Back before the wars in Afghanistan and Iraq, before military thinkers and policymakers became obsessed with counterinsurgency, the idea of the day was the Revolution in Military Affairs, or RMA. RMA, a doctrine that emphasized modern information, technology and communications, was sparked by Soviet analysis of the West’s move towards more reliance on precision targeting and coordination.
The reclusive and enigmatic “Yoda” of the Pentagon, Andrew Marshall, was poring over Russian-language journals and presumably secret communiqués. He was intrigued by the Soviet identification of a “Military Technical Revolution.” Throughout the Cold War, Europe occupied the center of the chessboard. On one hand, grand strategy revolved around a massive preemptive blitz of tanks and troops supported by air power and even tactical nuclear weapons, emanating from the Soviet bloc; on the other hand, arms buildup and nuclear deterrence from the West.
When Russian and Chinese thinkers witnessed an actual invasion using massed weapons and troops, supported by air and stand-off cruise missiles, as a U.S.-led coalition easily pushed Iraqi forces from Kuwait, they believed they saw the future of modern warfare. A combination of precision-guided weapons, networked intelligence, surveillance, and reconnaissance (ISR), and modern command and control would be a force multiplier while eliminating the fog of war.
Arthur Cebrowski was the chief proponent of the new Network-Centric Warfare (NCW). His 1998 paper, Network-Centric Warfare: Its Origin and Future, published in Proceedings while he was still Director for Space, Information Warfare, and Command and Control, is imbued with the excitement of the halcyon days of the internet boom. Reading it today, one is struck by how much its enthusiasm for networking mirrors the dot-com era:
“We are in the midst of a revolution in military affairs (RMA) unlike any seen since the Napoleonic Age, when France transformed warfare with the concept of levée en masse. Chief of Naval Operations Admiral Jay Johnson has called it ‘a fundamental shift from what we call platform-centric warfare to something we call network-centric warfare’, and it will prove to be the most important RMA in the past 200 years.”
In his Pentagon briefing upon taking the director role, Cebrowski said: “If you are not interoperable, you are not on the net. You are not benefiting from the information age.”
The tenets of NCW, once again, are: eliminating the fog of war through a sensor grid, and a combination of precision-guided weapons, ISR, and command and control. The U.S. military, and other militaries around the world on both sides, were late to the computer and networking game (now dubbed “cyber”) but determined to catch up. A global information grid was sketched out. Satellites for reconnaissance and communication were launched. Precision GPS systems were deployed. Drones for ISR and weapons delivery to targets were built in ever-increasing numbers. A high-altitude drone, the Global Hawk, was deployed not only to replace the 1950s-vintage U-2 platform but to add a layer to the ISR and command and control from land, sea, and air systems.
But, while weapons systems were being networked, the operational networks of the Pentagon crawled along at a pace much slower than in the commercial space. Transformation encompassed putting PCs on every general’s desk and empowering operations and planning personnel with PowerPoint tools. By 2008 most enterprises had already discovered and addressed the disruptive nature of “being networked.” Viruses spread by floppy disks and then the internet were addressed with anti-virus software. Worms such as Code Red, SQL Slammer, and Nimda had had their impact. Firewalls were locked down to “deny all except that which is explicitly allowed.” Intrusion prevention systems were deployed to block worms and network-based attacks. To avoid data loss, end-point controls were established to block the use of unauthorized USB devices. Vulnerability and patch management systems were almost universally deployed.
The Pentagon had its wake-up call, according to William Lynn, then Assistant Secretary of Defense for Cyber, in 2008 when the Agent.btz worm spread from a forward operating base in the Middle East throughout SIPRNet, the top secret military network. The cleanup effort, labeled Buckshot Yankee, took nine months and involved re-imaging millions of PCs at a cost of $1 billion. We can learn a few things by reading between the lines. In 2008 the Pentagon did not have device control systems deployed. We also know this from the way Bradley Manning exfiltrated the State Department cables from a SCIF in Iraq by burning them to a Lady Gaga CD via a USB port. In addition, we know that the Pentagon did not have the ability to remotely update its PCs, as the operation was accomplished locally at each facility.
It is interesting to note that the commander in charge of the Joint Functional Component Command for Network Warfare (JFCC-NW) that first saw Agent.btz crossing SIPRNet was Keith Alexander. As the military and federal government caught “cyber fever” and scrambled to shore up defenses, there was also a land grab to claim the cyber domain. Then-Secretary of Defense Robert Gates addressed the scramble, directing the Air Force and Navy to stand aside and then combining JFCC-NW and the Joint Task Force-Global Network Operations (JTF-GNO, also led by Alexander). Gates eventually appointed Alexander to head U.S. Cyber Command (in addition to the NSA), which became operational October 31, 2010.
But the parallel between the Pentagon and the measures industry has been taking to address the rise of cybercrime, espionage, and attack continues. The Pentagon came to the game late and reacted with uncommon speed to the threats that accompanied the move to NCW, but with one glaring omission.
Software assurance (SA), the practice of designing and testing software to exclude vulnerabilities, has apparently been neglected completely by the Pentagon and the defense contractors that supply it with precision weapons, ISR, and command-and-control capabilities. With the famous Trustworthy Computing memo written by Bill Gates, Microsoft embarked on a massive SA effort in 2002 when it became apparent that vulnerabilities in Windows and its applications represented an existential threat to its market. Software development was halted for a full year as every engineer was trained in the methods of code scanning and secure software design practices. While not perfect, that effort paid off eventually. A decade later, the latest versions of Windows are relatively good.
The Pentagon made a mistake common to many manufacturers. It assumed that because its systems were proprietary and distribution was controlled, there would be no hacking, no vulnerabilities discovered, and no patch-management cycles to fix them. This is security by obscurity, an approach that always fails over time.
Evidence of the lack of software assurance within the defense industrial base abounds. Drones in Iraq and Afghanistan sent their video feeds in the clear, something discovered when insurgent laptops were captured with drone videos on them. There is apparently no verification of GPS signal authenticity, as drones have been captured by both Iran and North Korea by overwhelming GPS signals with spoofed information. And encryption keys are apparently accessible on those captured drones.
In one experiment run by the Air Force, three million lines of proprietary code were scanned for vulnerabilities. The scan found one “software vulnerability” per eight lines of code, one “high vulnerability” per 31 lines of code, and one “critical vulnerability” per 70 lines of source code.
Cyberwar is Here
Modern precision-weapon systems rely on software for target acquisition and flight control. The F-35 Joint Strike Fighter, the most sophisticated weapons platform ever built, contains 9 million lines of code, with another 15 million lines of code in the logistics support system required to supply it with spare parts. Apply the above rate for critical vulnerabilities (one per 70 lines) to the 9 million lines of flight software and there exist potentially 128,000 critical vulnerabilities in the most expensive fighter jet in the U.S. arsenal.
Does security by obscurity hold for weapons platforms? Not if the adversary is actively engaging in cyber espionage to get copies of software source code. According to Ellen Nakashima, sources provided the Washington Post with a confidential report to the Pentagon that itemized over a dozen weapon systems that had suffered from Chinese cyber espionage. These included: the advanced Patriot missile system (PAC-3), the Terminal High Altitude Area Defense (THAAD), the Navy’s Aegis ballistic-missile defense system, the F/A-18 fighter jet, the V-22 Osprey, the Black Hawk helicopter, the newly minted Littoral Combat Ship, and yes, the F-35 Joint Strike Fighter.
Just as hacking of vulnerable systems has moved from widely deployed and relatively inexpensive Windows PCs to medical equipment, automobiles, and industrial control systems, the weapons platforms that are the basis of NCW are surely vulnerable and surely going to be targeted. When modernized militaries next engage in combat, expect a debilitating cyber-attack, giving the adversary an asymmetric advantage. The move to network-centric warfighting by the U.S. military set the stage for an inevitable cyberwar.