IHS Jane’s International Defence Review

Zeros and ones: tackling cyber at the tactical edge

Publication: International Defence Review
Last posted: 2013-Nov-05

The rise of network-enabled capabilities has been a two-edged sword, offering ever-swifter decision-making and action, but also raising the spectre of vulnerability through reliance. Anika Torruella reports on how those concerns threaten strategic and tactical capabilities.

Weapon systems, intelligence, surveillance and reconnaissance (ISR) equipment, communications infrastructure and assets such as aircraft and tanks, together with their respective command-and-control systems, are increasingly intrinsically dependent on sophisticated electronic componentry for datalinks and network connectivity.

These building blocks of the modern information age enable cloud services, signal layering and fusion, real-time digital information sharing and analysis, access to graphic processing unit (GPU)-linked servers, geo-location targeting, high-throughput satellite communications architecture, blue-force tracking, stealth technology, remote detection and identification, and remotely controlled engagement and evasion, tools key to situational awareness superiority, operational supremacy and information dominance.

However, while digital connectivity enables networked force multipliers, this reliance on systems and equipment has inherent exploitable vulnerabilities. Modern warfare, in many arenas, has eclipsed the need for the physical occupation of territory and access points to instigate battle strategies of disruption, confusion and delay, as they can now be accomplished in cyberspace.

Francis Cianfrocca, founder, chairman and chief executive officer of Bayshore Networks, told IHS Jane's that "cyber is now recognised as one of the [domains] of war so that means that [defence departments] are very eager and very focused in acquiring expertise to manage cyberspaces".

State actors such as China, Iran, Russia, and the United States have the overt capability to control, spoof, circumvent or disrupt information systems that have strategic military value, largely anonymously. More recently, commercial off-the-shelf software has allowed nation states with even meagre conventional means of warfare to wage theoretically bloodless offensive campaigns against well-established powers.

Military deception (MILDEC), psychological operations (PSYOP), communications interception, signals analysis and decryption, theft and destruction of information and productivity corruption have a long-established history. Lessons learned from the 2007 Estonia and 2008 Georgia-Ossetian attacks, which caused widespread economic and psychological disruptions, and the more recent information system compromises inside QinetiQ North America (2007-10), NASA, the Pentagon (2011), and Lockheed Martin illustrate that cyber attacks such as spoofing, denial of service, ghosting, website defacement, misconfigured services, keylogging, brute-force password cracks and drive-by downloads are as viable a strategic military option as physical industrial sabotage and espionage.

"That shows you the impetus for cyber war: to destabilise infrastructure. It's another [domain] of war, really, and an objective that people have been pursuing that goes back to the early 1980s at least, if not even earlier. But the rise of computer networks - which everyone knows about - over the last 10 years has just opened the attack surface and created some tremendous vulnerabilities," said Cianfrocca.

Copyright © IHS 2013. All rights reserved. IHS Jane’s International Defence Review. Reproduced with permission.

William Mabon, director of the Cyber Security Product Portfolio at BAE Systems, told IHS Jane's that "it's the same kind of communication protection that people thought about in [the Second] World War. But with electronic networks, it's much more dense. The value of the information is much higher, because again, machine-to-machine communications enables much more rapid and fluid control over mission objectives and the actual battlespace environment," Cianfrocca agreed.

Cyber warfare appears to offer the proponent specific advantages over conventional physical tactics. Attacks can be launched from a remote location. Physical damage to critical infrastructures, such as civilian and media communication facilities or cellular networks, can be limited, and industrial sabotage can be accomplished without local access. Additionally, attacks are largely unattributable and usually bloodless - however costly to reputations and balance sheets - mitigating a nation-state response.

Military forces are still scrambling to understand and struggling to define the multi-dimensional and omni-directional nature of the information environment (IE) and cyberspace battlefield, as well as their own information-related capabilities (IRC) and the IRC of their asymmetrical and peer-to-peer adversaries (state and non-state). As a result, most current military doctrines are struggling to remain relevant with rapidly changing technology and cyber-warfare capabilities.

The NATO Cooperative Cyber Defence Centre of Excellence located in Tallinn, Estonia, was established in 2008, and in 2011 NATO approved a revised Policy on Cyber Defence and an associated Action Plan.

In 2012, a EUR58 million (USD80 million) contract was awarded to establish a NATO Computer Incident Response Capability (NCIRC) Technical Centre in Mons, Belgium. About 2,500 confirmed serious attacks on NATO computer systems installed at 55 global locations occurred in 2012 and attacks on NATO defence systems are only expected to grow more numerous, frequent and sophisticated.

This year, a core network-defence management infrastructure and analytical capability was installed at the NCIRC.

In the United States, the Obama administration classified cyberspace as strategically important to national security in 2009, and stood up the US Cyber Command (USCYBERCOM) in 2010. Then, in November 2012 the US Joint Armed Forces released a doctrine regarding Information Operations (IO) and the Information-Influence Relational Framework, which outlined key IO complementary capabilities such as Operations Security (OPSEC). It also covered: processes designed to mitigate "risks associated with specific vulnerabilities in order to deny adversaries critical information and observable indicators"; Information Assurance (IA) or protection of "infrastructure to ensure its availability, to position information for influence, and for delivery of information to the adversary"; counter-deception; physical security; electronic warfare (EW) or the use of the electromagnetic spectrum (EMS) to identify and locate threats and shape, disrupt or exploit the enemy's use of the EMS.

In addition, it expanded to cover Cyberspace Operations (CO), which denies or manipulates adversarial decision-making through information mediums such as access points, encrypted messages or a cyber-persona; and Military Information Support Operations, which subsumes activities previously known as PSYOPS and MILDEC. The latter is defined as "actions executed to deliberately mislead adversary decision makers, creating conditions that will contribute to the accomplishment of the friendly mission".

With increasing reliance on cyber technology, the confidentiality, integrity and availability of linked networks also increases in importance. Against this background, network resilience is key to safeguarding essential operational data and consequent information gathering and analysis. "So, what you really care more about is integrity ... protecting the integrity of the systems and protecting the availability," said Cianfrocca.

Traditional firewalls, next-generation firewalls and heavy encryption services build logical barriers around critical control system networks and monitor, shape or usurp suspect or unauthorised access. However, even if very little logical connectivity exists, malicious or unintentional misuse by an operator can compromise the systems. Or breaches may occur by an undetected piggyback through an "essential" connection.

Previous attacks have largely targeted unclassified networks and systems, which nevertheless still contained sensitive information such as military maps, troop configurations, technological schematics, source code for proprietary software and detailed papers on scientific research, testing and development. Targeted systems typically also provide logistical support to armed forces.

Recent interest in 'perimeterless' single security and data-centric architectures - designed to protect data rather than networks, improve command-and-control capabilities and encourage increased information sharing - has fuelled a desire to possibly eliminate firewalls altogether, as announced by the US Defense Information Systems Agency (DISA) in June 2013.

The Idaho National Laboratory staged '' in 2007, a simulated cyber attack that demonstrated how control of a previously internally closed control system with access to rotating machinery, such as generators, pumps, turbines, valves, switches or circuit breakers, when shifted to a networked SCADA system that enables remote operation, could be usurped and exploited to self-destruct.

Networked or digital weapons, equipment and vehicles may also be more directly susceptible to sabotage, foreign influence, and loss or corruption of command and control through the introduction of by whatever means.

"If you go back many years, I mean a couple of decades, soldiers especially in the special ops units, were deploying on the battlefield, or in hostile areas, with communications equipment and computers already. And this threat against us then was very low because not many people had computers," said John Bumgarner, a former US Army intelligence officer and chief technology officer at the US Cyber Consequences Unit, an independent, non-profit research organisation that investigates the strategic and economic consequences of possible cyber attacks. "Now everyone in the world pretty much has a computer and anyone in the world can potentially launch an attack."

Most of the focus so far has been on strategic-level infrastructure and attacks away from the tactical edge. However, worst-case scenarios exploit vulnerabilities in networked targeting and global positioning systems, thermal-imaging devices, communication components or internal power regulated by digital communication, information and weapon system suites, such as the PTK (Programno-Tekhnicheskiy Kompleks) aboard Russian T-90S and T-80U main battle tanks.

Certain radio-frequency identification (RFID) tags, which use UHF and are therefore vulnerable to EW, could also be reprogrammed to track components or supply pallets. Even computerised shore-to-ship cranes with embedded operating systems such as Microsoft Windows XP could be exploited, disabled or damaged, causing obvious strategic delays and hampering offloading operations.

"The question there," Bumgarner continued, "is 'can some unknown factor influence an operation on the ground?' And that's the big question. That's a real important question".

Cianfrocca agreed: "Communications is not just between people and people, it's between machines and machines." He went on to say, "When you are preparing for conflict or for war, you usually think in terms of operational supremacy: having the ability to go into a conflict situation knowing that you are going to have decisive advantages. [That is currently] completely impossible in cyberspace".

Military operators often brush off the potential threat to their systems from cyber attacks, citing their long-standing understanding of the need for encryption and historically standalone, stove-piped networks. However, evidence is building that it is unwise to be too complacent about the need to defend against emerging threats.

In December 2009 an unsecured downlink from a US military unmanned aerial vehicle (UAV) was intercepted by Iraqi insurgents using a USD25 piece of file-sharing software, called 'skygrabber', originally developed to intercept satellite television feeds. In 2010 Hizbullah leader Hasan Nasrallah claimed that intercepted video from an Israeli UAV helped the force ambush and kill 12 Israeli commandos in southern Lebanon in 1997. In December 2011 Iran claimed it hacked the GPS signal of a US Lockheed Martin RQ-170 Sentinel UAV and landed it near Kashmar, about 225 km inside northeastern Iran, and then 12 months later Iranian television broadcast footage of a Boeing ScanEagle long-endurance UAV, which they claimed had been hacked by Iran.

Since the 1990s, operators have known UAVs are vulnerable to cyber attacks such as jamming or spoofing, but a third threat, the susceptibility of UAV software to malicious code, is a relatively new consideration. In late 2011 keylogging malware infected networks at US Air Force (USAF) UAV ground control stations at Creech Air Force Base in Nevada, and it proved persistent and difficult to remove.

Originally, encryption systems were considered unnecessarily cumbersome for UAVs deployed to Afghanistan in 2001, and the Remotely Operated Video Enhanced Receivers (ROVERs) that were to receive and display UAV footage were also deployed too rapidly to receive costly encryption. However, that assumption was swiftly disproved and the United States started a fleetwide security retrofit that is expected to be completed in 2014. The ROVER Common Data Link (CDL) waveform, which is used to transmit video and remote instruction, must also be upgraded with the Advanced Encryption Standard and the triple-Data Encryption Standard and enabled to handle encrypted signals.

It is inherently difficult to provide enterprise protection for large groups of individuals used to ubiquitous internet access. Despite countless trials and IT policies banning the use of removable storage devices, tight web controls and so forth, many commercial organisations have given up trying to stop infiltration, looking instead to quarantine invaders and stop them causing damage or getting out of the network. That policy may prove unpalatable to military operators with lives potentially on the line.

In a survey of 200 senior IT security professionals at the 2013 Black Hat digital security conference in Las Vegas, Nevada, 52% were not confident that their IT staff could detect the presence of an attacker who attempts to breach their network or extract private data, and 58% of respondents believed the United States was losing the battle against state-sponsored attacks. Worse still, 74% were not confident that their own professional network had never been breached by a foreign state-sponsored attack or an advanced persistent threat (APT), and 96% believed that the hacking landscape was going to get worse over time. Black Hat attendees typically comprise corporate, government, academic and underground operators and researchers.

"If you are going to be attacked, if you are concerned about attacks from adversaries, political opponents, geo-political opponents, you know, your enemies in war, it really is essentially impossible to run a very large global network without points of contact through which bad actors can enter," said Cianfrocca. "There is so much heterogeneity in these environments and so many points of contact."

Philip Lieberman, President and CEO of Lieberman Software, said in a company press release: "The majority of organisations are prepared for amateur and low-level criminals, but are completely ill-equipped to deal with today's advanced nation-state foes. The most dangerous threats are highly personalised attacks designed for one-time use against specific individuals. Many state-sponsored attackers can now create perfect email attacks to insert remote control software onto corporate networks. Most corporations and government agencies would benefit from better security training, documented security processes, and enterprise-level products that can manage and secure powerful privileged accounts that grant access to critical IT assets."

"It's all about being able to have some confidence, have some knowledge that the systems you are fielding are going to be [superior]. Because you know they will be attacked, you know they will be compromised. The question is 'How do you get them back?', 'How do you make some precise statements in real time about what parts of your network are reliable and what parts are not?' And that's a very dynamic picture," agreed Cianfrocca.

As state-sponsored cyber attacks increase, military forces must re-examine their decision-making and response doctrine as countries around the world build defensive and offensive cyber strategies.

Brazilian Defence Minister Celso Amorim announced a strategic partnership with Russia on 16 October to establish working groups involved with cyber security, space technologies, and joint technology development.

India's defence minister A K Antony announced in May 2013 the proposed establishment of a centralised national Cyber Command and Control Authority to assist with addressing the country's cyber challenges. The proposed command would come under the national security adviser.

The following month, Singapore announced the creation of a centralised Cyber Defence Operations Hub, largely in response to a growing spat with Indonesian hackers who had launched denial-of-service attacks on government and public sites. Little firm information has emerged about the exact scope and capabilities of the organisation, but the hub is to detect, identify, contain and deter evolving cyber threats to military networks and industrial infrastructures. It is an inter-agency entity, with plans to collaborate with the Singapore Infocomms Technology Security Authority, the Singapore Armed Forces, the Ministry of Defence and the defence technology community.

South Korea's defence ministry established a cyber-warfare command of about 400 in January 2010. In 2011 it announced the creation of a cyber-warfare school in collaboration with Korea University, which will admit 30 students a year under scholarship. Graduates must serve seven years in the Republic of Korea Armed Forces as specialists in cyber-warfare units. Current cyber-technology training of younger students occurs in 10-year programmes at Kim Il-sung Military University, Mirim University or Kim Chaek University of Technology.

According to a report by the South Korean think-tank the Police Policy Institute, the Reconnaissance General Bureau and United Front Department of North Korea have engaged about 3,000 cyber-warfare experts, about 200 of whom use servers based in 19 countries to launch cyber attacks.

Despite all of this, McAfee Labs published a report in 2013 suggesting that the cyber attacks on 20 March that wiped the master boot record (MBR) of 32,000 computers at South Korean financial institutions and news agencies were "a covert espionage campaign" and a highly co-ordinated APT that targeted only South Korea, using Korean-language resources in its malware's binaries.

In its 2013 annual report to US Congress - titled 'Military and Security Developments Involving the People's Republic of China' - the US Office of the Secretary of Defense discussed expanding sets of roles and missions in support of the Chinese People's Liberation Army (PLA) including "military cyberspace capabilities that appear designed to enable anti-access/area-denial (A2/AD) missions (what PLA strategists refer to as 'counter-intervention operations')."

A February 2013 report by Alexandria, Virginia-based information security specialist Mandiant suggested that not only is the Shanghai-based 2nd Bureau of the PLA General Staff Department, known as Unit 61398, a likely government-sponsored APT, but it is also one of the most prolific APTs, one "that has conducted a cyber-espionage campaign against a broad range of victims since at least 2006 compromising technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, emails, and contact lists of 141 companies spanning 20 major industries", and "is one of more than 20 APT groups with origins in China".

In an October report surveying internet traffic on servers in 175 countries and regions monitored by internet cloud services provider Akamai, "Indonesia grew its share of observed [cyber] attack traffic, nearly doubling from the first quarter, growing to 38% and pushing China down to second place, with 33% of observed attack traffic." China and Indonesia now account for about half of global cyber-attack traffic.

In May the UK government announced its intention to invest GBP7.5 million (USD12 million) to create cyber-security research and education centres of doctoral training at Oxford University and Royal Holloway University of London. Of that, GBP5 million will be funded by the Department for Business, Innovation and Skills and GBP2.5 million in funding will come from the Engineering and Physical Sciences Research Council as part of the UK Cyber Security Strategy (Action 10).

In July 2013 UK Minister for Defence Equipment, Support and Technology, Philip Dunne, announced a joint government and industry Defence Cyber Protection Partnership, which will include the Centre for the Protection of National Infrastructure, Government Communications Headquarters, the Ministry of Defence and nine companies. The latter draws in BAE Systems, BT, Cassidian, CGI, Hewlett Packard, Lockheed Martin, Rolls-Royce, Selex ES and Thales UK. The partnership intends to meet "the emerging threat to the UK defence supply chain by increasing awareness of cyber risks, sharing threat intelligence and defining risk-driven approaches to applying cyber security standards".

"As part of this commitment we are extending our National Cyber Security Programme by a further year, investing an additional GBP210 million on top of the GBP650 million provided in the Strategic Defence and Security Review in 2010," Dunne said in a speech at the 3 July National Security Summit. He went on to say "we have also allocated a further GBP70 million over the next four years from within our own budget for improving our cyber-defence capabilities".

Then, in September he underlined his perception of the importance of tackling cyber, telling an audience at the DSEI exhibition in London that "security depends crucially on the links between the electronics and defence sectors, where cyber in many ways is becoming a fourth environment along with maritime, land and air".

Part of the UK's response will see it stand up a Joint Cyber Reserve Unit that is looking to recruit civilian hackers and IT specialists on a similar footing to active reserve forces.

The USCYBERCOM is a sub-unified command of US Strategic Command and consists of Cyber National Mission Force, Cyber Combat Mission Force (assigned to the operational control of individual commanders), and the Cyber Protection Force, which helps operate and defend the Defense Department's information environment. It consists of approximately 834 active-duty military, civilians and contractors with a budget of about USD191 million for Fiscal Year 2013.

In July 2013 US Deputy Defense Secretary Ashton Carter announced plans to increase the USCYBERCOM by roughly 4,000 people in 40 teams, 27 focused on defence and 13 focused on offensive operations. Speaking at the 4th Annual Cybersecurity Summit, Army General Keith Alexander, commander of USCYBERCOM, detailed five aspects of cyber security that the NSA and Cyber Command are working to improve. These comprise: training a ready force with technical skills through exercises such as Cyber Guard and Cyber Flag to develop working relationships, tactics, techniques and procedures; moving from legacy information technology architecture to a more defensible architecture, such as the cloud architecture in DISA's Joint Information Environment; shared situational awareness, which would help develop a common operational picture that could be shared with US agencies and allies; and increased government and industry collaboration, which is especially critical as industry owns and operates 85-90% of US networks. The final element is to involve authorities such as Congress to develop legislation regarding cyber security and private industry, information sharing and liability protection.

Within this new landscape an important reality must be realised: cyber warfare is neither theoretical nor imaginary. High-tech conventional warfare now operates in concert with swift, stealthy and unattributable cyber and information operations, often as a precursor to kinetic hostilities.

"Constructing a picture of the health and reliability of an operational network, be it for wartime or industry or anything, it's very dynamic because the nature of the threats is so dynamic. And that really is a new thing. That's new thinking and requires new technology," said Cianfrocca.

Military systems need to be designed to limit their exposure to disruption or destruction from cyber attacks. Infrastructure command-and-control software must be examined to limit vulnerabilities and there is a pressing need to reassess traditional warfare doctrine as governments are struggling to find proper organisational responses.

IRAN ON THE OFFENSIVE

Most of the government interest in military cyber around the world is overtly focused on 'defence' and there is still a high degree of sensitivity surrounding offensive cyber capabilities. Additionally, industry organisations such as Cassidian - one of the UK Ministry of Defence's key cyber partners - firmly tell IHS Jane's that they have no offensive capacity.

One of the rare exceptions to this is Iran, which is proud of its more proactive stance. In March 2012 Iran's supreme leader, Ayatollah Ali Khamenei, announced the establishment of the Supreme Cyber Council to develop and implement a cyberspace strategy. Then, in December of that year, Massoud Jazayeri, the Armed Forces General Staff Basij Affairs and Defense Culture Deputy of Iran, followed up by announcing the establishment of a headquarters for Iran's 'soft war' stature, which also oversees cyber defence.

Two years before, in November 2010, Iranian Students' News Agency (ISNA) reported that Islamic Revolutionary Guard Corps (IRGC) commander Hossein Hamedani said "the Basij Cyber Council has trained 1,500 cyber-warriors" and Iran has acknowledged the existence of a 'cyber corps' within the IRGC. The latter has already been linked to the July 2012 'Mahdi' cyber-espionage attacks, discovered by Russia's and Israel-based .

Iran has also been linked to the August 2012 '' cyber attacks that wiped the MBRs of more than 30,000 computers at Saudi Arabian oil producer Aramco, incapacitated the website and e-mail servers of Qatar-based natural gas exporter RasGas; and in October 2012 undertook denial-of-service attacks on 10 US banks. Israel-based think-tank the Institute for National Security Studies (INSS) estimates that Iran has allocated about USD1 billion to develop and acquire cyber technology, recruit and train cyber experts and invest in defensive mechanisms. Other national institutions specialising in cyber capabilities include the Technology Cooperation Officer under the president's bureau, which initiates information technology research projects and has been identified by the European Union as involved in the Iranian nuclear programme. Additionally, the MAHER Information Security Center managed by the Communications and Information Technology ministry operates rapid response cyber teams in case of emergencies and the Passive Defensive Organisation (under the Cyber Defense Command) is comprised of military personnel and government representatives and aims to develop a defensive cyberspace doctrine.

Iran's offensive cyber capabilities are understood to include installing malicious code in counterfeit computer software, blocking computer communications networks, viruses and tools for penetrating computers to gather intelligence, and tools with delayed action mechanisms or connections to control servers.

Reports from INSS, Middle East Media Research Institute (MEMRI), a not-for-profit press monitoring organisation, and Recorded Future (a forecasting and web analysis software company) have also suggested links between the IRGC and prominent Iranian and global groups such as the Ashiyane Digital Security Team, the Basij, Hizbullah Cyber Army, , Parastoo, Qassam Cyber Fighters, Shabgard, Simorgh, and Virtual Jihad.
