Monday, December 7, 2015

Network Combat

Offensive cyber attacks.  This is what several recent posts have been dealing with and now the Air Force is providing proof that it’s all realistic and relevant.  A Breaking Defense website article discusses the Air Force’s use of a modified EC-130 Compass Call aircraft to conduct remote, wireless hacking (“manipulate” is the word used in the article) of enemy networks (1).  If true, this kind of ability to get inside an enemy’s network is immensely valuable.  Think about our own [over]dependence on networks and what successful attacks on them would do to our warfighting capability.

Let’s consider this capability from both an offensive and defensive perspective.

Offensively, the ability to remotely and wirelessly manipulate an enemy’s data and networks offers the opportunity to not only remove a great deal of command and control oversight but also to disrupt defensive AAW networks, radar and sensing networks, and general data transfer capabilities.  This could, theoretically, push combat back to the local, manual level where any given weapon has only its own immediate sensor awareness, if even that. 

Consider a hypothetical A2/AD zone.  The zone is effective due in part to the number of enemy assets physically contained in the zone but also, perhaps more so, due to the networking of sensors and weapons such that the entire zone functions as a single defensive entity.  If we can break that single entity functionality we can isolate and overwhelm select assets and areas to achieve specific objectives.  The zone becomes transformed from a single entity to a collection of individual sensors and weapons operating on their own, largely unsupported in any coordinated way.

While the article was about the Air Force’s efforts to mount such a capability from an aircraft, it’s not hard to imagine the same capability being deployed from a submarine.  A slow, defenseless aircraft is going to be limited as to how closely it can approach an enemy but a submarine is unlimited. 

Of course, the size and weight of the required equipment is unknown.  Does it require an entire large aircraft to house it or is it just an IPad hooked into a transmitter and could be mounted on any aircraft or individual soldier?  How many people are required to operate the equipment or is the process totally automated?  Could a small aerial or subsurface drone house and operate the equipment?  Those are important questions and I doubt we’ll have any public information about this for quite some time.  The fact that the Air Force chose to modify an EC-130 suggests that the required equipment, power, and manning is somewhat substantial.

Defensively, we need to recognize that what we can do, so too can our enemies do to us.  We’ve touched on this in recent posts.  We discussed EMCON concerns (see, “Combat in the Information Age”).  We need to realize that EMCON is a two way street.  Not only do we need to avoid electronic emissions as a means of avoiding detection but we need to shield our equipment from incoming signals to avoid the very remote, wireless cyber attacks that we’re talking about now.  Currently, most of our equipment is not well shielded to prevent outgoing emissions but it is woefully unshielded against incoming signals.  Every electronic device on a ship must be considered a potential portal through which an enemy can attack.

We also discussed the concept of networks as a critical center of gravity for the Navy and also as a critical vulnerability (see, "Center of Gravity").  Again, the remote, wireless attacks that we’re discussing are exactly why I specified the Navy’s networks as both a center of gravity and a vulnerability.  We need to develop far more robust protections for our networks and consider the prospect of having to fight with significantly degraded networks. 

Currently, our network capabilities and security are assumed to be a given.  We train with fully operational networks.  Just like we should be training in electromagnetically challenged environments, so too should we be training in degraded network environments.  Has any training exercise started by shutting down all the networks and then saying, “fight”?  Undoubtedly, the response would be, “How?”.  We need to train to fight without absolute dependence on networks.  In fact, we should be training to fight un-networked, if necessary.

Network vulnerability also suggests that we should be designing networks that can be segregated and isolated the moment cyber attacks are detected.  In other words, we should be designing networks that can fail in an ordered and predictable manner rather than catastrophically. 

This also suggests that we need to build redundancy into our networks.  Just as we have (or used to have) redundant systems to mitigate battle damage, so too should we have redundant networks.  While we have a degree of redundancy in our current networks (backup servers and so forth) the redundancy is aimed at mitigating physical damage not cyber damage.  In order for a network to be redundant in the face of cyber attacks it must be completely isolated physically and electrically from its redundant self.  Any cross connection (power, uninterruptible power supplies, surge protection, user terminals, etc.) offers a pathway for a cyber-damaged network to infect its redundant self.

Consider the glowing claims made for using AESA radars to not only find targets but to communicate with other platforms, transfer data, and perform a degree of ECM.  Unfortunately, this also means that AESA radars are a potential portal for enemy cyber attack.  I’m certain that these radars have no cyber attack protections built in.  Think about the multitude of antennas on a modern aircraft.  Each one is a potential portal.  Think about what would happen if a cyber attack on aircraft radars could get each radar to strobe on.  That would provide the enemy with instant locations of all our aircraft.

How realistic is any of this?  I have no idea but the Air Force seems to think it can do something along these lines so I’m sure our enemy can, too.  To the best of our public knowledge, Chinese, North Korean, and Russian cyber attack capabilities are well ahead of our own.  Heck, they should be – they’ve been practicing them daily against our systems for years.

This remote, wireless cyber attack capability not only presents a powerful opportunity for offensive exploitation but it should serve as a frantic alarm concerning our new offset strategy which proposes, in part, to depend ever more heavily on information dominance, data, and networking in lieu of traditional explosive combat power.  If we find our networks compromised, our entire offset strategy would be invalidated.  Indeed, it seems as if that portion of the strategy is already seriously at risk.  We need to re-evaluate just how much emphasis and reliance we want to put on networks.  The Chinese and Russians are certainly putting a lot more emphasis and reliance on good old-fashioned explosives.  Perhaps their cyber experience has demonstrated to them something about the future of warfare that we have not yet grasped?

  


20 comments:

  1. My wife had a thought.

    On 12/18, the new Star Wars movie comes out. As most of the IT departments in the US get sucked into movie theaters doesn't that create an opportunity for cyber attacks?

    (Just kidding..)

    ReplyDelete
    Replies
    1. I cannot imagine it would be worse than any of the previous Star Wars films, the Lord of the Rings series, and similar geeky interests.

      That said, attacking on a specific day or time to achieve maximum surprise is a possible tactic.

      A real world example was the 1973 Yom Kippur War.

      Delete
  2. CNO said, " A slow, defenseless aircraft is going to be limited as to how closely it can approach an enemy but a submarine is unlimited. "

    The sub is limited by... well... water. Can't exactly sail it overland. ;)

    Plus subs are very limited by antenna height. A mast at 20ft gives a LOS horizon of ~12-20 nm against a cell tower.

    OTOH, an EC-130 operating at 20,000ft has a LOS of nearly 200nm.

    ReplyDelete
    Replies
    1. A sub can beach on a Chinese shore (a little hyperbole there) for all practical purposes and do so undetected. To use your own statement, do you really think an EC-130 could penetrate the Chinese A2/AD zone to within 200 miles of the Chinese shore and survive???

      Please don't turn this into a one-or-the-other discussion. I simply offered the thought that a sub might make a useful platform in addition to an aircraft. I could imagine a sub approaching harbor/base facilities and wreaking all kinds of network havoc with a very low risk of detection and a very high degree of survivability.

      Delete
    2. It's possible, sure. However this sub would have to approach the harbor/base and raise a mast, which given the proximity required, would greatly increase its chances of being detected.

      If you really wanted to do this, maybe develop a swim-out UUV, with a fiber tether back to the sub. The sub would remain at a relatively safe standoff, while the UUV swam in close. The UUV would deploy a buoy antenna, which would perform the transmissions. If detected, the sub would cut the line and evade.

      However, IMHO, better to use a stealthy UAV that can stand off at significant distance from altitude. Adapt RQ-180, perhaps. Control it via SATCOM or LOS relay from further out.

      Delete
    3. Wait a minute. Back the EC-130 up! You credit the EC-130 with a 200 mile standoff effective range for this kind of network manipulation (a range that is totally unsupported by an fact, by the way - we have no idea what range we have to be at to do this) and you credit the sub with a 3 ft range (OK, you didn't actually say that but you suggest an incredibly short range. I see no reason why a sub couldn't stand 10-20 miles off (he said, having no idea how this capability actually works!). For a sub, that's total survivability.

      You seem to think a sub is at risk of detection but a giant non-stealthy aircraft is not?? How long do you think a non-stealthy, slow, HVU is going to survive deep inside a Chinese A2/AD zone? 200 miles is not much if an enemy has decided you're worth killing.

      Now, if you want to postulate a stealthy UAV design dedicated to this mission, fine. Of course, we get back again to the unrealistic assumption that UAVs will be able to blithely penetrate thousands of miles of A2/AD zone and carry out all manner of missions with total impunity.

      You also caught my note in the post about having no idea what level of power, antennas, computers, etc. are needed for this capability? We may need a sub or EC-130 just to house the equipment or we may need only a micro-miniature computer chip glued onto the back of a seagull. We have no idea. So, before you commit to a RQ-180, you might want to find out what the equipment requirements are. If you already know what they are, please share!

      Delete
    4. CNO,

      Yes, YMMV with both of those standoff distances. I was merely calculating line of sight from sub/aircraft to a ~200ft cell tower. Terrain features will further reduce this (to a much greater degree for the sub). Not all attacks will require line of sight, but it's a useful metric.

      Delete
    5. Also, 10-20 miles is the LOS standoff from mast to emitter. So unless the emitter is on the beach, the sub will have to get closer.

      Yes, there are too many communications technologies out there to make any broad generalizations.

      Delete
    6. The article does not make it clear but I'm assuming that the locus of attack would not be a tower or other centralized point but, rather, a lesser "node" like an individual aircraft, ship, or computer. Thus, a sub or aircraft would not need to get near the heart of a network - any remote node would do. Pure speculation on my part but it ties in with some other pieces of information that have appeared recently along these lines.

      Delete
  3. There seem to be a lot of assumptions:

    1. Assuming that the network is not compromised
    2. That air superiority is a given
    3. Western troops are always better armed, trained, and equipped
    4. No jamming
    5. No mines
    6. The enemy won't respond in a creative asymmetric manner and will behave as predicted
    7. In the case of many people, that American victory is always a given (despite past failures)
    8. Western weapons will always work reliably or as the manufacturer advertises

    We could make a longer list.

    These are all very dangerous assumptions to be making.

    ReplyDelete
    Replies
    1. Also assuming that EMP or microwave bursts do not shut down sensitive electronics .

      Delete
  4. From our defensive perspective, we have to realize that Software is a critical as nuclear weapons, Aegis Doctrine, submarine propellers, etc.

    I make that argument because one virus inadvertently on a USB stick with family photos could make a carrier a giant boat anchor.

    Yet we continue to ignore Information Assurance and to insist on using fielded systems that require large numbers of software upgrades.

    Would we treat a nuclear weapon or missile this way?

    So while we plan to do it to the other guys, take a look at our own systems also.

    ReplyDelete
    Replies
    1. Read how the F-35 program is foregoing IA tests on their MAINTENANCE SW so that they can keep flying.

      I can't make this stuff up, I am NOT that creative.

      http://www.pogo.org/our-work/straus-military-reform-project/weapons/2015/f-35-officials-prove-need-for-cyber-testing.html

      Delete
    2. Thanks for the heads up and the link. I hadn't seen that one. That's pretty discouraging although it falls in line with everything else we've seen.

      Delete
  5. Sorry , unrelated news about another problem with LCS and it's drone.

    http://www.bloomberg.com/news/articles/2015-12-08/littoral-combat-ship-can-t-hunt-mines-due-to-unreliable-drone

    ReplyDelete
    Replies
    1. NICO, thanks. That problem has been thoroughly documented by Mr. Gilmore at DOT&E. It's absolutely baffling why the Navy would continue to push ahead so aggressively with such a flawed system. The Navy has established an "independent" group to study the issue and make a recommendation which will, of course, be to continue production.

      Delete
  6. Very much like your point on AESA.

    Firstly from the point of adding communications redundancy and protection.

    AESA can theoretically run hundreds of LOw prob intercept data lines at once.

    With prevalance of multi arrays and duel band. We need to utilise.

    Its not going to be easy to hack. But theoretically of course possible.

    Howerver with AESA the possibility of link 22 + mega encryption is very possible.

    Only problem is as we see from the f22. Getting differing arrays to chat the each other.

    ReplyDelete
    Replies
    1. One open question I have on this is the detectability of the radiating (AESA) platform. While the probability of intercept is low, the probability of detection may be high. So, having a F-35 radiating data may not be a good idea.

      I'm nowhere near expert enough in radar, comms, electronics to offer a valid assessment of this particular issue. I can see the possibility of a problem but not the magnitude.

      Delete
    2. AESA is a very complex subject. The likely hood of detection is very low compared to traditional methods, but it all comes down to the number of frequencies each Transmit and receive module can put out, how often they are being used and of course each of their individual power output.

      The theory is that each individual pulse at differing frequencies should show up at range as little more than background radiation. It should look random with no discernible pattern and no single pulse strong enough to look coherent.

      But we know from subs passive sonar that if you can run a time laps analysis you can pull defined frequency spikes in what look like white noise.

      So basic detection of presence is theoretically possible.

      I’m sure the technology will be perfected and increased to wider frequency bands and more and more modules per array making detection more and more difficult. ( longer and longer time required )

      It’s not too much of an issue with an F35, because if you have to wait 30 minutes just to detect there is one about, its way to late.

      Even on a fast moving surface action group it’s not tactically significant, as you can’t glean data, range or even a very good bearing, but as you say, ideally you would rather no-one has a clue your even there.

      Delete