Tag Archives: cyber

Standing Up the NIWDC with CAPT John Watkins

By Sally Deboer

CIMSEC was recently joined by Captain John Watkins, the first commanding officer of  the Naval Information Warfighting Development Center (NIWDC). Read on to learn about this new command’s role in shaping the U.S. Navy’s information warfighting skills and capabilities.

SD: We are joined by CAPT John Watkins, the first commanding officer of the newly opened Naval Information Warfighting Development Center. It is truly an honor to have you here. Before we begin, can you share a bit about yourself and your background?

JW: Thanks first and foremost for having me, it’s an honor for me as well. I came into the Navy in 1992 as a Surface Warfare Officer and completed various tours in engineering. I did that for roughly five years and really enjoyed it, but subsequent to those tours I attended the Naval Postgraduate School in Monterey, California where I achieved a Master’s degree in IT Management during which time I laterally transferred into the space and electronic warfare community. A few years transpired and that community was subsumed into the information professional community that we know of today, which comes with the 1820 designator.

Since being an IP, I’ve had multiple operational and staff tours, to include XO of USS Coronado, serving as N6 and Information Warfare Command on Expeditionary and Carrier Strike Group Staffs, and as the N6 on a Numbered Fleet staff. Staff tours have included time on the OPNAV and SURFACE FORCES staffs. I’ve been very fortunate and blessed to have had multiple command tours including NAVCOMTELSTA San Diego, Navy Information Operations Command Texas, and now just recently, my assignment here at the Naval Information Warfighting Development Center.  

SD: Let’s kick off by introducing our readers to your new command. Initial operating capability for the NIWDC was declared on 27 March 2017. Could you please explain the role of this warfighting development center, and specifically the mission of the NIWDC within the information domain?

JW: Like the other warfighting development centers (WDC), we are all focused on four primary lines of operation. First, we’re concerned with enhancing advanced level training. As you can imagine, in terms of NIWDC, that entails all of our information-related capabilities. The advanced level training for our units and forces in the fleet occurs at the latter stages of the optimized fleet response plan (OFRP). We’re heavily invested in that along with our fellow WDCs.

The second line of operation is the development of doctrine that allows us to achieve that advanced level of proficiency – doctrine including tactics, techniques, and procedures (TTPs), standard operating procedures (SOPs), higher level Concepts of Operation (CONOPS), or as necessary, revisions to Naval Warfare publications.

The third line of operation is to cultivate and develop a subject matter expertise known throughout all the WDCs as a ‘warfare tactics instructor’ or WTIs. Other WDCs have WTIs in place today, for example, the model that has been around longest is the Naval Aviation WDC, “Top Gun,” associated with advanced tactics for jet fighting, air-to-air combat, etc. What we want to do here at NIWDC is to build out our own WTI pipeline, which I think of as the “Information Warfare Jedi Knights” of the future; we’ll have quite a few WTI pipelines, as we have a broad spectrum of capabilities.

Last but not least, we’ll have an organic assessments capability built into the command which allows us to, in an OODA loop fashion, assess our advanced level training capabilities, our TTPs and SSPs, and our doctrine as we bake it into our training pipeline and processes, ensuring it is delivering optimal IW warfighting effects. Those are the four lines of operation that were promulgated to the WDCs, directed by the Chief of Naval Operations, in 2014.

SD: The traditional warfare Type Commanders (Air, Surface, Undersea) have established their own warfare development centers, as you mentioned. Given that IW is a critical enabler of other warfare areas, how do you envision the NIWDC interacting with the other warfare development centers? What key IW concepts and understandings should be incorporated by other communities?

JW: That’s a fantastic question. NIWDC just achieved IOC designation in late March, and the good news is that while we are the last WDC to be stood up, we already have IW community professionals, both enlisted and officer, arrayed across the other WDCs today, totaling about 150 people, who are working Information Warfare expertise into Naval warfighting. Even as we’re building up to this capability, our folks that have been embedded throughout the other WDCs have done a remarkable job laying the groundwork and foundation for us to come to fruition as the NIWDC. This is significant because the information-related capabilities that we bring to bear are so ingrained in all the other mission warfare areas of the Navy that we have to be interlinked with the other WDCs and visa-versa.

As we build up our capabilities here, we’d like to see the reciprocal detailing back and forth – where ideally we’ll have Surface Warfare Officers, Submariners, Aviators, etc., embedded and billeted to the NIWDC. That’s the future, and it’s absolutely imperative that we get to that point – to have that common back and forth day in and day out as we’re contemplating modern day warfare – it’s essential for us to understand the other warfare areas, their requirements, how our systems are interdependent, and how we have to operate in real time to optimize our overarching warfare capabilities.

SD: You recently stated, “a key objective of the NIWDC is to provide hard-hitting, fleet-relevant information warfighting effects…” Can you outline what some of those effects might be and what specific mission areas within Information Warfare (IW) they support? 

JW: I think the best way I can answer that question is to describe how we’re building out the command here today. We’ve established a headquarters staff that will manage seven core Mission Area Directorates, or what we refer to as “MADs.”

Those Mission Area Directorates include an Assured command-and-control and CyberSpace Operations MAD, a Space Operations MAD, a Meteorology MAD, an Intelligence MAD, a Cryptology MAD, an Electronic Warfare MAD, and an Information Operations MAD. Laying that all out, we can generate information warfare effects from any of those Mission Areas—but when combined, it becomes extremely optimal. It’s the traditional ‘sum of the parts’ principle.

As we develop our organization here, another big effort we’re putting into play in the larger Navy is the Information Warfare Commander construct, which is an organization led by a fully board-screened senior Information Warfare Community Captain (O-6). I’ll describe the construct at the tactical level for now because I think it will be the best way to articulate where we’re headed in employing our model. On a Carrier Strike Group (CSG) staff, for example, we have the Information Warfare Commander (IWC)—again, that board-screened IW Community Captain, who is providing leadership and oversight on core IW mission areas run by the N2 Intelligence Officer, the N39 Cryptologic Officer, the N6 Communications officer, and to the extent where we can get it into play, the Meteorological officer, who at the end of the day, all work for this O-6 IWC. The entire IWC organization works for the Carrier Strike Commander similar to a Destroyer Squadron or Carrier Air Group Commander.  

Where the synergistic effect really comes in is in information operations planning. If you think across typical phased wartime planning scenarios, the folks that are sitting down at the table in the IWC organization bringing their skills and attributes to the team while enabling holistic planning across all phases of warfare, achieve tremendous synergy and total awareness of the  interdependencies and linkages across their mission areas. This powerful effect cannot be overemphasized. Planning in individual stovepipes, i.e. within traditional N Head silos like the N2, the N39, N6 or Meteorology, is counterproductive in today’s modern warfare continuum. It’s essential that planning along these lines factors in and accounts for the coordination and integration of needs and requirements of our fellow Composite Warfare Commanders. When done correctly, we give our collective Navy team every advantage possible to win when we need to. Suffice it to say, I’m very excited about where we’re headed and how we’re going to make our phenomenal Naval warfighting prowess even better!

SD: There seems to be growing agreement that in future conflict, naval forces will not enjoy undisputed access to the electromagnetic spectrum. How will naval information warfare capabilities enable distributed operations when the spectrum required for C4ISR is being, denied, degraded, disrupted and subject to deception operations?

JW: That’s another great question that we are constantly focused on. We all acknowledge the fact that in modern warfare scenarios, the likelihood that we will have denied or degraded communications is a given. Frankly, it’s almost no longer an assumption—it’s reality. Simply put, we need to be able to retain organic capabilities as much as possible wherever we are, so that if we lose the link back to the beach, we can still function and fight.

To that end, we’ve got to be able to train, operate, and be proficient in fighting in those types of scenarios. We’re all about getting at that advanced level of necessary training here at the NIWDC.

SD: How do you propose addressing the acquisition and fielding of new information technology (cyber/EW/IW) and developing TTPs under the current DOD acquisition system?

JW: Acquisition is an evolving process, and I think acquisition reform surfaces quite frequently anytime we talk about the dynamics of advancing IT. The rate of advancement in technology is astounding, and the acquisition process needs to be agile enough to keep pace. To that end, we’ve looked for creative and innovative ways within our acquisition process to accelerate and expedite systems that facilitate IW warfighting effects and we need to continue doing so. NIWDC participates in many experimentation and innovation venues that help facilitate that speed-to-fleet dynamic and we’re excited to be a partner in those efforts.    

To your question about the TTPs and SOPs – when we introduce new tech to the fleet, it is important that we have TTPs and SOPs built into them from day one. We’ve got to be able to deliver a product that comes with robust training behind it so that when it’s delivered to the fleet, our sailors can put it into immediate effect. The TTPs and SOPs that accompany that capability need to be solid enough out of the gate so that we achieve immediate success from day one of fielding.  

On top of that, what I want to achieve at the NIWDC is the ability to refine and tweak TTPs and SOPs at a high rate – what I call the “wash, rinse, repeat” approach. There’s no reason we can’t take those TTPs and SOPs, have sailors put them into effect, provide their feedback to us if they’re not quite right and suggest course corrections, then update those on a continuous, OODA-loop basis until we have delivered optimal doctrine.

SD: Our adversaries approach the information space (IW/EW/cyber) holistically, blending electronic and information warfare with cyberspace operations, psychological operations, deception – and conduct these operations across all elements of national power (diplomatic, economic, legal, military, information). What steps are you taking to ensure the Navy is developing information warfare strategies, operational concepts, and TTPs that cut across all elements of national power?

JW: I’ll give you an example – that’s the best way I can answer this question – it’s a great question, but one you could spend an hour answering. Earlier in our discussion, we talked about the IWC construct. I’m a firm believer that if we get that instituted correctly and make it a robust organization with the goal of delivering those optimal IW effects that it will serve as the bedrock going forward across the Navy enterprise. We’ll look to institute that construct, as applicable, by using that optimized model at the tactical level and building out from there to implement at the operational and strategic levels.

Back to the point about our adversaries – when they’re exploiting all this goodness and delivering their effects, they are planning across the DOTMPLF (doctrine, organization, training, materiel, leadership and education, personnel and facilities) spectrum. We must do the same thing with our IWC Construct. At the NIWDC, in partnership with IFOR, this is one of our tasks – to perform this DOTMPLF analysis that will codify the IWC construct. We’ve been tasked by Fleet Forces Command and PACFLT to do just that – this will be one of our top objectives in the first years here at the NIWDC – to ensure we’re setting ourselves up for success for decades to come.

SD: Last but not least – if our listeners are new to information warfare, can you suggest any resources or reading materials that could help the less tech-inclined among us become more familiar with the domain and more ready to address its unique challenges?

JW: There are so many great reference materials, but perhaps the quickest way to answer that is to recommend your readers and listeners go to our command website and InfoDOMAIN, or our Navy News Web page or Facebook page. We have a lot of good products posted there – that would be a great start. We have some items posted there that are specific to the NIWDC, so if your readers want more information or a summary, they can find it there as well.

SD: Thank you so much for your time today, CAPT Watkins. It’s truly been an honor speaking with you, and we thank you for taking time out of your busy schedule to help educate us on your new command and the role of IW in the Navy and DoD going forward. We hope you’ll join us again sometime. 

Captain John Watkins is a native of California, where he went on to graduate from the NROTC program at the University of San Diego obtaining his commission in 1991. He joined the Naval Information Warfighting Development Center as the commanding officer in March of 2017.

Sally DeBoer is an Associate Editor with CIMSEC, and previously served as CIMSEC’s president from 2016-2017. 

Featured Image: Chief Fire Controlman Daniel Glatz, from Green Bay, Wisconsin, stands watch in the combat information center aboard the Arleigh Burke-class guided-missile destroyer USS John S. McCain (DDG 56). (Alonzo M. Archer/U.S. Navy)

Sea Control 133 – Hacking for Defense with Chris Taylor

By Matthew Merighi

Join the latest episode of Sea Control for a conversation with Professor Chris Taylor of Georgetown University to talk about the Hacking for Defense (H4D) movement. Pioneered by Stanford Professor Steve Blank, H4D is bringing Silicon Valley’s innovation ethos to combat national security challenges. Chris takes us through the defense innovation ecosystem, the partnerships which support it, and how H4D is becoming a fixture in university classrooms.

For those interested in learning more about H4D and the Silicon Valley principles which guide it, Chris recommended the following resources:

Download Sea Control 133 – Hacking for Defense with Chris Taylor

The transcript of the conversation between Chris Taylor (CT) and Matthew Merighi (MM) begins below. Special thanks to Associate Producers Roman Madaus and Ryan Uljua for helping produce this episode.

MM: As I mentioned at the top I’m here with Professor Chris Taylor of Georgetown University and a member Hacking for Defense. Professor Taylor, thank you very much for being with us on Sea Control today. Now as is Sea Control tradition, Professor Taylor, please introduce yourself tell us a little bit about your background and how you got to be where you are right now.

CT: I spent 14 years in the Marine Corps as an enlisted infantryman and force recon. I finished undergrad at night. I went to night school my last three years. I left the Marine Corps and went to business school at the College of William and Mary where I earned an MBA and worked for five years after that. I went back to school at the Harvard Kennedy School where I earned an MPA in political economy and international security. I’m a two-time defense industry CEO and as you mentioned I’m an adjunct professor of national security studies at Georgetown University.

MM: You obviously have a very broad array of different experiences both in the military, outside of it, leading businesses, but also a very diverse educational background. What were the key decision points in your life as you were building your career and your educational background that guided you on the path which you eventually went down?

CT: I spent 14 years in the Marine Corps. I wanted my bosses’ job at the time I was a staff sergeant. My boss was a Major. When I did the reverse math, I would have had to have spent 10 more years to get promoted to Major just to have that job. As I evaluated all of the fantastic experiences that I had in the Marine Corps and what it had done to develop me as a leader, I thought maybe there was a different way and I wanted a way to push my Marine Corps experience through some sort of framework. I chose business school. I don’t regret that at all, it was fantastic. I loved every minute of my 14 years in the Marine Corps but I loved business school. I had a fairly easy transition to school, I got out, worked for five years in the private sector and then decided with the same formula; I had five years of experience and I didn’t know what framework to push it through to get the most of out it or contribute the most with it. So I went back to grad school at the Kennedy School. I was very fortunate. I had fantastic classmates, fantastic professors. Secretary Ash Carter was actually my adviser. So I had access to brilliant national security minds helping me think through how my experience would allow me to contribute further. That led me to leading some businesses that were successful and now I’ve dipped my toe into the teaching part of life to see how my experiences could help push forward the next few generations of national security leaders. That’s how we got to be on the phone today.

MM: Let’s talk a bit about the educational piece. I have here on the hacking4defensegu.com general info page a class titled “SEST-701 Hacking for Defense: Solving National Security Issues with the Lean Launchpad,” which I kind of understand as a man with a security and startup background. Walk us through this title. What exactly is Hacking for Defense and why is the Lean Launchpad a part of solving national security issues?

CT: Hacking for defense was a name that came along with the package when I was first asked to participate. Most people when they hear it only think it’s about cyber; that’s not true. Think about it in the way you’d think of life hacks: easy and quick ways to get things done which result in great benefit. The Lean Launchpad is a class that legendary Silicon Valley entrepreneur Steve Blank has been teaching which is basically about how to create and run a startup. It came through a series of conversations that happened out at Stanford where Steve was teaching this with Pete Newell who is a retired Army Colonel and Joe Felter, also a retired Army Colonel. The thought was “how do we apply the Lean Startup methodology to national security challenges?” MD5, which is the national security technology accelerator at National Defense University run by [Adam] Jay Harrison, is the U.S. government proponent for the entire education program. I’ve known Pete and Joe for a number years and when they decided they were going to syndicate the class to universities across the country I raised my hand and said I wanted to bring it to Georgetown. We’re about to close out our first Hacking for Defense class on May 1.

MM: So this is just the first iteration of it?

CT: It’s the first iteration at Georgetown. Stanford begun their second iteration. There are others at U.C. San Diego, Boise State, University of Pittsburgh, and James Madison University.

MM: So the model is proliferating across different universities but it is still very new. Now that you are finishing your first session, from the feedback you’ve gotten from Professor Blank and the other institutions, how has the course been going so far? What have been the things that you expected and what has surprised you?

CT: First and foremost, the most exciting thing is that I have nothing but complete confidence in our graduate students across the country to solve national security problems going forward. Our class has been nothing less than stellar. They are smart, they are committed, they work well in teams, they’ve been doing lots of discovery. And they’ve been doing a lot to solve problems. It’s fantastic. The second thing is that what we’ve learned is that when you allow students to self-organize into diverse teams around a problem, you get exponentially better results than if you assigned them to a team and then assigned them a problem. We’re very clear that self-organization leads to the best outcomes. One of the amazing things about the Hacking for Defense class is that it’s actually a team of teams. The center is the student. Surrounding them are the teaching team: myself and Army Lieutenant Colonel Matt Zais, who is the Deputy Director of the Strategic Initiatives Group at U.S. Army Cyber Command, and my teaching partner.

Then we have a series of corporate partners. Companies like SAIS, Amazon Web Services, SAP National Security Solutions, and many others come every class to support the student teams if they get to a point where their problem-solving requires a specific resource, an engineering resource for instance, an instance in a cloud environment, or mentoring for how to think about a problem. We also have mentors who bring experience in the national security ecosystem and in business that they contact to discuss their problems and think differently. And then we have military and intelligence community liaisons. These are active duty military and people currently serving in the intelligence community who can ensure that these teams can reach out to people within the organizations they are working with, which we call their problem sponsors, to elicit as much information as they can to help solve the problem they have.

This semester, we are working on four problems. One is from Special Operations Command: it’s a cross-domain solution. The next is how to use augmented reality to help military and intelligence personnel see bad guys in unstructured crowds. The next one is a social media problem: how do we use social media from an information warfare perspective to better understand what our adversaries might be doing with social media against us. We also have a counter-drone problem. It’s all the rage; everyone is writing about counter-drone. We have a team that’s working on how to use low-cost solutions to counter drones, particularly drones you might see ISIS flying.

MM: That’s a really broad array of different topics. You mentioned at the top that this isn’t just about cyber but a very broad set of challenges. I’m curious about the people who are self-organizing in these teams, since I imagine this is offered through the Security Studies Program, correct?

CT: That is correct. The Security Studies Program (SSP) is where I teach. Bruce Hoffman and Dave Maxwell have given us exceptional support to continue doing this.

MM: In terms of the students who are in these teams, do they have technological backgrounds? Are they primarily ex-military or current intelligence officers? What are the demographics of the people participating in this?

CT: All of the above. We have tech folks. We have former and current military folks. We have data analytics folks. We have linguistics folks. We have policy folks. And then of course we have the SSP folks. The course is open to all schools and all programs across Georgetown University and next year we’re going to open up Hacking for Defense to all graduate schools and graduate programs in the National Capital Region. So instead of solving four problems next year we’re going to solve 40 problems. A bit ambitious and it keeps us moving but if we want to start to develop the capability to solve problems quickly, effectively, and cost-effectively, then there is no better group of talent than America’s graduate students to be able to help us do that. That’s why we are trying to expand it the way that we are.

MM: So this course will be open to everyone in the National Capital Region starting next year which, as a person who currently works in academia, I know that getting even simple things like cross-registration agreements handled can be a challenge, so best of luck to you as you navigate those minefields on the bureaucracy side; but it’s really exciting that so many people are getting engaged. The other method of engagement that I’ve noticed is that you livestream all of the lectures for this course, correct?

CT: Every class session is livestreamed on Twitter @h4dgussp and also on our Facebook Hacking4DefenseGeorgetown. Every week we put it out there. It’s kind of like our own national security reality TV show. We put it out there because we want people to see the quality of students that we’re attracting to this class and the difficulty of some of the problems that they’re working on because, quite frankly, for many of these students this is a 13-week job interview. Many of our corporate partners have reached out to our students and said “look, when this is done I’d really like to speak to you about this” and that’s because they’re doing it well. They’re digging in, they’re becoming better problem solvers, they’re becoming better team members, and they’re leveraging everything that they’ve learned in graduate school and everything they haven’t learned yet. They are learning on the fly to solving the particular problem they are working on.

MM: So you’ve seen firsthand the positive feedback loop of the organizations supporting the course wanting to continue getting access to the students and looping them into their own work.

CT: I just spent last Friday with one of our sponsors, OGSystems in Chantilly, Virginia where the CEO and two other executives sat us down and said “we want to be part of this forever.” And the reason is because we get to see some of the problems plaguing national security but the most interesting thing is that the talent sitting in that classroom is unbelievable. We have not seen that in any other classroom environment and so they, admittedly selfishly, want to find out how to hire the very best students out of Georgetown to become part of their companies. We’re ecstatic about that.

MM: Definitely. That’s always the concern, as a recent grad school graduate; the top of mind concern for those going through their final exams right about now. I’m curious that you have OGSystems and all of these other corporate partners and the military and intelligence liaisons. How did you go about building this diverse, multi-stakeholder team? It couldn’t have been easy to sell organizations, especially ones that aren’t as used to working with the military or with Georgetown in getting involved with this very ambitious, very unique program.

CT: It was a little bit of everything. A lot of it came from my own personal network from being involved in the business of national security for so long. Certainly the folks at Stanford at Hacking for Defense Incorporated (H4DI) were very helpful in introducing us to different folks who wanted to be involved. I’ve gotta be honest with you: it’s not a difficult sell. This is the coolest class being taught. If you’re any type of international relations, national security, diplomacy, government, or business geek at all this is the coolest class being taught anywhere. So it’s not a hard sell. But we want to get the right people involved because there are investors in the classroom as well. At the end of the day, if there’s a “there” for the solution that the student teams have come up with, either the government will give them some money to continue their work or they’re going to start a company and they’re going to get venture money to get it going. There’s nothing else like this happening around the country right now.

MM: What is the next step for Hacking for Defense, the course you in particular are teaching, besides expanding it to the other schools in the National Capital Region? What do you see as the vision for where you want this very unique and clearly very successful business model to go?

CT: I’m involved on the education side, so I want to continue working with the Hacking for Defense and H4DI folks out in Palo Alto and also with MD5 to make sure we can leverage all of the talent in the National Capital Region. There’s 16 different universities in the National Capital Region consortium and we want to take advantage of all of that graduate school talent across all of the schools and programs against the hard problems our problem sponsors are giving us. What we’re coming to find is that now there’s international interest. Oxford University has interest in forming a partnership at Georgetown. I know that the NATO representative at the Pentagon for Strategic Transformation, General Imre Porkoláb, is all over trying to bring this to NATO. From an education perspective, Georgetown will play a role in the National Capital Region. From an enterprise-wide perspective, a company out in Palo Alto called BMNT has the lead on bringing the Hacking for Defense methodology into government offices, corporations, and friendly and allied militaries. So there’s a corporate and commercial side to this with BMNT and there’s an education side and that’s H4D.

MM: And for the people who are out there, whether they are currently in the Fleet or listening to our partners at the University of Kiel in Germany or down in Australia, what would you recommend for ways for those people to get involved or to learn about your organization?

CT: First, I’m glad you mentioned Australia. One of our mentors for Hacking for Defense at Georgetown is a gentleman by the name of Jamie Watson and he is an Australian military liaison for innovation and technology. He’s actually helped bring Hacking for Defense to the Australian military already. So if you’re out in Australia, we’re coming to a base near you. BMNT is bringing it out there. If you are a member of the military or intelligence community and you have a particularly difficult problem and you don’t have the capacity to solve it yourself, they should go to H4DI.org and register as a problem sponsor. Darren Halford who runs H4DI.org will help them curate the problems and then get it in to the hands of the right university who can help them solve the problem. We want as many problems as the national security ecosystem can give us and we want to put as many talented graduate students against them as we can. But it has to start with a problem. So for anyone who has a challenge they want looked at, they should go to H4DI.org and start the process.

MM: Obviously the program sponsors and liaisons are very helpful for building this Hacking for Defense system but there are other innovation initiatives happening within the defense community or outside of it. What other organizations have you been working with and what sort of support, whether it’s financial or advocacy or guidance, have you been getting from outside the Hacking for Defense Initiative?

CT: Everyone has been supportive. [Defense Innovation Unit: Experimental] DIUx has been fantastic to us. The Defense Innovation Board has been very involved; Josh Marcuse and Aaron Schumacher from the Defense Innovation Board have been exceptionally supportive of us. The Defense Entrepreneur’s Forum (DEFx), run by Jim Perkins and Ben Taylor, have been all over us. They serve as mentors for us, they get the word out to the innovation community. They very much welcome this new thing into their innovation meadow and we all try to help each other make progress together. I can’t say enough about the Defense Innovation Board, DIUx, the Defense Entrepreneurs Forum, and the Vice Chairman of the Joint Chiefs of Staff General Selva’s office has been exceptionally supportive. And of course our friends at MD5: Jay Harrison, Joe Schuman, and Libbie Prescott have been fantastic to us, as has everyone out at Stanford. It’s a rockstar crew and we couldn’t be happier to be working with all of them.

MM: As you approached these organizations for the first time, were they receptive right off the bat and wanting to work on partnerships and provide support or was it something that you need to sell?

CT: It was not a difficult sell but I’ll tell you what sold everybody is inviting everybody to our opening class at Georgetown. We had 20 students but 113 people in the classroom. And they were all curious about how this Hacking for Defense program was going to work. At the end of the class, everyone was on board. We have routinely 80 people in the classroom every week for 13 weeks working on helping us get better. The corporate partners are fantastic, too. They step up every time. Once the different islands of innovation, like DIUx and Defense Innovation Board, saw it? Sold. It was kind of like finding a kindred spirit in the national security innovation wilderness.

MM: It’s very interesting what you’re working on but we’ve started to reach the end of our interview. As is Sea Control tradition, from time to time, I want to know more about what you’re reading. What things have you been reading recently that will either help the audience learn the ideas behind Hacking for Defense or even unrelated topics?

CT: Since we’re still in the semester, I am focusing on the books that we are using for Hacking for Defense. One of them is called Value Proposition Design by Alex Osterwalder. Steve Blank’s book The Startup Owner’s Manual is one of our texts and it is fantastic. His other book, Four Steps to the Epiphany, is also great. As I mentioned before, it’s important for students to understand how to better have conversations and elicit information so Talking to Humans is a great book. Personally, I just finished Ed Catmell’s book Creativity, Inc which was just amazing to me. I thought it was one of the best books on not only business management but also on how to think through problems. For national security stuff, I’ve become addicted to the Cypher Brief. They do really smart stuff by really smart people. It’s different from what everyone else is doing. I read it every morning.

MM: Everything you’re working on is wonderful. It’s exciting to me personally. I may go down the hall tomorrow when everyone is back to work after Patriot’s Day and talk to the people at the Security Studies Program at Fletcher about maybe trying to start a course like this. Thank you very much for the work you’re doing on behalf of the nation and world security. Thanks for being on Sea Control today.

CT: It’s absolutely my pleasure. Thank you.

Chris Taylor, a global business leader and entrepreneur, is a two-time national security industry CEO. A veteran of 14 years in the Marine Corps, he has an MBA from the College of William & Mary and an MPA from the Harvard Kennedy School of Government. Chris serves as an adjunct associate professor of national security studies at Georgetown University’s School of Foreign Service Security Studies Program where he teaches “The Business of National Security” and “Hacking for Defense.”

Matthew Merighi is the Senior Producer for Sea Control. He is also Assistant Director of Maritime Studies at the Fletcher School at Tufts University and CEO of Blue Water Metrics.

The Threat, Defense, and Control of Cyber Warfare

NAFAC Week

By Lin Yang Kang

The Internet has grown phenomenally since the 1990s and currently has about 3.5 billion users who make up 47 percent of the world population.1 Out of the 201 countries surveyed, 38 percent have a penetration rate of at least 80 percent of its population.2 The ubiquity and reliance on cyberspace to improve the efficiency and capability of government, military, and civilian sectors lead to the Internet of Things (IOT) for day-to-day operations and in this pervasiveness of the use of Internet lies the potential for devastating cyber-attacks.

This paper seeks to discuss the crippling effects and dangers of cyber-attacks and outline the defensive responses against and control of cyber warfare.

The lethality, and hence appeal of cyber warfare, lies in its asymmetric3 and stealthy nature. Little resource, such as teams of experienced hackers, is required to render a disproportional amount of devastating damage to the core and day-to-day operations of both the government as well as the military. Unlike conventional warfare where a military build-up and transportation of resources are tell-tale signs of preparation, cyber-attacks can be conducted without warning. In this regard, it is akin to covert operations, such as the use of Special Forces or submarines, with added advantage of not exposing soldiers to the risk of harm. Coupled with the inherent difficulty in pinpointing attribution,4 subjects of a cyber-attack are left with the choice of either doing nothing except to try to recover or to retaliate against the suspected attacker without concrete proof and lose moral high ground, neither of which is optimal.

An example of a well-coordinated attack demonstrating the covert nature of cyber warfare occurred in 2007 when the Estonian government and government-related web-services were disabled.5 Though no physical damage was inflicted, it created widespread disruption for Estonian citizens. While Russia was the suspected perpetrator, it was never proven or acknowledged. In 2010, it was discovered that Iranian nuclear centrifuges that are responsible for enriching uranium gas had been infected and crippled by a malware, codenamed “Stuxnet.”This successful insertion of this malware effectively set the Iranian nuclear program back for a few years and demonstrated an effective and non-attributable way7 to pressurize if not exert will without the use of military might as it achieved what the United Nations Security Council (UNSC) had hitherto failed to do, i.e., curtail the development of nuclear weapons by Iran.

The above examples illustrate the potential damage of small-scale and limited cyber-attacks. Extrapolating from these examples, it is conceivable that the damage from a successful large-scale cyber-attack on a well-connected country that relies heavily on IOT can range from disruption of essential services, crippling confusion and even operational paralysis of both government and the military. For the government, a cyber-attack across every essential means and aspects of daily living including but not limited to destruction of financial data, records and transactions, forms of travel, communication means, and national power grid create chaos and confusion resulting in psychological shock that will in turn sap the will and resilience of the citizens. For the military, the irony is that the more modern and advanced a military is with its concomitant reliance on technology and network centric warfare, the more vulnerable it is to a potential cyber Pearl Harbor attack that will render its technological superiority over its adversary impotent. Given the symbiotic relation between the government and the military, a successful simultaneous cyber-attack on both government and the military can achieve Sun Tze’s axiom that the supreme art of war is to subdue the enemy without fighting.

Given its unique nature and unmatched demonstrated potential for lethality, it is understandable the attractiveness of cyber warfare as an instrument of choice for all players, both state and non-state actors and even individuals. As with all other forms of warfare, the need for defense against should be proportional to the threat. It is a game of cat and mouse,8 where hackers seek to find security vulnerabilities while defenders attempt to patch them up as soon as they are exploited and redirect the attackers to digital traps, preventing them from obtaining crucial information or cause damages. Specialized cyber warfare military branches have been formed in many countries, and extensive cyber defensive measures and contingency plans are being developed by government, military, and civil sectors of states. Through inter-cooperation, potential attacks could be resolved in the shortest time possible and minimize disruption, while preventing future attacks. As the world begins to witness the increasing use of cyber warfare as a weapon, cyber-attacks may not be as easy to conduct as before as states that understand the lethality of such attacks seek to safeguard their nation.9

Beyond defense at the national level, there is a lack of well-defined norms on the rules of cyber warfare as the international law community is still interpreting how current law of war can apply to cyber warfare. Recently, Tallinn Manual 2.0 was published by NATO’s Cooperative Cyber Defence Centre of Excellence (CCDOE) and is to date the most detailed study of how existing international laws can govern cyber operations.10 However, it currently serves as a reference and is non-binding. It is crucial for nations to iron out the rules for cyber warfare together and abide by it, ensuring that it will not affect the lives of civilians and minimize potential damages to non-military installations by cyber-attacks and cyber warfare.

Cyber warfare is a real and growing threat which has the potential to create disruption that the world has yet to witness. As nations become even more reliant on cyberspace as it ventures into automation and smart cities, they need to invest adequately in cyber defense and ensure that this new frontier is well-guarded. Apart from dealing with it domestically, on an international level, rules of cyber warfare need to be clarified and be abided by the international community to safeguard civilians. Cyber warfare may be threatening, but if the international community abides by clarified rules of cyber warfare and has sufficient cyber defensive measures established, the potential devastation caused by cyber-attacks could be minimized.

Yang Kang is a naval officer from the Republic of Singapore and a freshman at the Nanyang Technological University (NTU) in Singapore currently studying Electrical and Electronics Engineering. Before attending NTU, Yang Kang underwent midshipman training in Midshipman Wing, Officer Cadet School of the Singapore Armed Forces and was appointed Midshipman Engineering Commanding Officer during the Advanced Naval Term, his final phase of training.

Bibliography

Barker, Colin. “Hackers and defenders continue cybersecurity game of cat and mouse.” ZDNet. February 04, 2016. Accessed March 28, 2017. http://www.zdnet.com/article/hackers-and-defenders-continue-cyber-security-game-of-cat-and-mouse/.

Davis, Joshua. “Hackers Take Down the Most Wired Country in Europe.” Wired. August 21, 2007. Accessed March 21, 2017. https://www.wired.com/2007/08/ff-estonia/.

Geers, Kenneth. Strategic cyber security. Tallinn: NATO Cooperative Cyber Defence Centre of Excellence, 2011.

Zetter, Kim. “An Unprecedented Look at Stuxnet, the World’s First Digital Weapon.” Wired. November 03, 2014. Accessed March 21, 2017. https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/.

“Cyber Warfare Integral Part of Modern Politics, New Analysis Reaffirms.” NATO Cooperative Cyber Defence Centre of Excellence. December 01, 2015. Accessed March 15, 2017. https://ccdcoe.org/cyber-warfare-integral-part-modern-politics-new-analysis-reaffirms.html.

“Global Cybersecurity Index & Cyberwellness Profiles Report.” April 2015. Accessed March 23, 2017. https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-SECU-2015-PDF-E.pdf.

“NATO presents the Tallinn Manual 2.0 on International Law Applicable to cyberspace.” Security Affairs. February 05, 2017. Accessed March 25, 2017. http://securityaffairs.co/wordpress/56004/cyber-warfare-2/nato-tallinn-manual-2-0.html.

“Internet Users by Country (2016).” Internet Users by Country (2016) – Internet Live Stats. Accessed March 20, 2017. http://www.internetlivestats.com/internet-users-by-country/.

“Internet Users.” Number of Internet Users (2016) – Internet Live Stats. Accessed March 20, 2017. http://www.internetlivestats.com/internet-users/.

“The Asymmetric Nature of Cyber Warfare.” USNI News. February 05, 2013. Accessed March 20, 2017. https://news.usni.org/2012/10/14/asymmetric-nature-cyber-warfare.

“The Attribution Problem in Cyber Attacks.” InfoSec Resources. July 19, 2013. Accessed March 25, 2017. http://resources.infosecinstitute.com/attribution-problem-in-cyber-attacks/#gref.

1. “Internet Users.” Number of Internet Users (2016) – Internet Live Stats. Accessed March 20, 2017. http://www.internetlivestats.com/internet-users/.

2. “Internet Users by Country (2016).” Internet Users by Country (2016) – Internet Live Stats. Accessed March 20, 2017. http://www.internetlivestats.com/internet-users-by-country/.

3. “The Asymmetric Nature of Cyber Warfare.” USNI News. February 05, 2013. Accessed March 20, 2017. https://news.usni.org/2012/10/14/asymmetric-nature-cyber-warfare.

4. “The Attribution Problem in Cyber Attacks.” InfoSec Resources. July 19, 2013. Accessed March 25, 2017. http://resources.infosecinstitute.com/attribution-problem-in-cyber-attacks/#gref.

5. Davis, Joshua. “Hackers Take Down the Most Wired Country in Europe.” Wired. August 21, 2007. Accessed March 21, 2017. https://www.wired.com/2007/08/ff-estonia/.

6. Zetter, Kim. “An Unprecedented Look at Stuxnet, the World’s First Digital Weapon.” Wired. November 03, 2014. Accessed March 21, 2017. https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/.

7. The United States and Israel were allegedly responsible for this cyber attacked but as with the Estonian example, it was never proven or acknowledged.

8. Barker, Colin. “Hackers and defenders continue cybersecurity game of cat and mouse.” ZDNet. February 04, 2016. Accessed March 28, 2017. http://www.zdnet.com/article/hackers-and-defenders-continue-cyber-security-game-of-cat-and-mouse/.

9. “Global Cybersecurity Index & Cyberwellness Profiles Report.” April 2015. Accessed March 23, 2017. https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-SECU-2015-PDF-E.pdf.

10. “NATO presents the Tallinn Manual 2.0 on International Law Applicable to cyberspace.” Security Affairs. February 05, 2017. Accessed March 25, 2017. http://securityaffairs.co/wordpress/56004/cyber-warfare-2/nato-tallinn-manual-2-0.html.

Featured Image: U.S. sailors assigned to Navy Cyber Defense Operations Command man their stations at Joint Expeditionary Base Little Creek-Fort Story, Va., Aug. 4, 2010. NCDOC sailors monitor, analyze, detect and respond to unauthorized activity within U.S. Navy information systems and computer networks. (U.S. Navy photo by Petty Officer 2nd Class Joshua J. Wahl)  

The Fight to Know

By Jack Whitacre

The relationship between the sea and information is ancient. In 480 BC, the Greeks learned of a secret naval invasion planned by the Persians. According to Simon Singh in The Code Book, the message was delivered steganographically on a covered tablet giving sufficient time to prepare for a defense that ultimately led to victory.1 Through information theory, the quantitative theory of coding and transmission of signals and information, we discover that information is a physical property of our reality and a resource to be guarded. In the words of Charles Seife, “Information is every bit as palpable as the weight of bullet, every bit as tangible as the heft of an artillery shell—and every bit as vulnerable as a freighter full of ammunition.”2

Today’s maritime security hinges on information. As Admiral (ret.) James Stavridis  argues, nowhere is the gap between threat (high) and defensive capability (low) as large as on the cyber front. Derived from ‘cybernetics,’ “cyber” loosely refers to information loops and everything that is connected to a computer network. The shipping industry (which feeds, fuels, and clothes our country) is growing increasingly connected to the internet and therefore more vulnerable to cyber attacks. New cyber technologies are also being used in the maritime field to solve climate and natural resource puzzles — both keys to long term human survival. Through cyber education and training, citizens and leaders can gain an edge in the digital world and invest themselves in solving some of the most pressing maritime security problems.

Oceanic Applications

Our relationship to the ocean has been transformed by cyber. As John C. Perry outlines in “Beyond the Terracentric,” the ocean can be seen as an avenue, arena, and source.3 Before the standard shipping container system was invented, ships were unloaded with back-breaking efforts of manual laborers. Today, cranes take care of the work, moving containers from the ship to the shore (and vice versa). Sometimes loading and unloading is done with humans operating joysticks, while in other places computer programs sift through the manifests and unload using algorithms. Automatic ports may be targeted by external actors looking to manipulate freight shipments for their benefit.

In 2016, The Economist and The Journal of Commerce chronicled the sagas of the Port of Long Beach, California and the Port of Rotterdam, Netherlands and their transitions towards automation. When viewing an operation with computerized manifests, automatic cranes, and even driver-less trucks moving containers, it is imperative to remember that what is connected can be compromised at every level. Such an interconnected world increases the opportunities for external targeting while raising the stakes for maritime security for the United States. Estimates show that ninety percent of the world’s goods are imported by sea.4 As a single example, each year more than $180 billion of goods (or 6.8 million containers) pass through the Port of Long Beach.5 A brief interruption in shipping made by a foreign government, company, or private individuals would likely ripple through a nation with economic effects reverberating up and down the supply chain.

On the bright side, new computer technologies may allow us to more easily monitor changes in ocean health conditions. With improved information, states and actors can ensure better protection for the ocean and fish that are crucial to industry and food supplies, especially in disputed areas. States can track each other and keep accountability through satellites and technologies like AIS (automatic identification system). New cyber capabilities like The Internet of Things (IoT) may allow us to revolutionize ocean data analysis and create new levels of environmental responsibility. Social entrepreneurship ventures like Blue Water Metrics now aim to crowdsource data collection via the world’s oceangoing shipping fleets and upload all the ocean data to a cloud database. Educating state leaders offers the best chance of maximizing the positive externalities of technological change, both in protecting natural resources and shipping assets.

Preparing Cyber Leaders

Increasing information literacy will improve competitiveness in nearly every field. Studying information theory, encryption, and coding with the same vigor as foreign languages may transform an individual’s field and personal career trajectory. In the book Dark Territory, Fred Kaplan describes how Cyber Command personnel grew from 900 to 4,000 between 2009 to 2012, and is expected to climb to 14,000 by the end of 2020.6 Established academic institutions could recognize certificate programs from organizations like Codecademy via transcript notations, which may improve educational and employment prospects.

 (March 25, 2011) – Aerographer’s Mate 3rd Class Nick Pennell, a watch stander at the Naval Oceanography and Anti-Submarine Warfare Center, looks over a Japan Self-Defense Force Mobile Operations sheet at Commander Fleet Activities Yokosuka (CFAY). (U.S. Navy photo by Mass Communication Specialist 3rd Class Mikey Mulcare/Released)

Cyber education can be seen both as a patriotic duty and as an economic opportunity. As far back as 1991 the National Research Council observed that “the modern thief can steal more with a computer than with a gun.”7 By educating tomorrow’s cyber leaders, institutions, and community, organizations can empower people to defend themselves intelligently against thieves and reinvent themselves by beginning careers in the digital world.

The Polaris of Programming

Not all innovation needs to be forward looking. In the evolutionary dance between encryption and decryption, centuries passed before certain “unbreakable” codes were broken. The Fletcher School at Tufts University combines international studies and the analysis of world events with cyber studies in its course Foundations of International Cyber Security. Scholar practitioners, such as Michele Malvesti, offer unique perspectives on the past and the pipeline of the future, including the importance of supply stream, deterrence, and attribution. Graduate-level cyber curricula can unlock strategic chess moves for governmental, citizen-led, and private organizations alike. Incorporating history in computer science education, like Harvard’s course Great Ideas in Computer Science, can provide fertile intellectual context where principles can be appraised and applied in modern contexts. Scientists throughout history, like Abu Yusuf Yaqub, Blaise de Vigenere, and Charles Babbage make great role models along with programmers like Ada Lovelace and RDML (ret.) Grace Hopper.

Conclusion

When programming is seen as an essential language, computer history as a strategic advantage, and information as an environmental and security opportunity, our digital tribe will be better able to overcome uncertainty and adversaries.

An entrepreneur and former boat captain, Jack Whitacre studied international security and maritime affairs at The Fletcher School of Law and Diplomacy. Contact him at James.C.Whitacre@gmail.com.

References

1. Simon Singh, “The Code Book: How to Make it, Break it, Hack it, Crack it,” 2001, p.8

2. Charles Seife, “Decoding the Universe,” p. 8

3. John C. Perry, “Beyond the Terracentric: Maritime Ruminations,” 2013, p.143

4. Rose George, “Ninety Percent of Everything: Inside Shipping, the Invisible Industry That Puts Clothes on Your Back, Gas in Your Car, and Food on Your Plate,” 2013.

5. Port of Long Beach. “Facts at a Glance.” The Port of Long Beach: The Green Port. The Port of Long Beach. February 8th, 2017. http://www.polb.com/about/facts.asp

6. Fred Kaplan, “Dark Territory: The Secret History of Cyber War,” 2006, p. 4

7. Ibid.

Featured Image: The Port of Los Angeles in Feb. 2013. (Tim Rue — Bloomberg/Getty Images)