small States and Cyber Security: The Case of New Zealand,” Political Science 65, no. 2 (2013), 216–238; Jean-Marc Rickli, “European Small States’ Military Policies After the Cold War: From Territorial to Niche Strategies,” Cambridge Review of International Affairs 21, no. 3 (2008), 307–325.

19 Ludwig Wittgenstein, Philosophical Investigations (Oxford: Basil Blackwell, 1958).

20 Statistics New Zealand, “Index of Key New Zealand Statistics,” available at <www.stats.govt.nz/browse_for_stats/snapshots-of-nz/index-key-statistics.aspx#>.

21 New Zealand Ministry of Foreign Affairs and Trade, “Foreign Relations,” March 2014, available at <http://mfat.govt.nz/Foreign-Relations/index.php>.

22 Ibid.

23 New Zealand Defence Force Doctrine, 3rd ed. (Wellington: Headquarters New Zealand Defence Force, June 2012), available at <www.nzdf.mil.nz/downloads/pdf/public-docs/2012/nzddp_d_3rd_ed.pdf>.

24 Andreas Reitzig, “In Defiance of Nuclear Deterrence: Anti-Nuclear New Zealand After Two Decades,” Medicine, Conflict, and Survival 22, no. 2 (2006), 132–144.

25 Defence White Paper 2010 (Wellington: Ministry of Defence, November 2010), available at <www.nzdf.mil.nz/downloads/pdf/public-docs/2010/defence_white_paper_2010.pdf>.

26 New Zealand Defence Force Doctrine.

27 Burton, 216–238.

28 Ibid.; Paul Sutton, “The Concept of Small States in the International Political Economy,” The Round Table 100, no. 413 (2011), 141–153.

29 Burton, 216–238.

30 Ibid.

31 Defence Capability Plan (Wellington: Ministry of Defence, June 2014), available at <www.nzdf.mil.nz/downloads/pdf/public-docs/2014/2014-defence-capability-plan.pdf>.

32 Ibid.

33 Rickli, 307–325.

34 McLay.

35 Ibid.

Featured Image: 13th annual Cyber Defense Exercise. (U.S. Army photo by Mike Strasser/USMA PAO)