When discussing how best to leverage cyber technologies to the military’s strategic and tactical advantage, cyber professionals tend to think in one of two realms: offensive and defensive. In the defensive realm, we take for granted that software functional managers look for security holes and network administrators patch them. We expect the offensive experts to build and refine digital weapons and carry out secret data intrusions to prepare the battle space.
Offensive cyber swords and defensive cyber shields provide immense strategic value, and that work must continue. But to really make a warfighting unit more effective, we need to put more effort into a third area: cyber support.
Rarely talked about and frequently neglected, this Cinderella of the cyber world permeates everything and has significant impact on day-to-day missions.
In 2015, I deployed on a submarine under U.S. Central Command in the Middle East. What exhausted me on this deployment more than constant danger at periscope depth, reactor casualty drills, and never-ending training were the far more subtle frustrations.
For example, I did most of my paperwork on an aging laptop with a missing F5 key and a letter S that occasionally would not work. This made it difficult to log in, but I always managed to make it work eventually.
These laptops ran Windows XP—the operating system for which Microsoft ended mainstream support in 2009 and patch support in 2014 and for which the Navy signed a contract potentially valued at $31 million to provide continued special support through 2017.1
We kept records and developed training materials with the Office 2003 suite.
We navigated the boat with the Voyage Management System, the bane of the Navigation Department’s existence, It took excessive time to perform even the simplest tasks. Need to pan the chart east or west? That will take a couple of minutes. Need to check overlay coordinates? A couple more minutes. Zoom out? More objects in view to render; you really messed up now. Reviewing charts frequently devolved into an all-day affair made up of 20 percent work and 80 percent sitting around waiting for the program to do whatever simple task you just asked it to do.
For basic reference information about geographic areas or various other topics, we had Microsoft Encarta, a defunct encyclopedia that Microsoft stopped updating in 2009.2
Engineering laboratory technicians tracked reactor plant chemistry in a standardized Microsoft Access database with terribly formatted user input forms and barely interpretable output reports.
Orphaned and superseded technical publications with multiple effective dates littered the network drives, leaving it up to the reader to make sure he or she knew which held the most recent guidance.
Enumerating these small issues begins to highlight the subversive nature of the problem. Compared to an enemy actor permanently encrypting your networks or shutting down your power grids, issues such as these seem trifling. Individually, none of them will cause us to lose a war, but they are death by a thousand paper cuts.
A Navy captain recently explained to me that the Navy does not operate on “state of the art,” it operates on “state of the practice.” The former is expensive and risky, while the latter is affordable and usually has all the major kinks worked out. Therefore, the Navy always finds itself around 15 years behind the cutting-edge civilian organizations. Intuitively, this makes practical sense.
It will be our downfall.
State of the practice might work for hulls, pumps, heat exchangers, and pressure transducers, but think about what 15 years behind means in today’s digital world. Artificially intelligent bots conducted organized information warfare campaigns in 2016. Apple released the iPhone in 2007. The first tweet went out in 2006. Facebook launched in 2004.
Our world has grown exponentially more complex since 2004, and we can barely imagine life without these technologies anymore. As younger officers and enlisted sailors enter the Navy, they experience rising frustration with these little problems. I neither expect nor want a command-issued iPad under way, but it would be nice to use software that was developed after we toppled Saddam Hussein.
Cyber experts have a long list of convincing and legitimate reasons why it has taken so long to update Department of Defense networks or to acquire new software. Nevertheless, during a port call in Bahrain I sat in the Naval Support Activity food court and, in stark comparison to my boat experience, upgraded my personal laptop from Windows 8 to Windows 10 for free in about two hours.
I then downloaded my own offline copy of Wikipedia, a surprisingly meager 14 gigabytes when compressed. Not bad for nearly a thousand times as much information as Encarta. Just upstairs, petty officers played an Xbox game that rendered a million polygons 60 times a second. Our charting software choked on demands orders of magnitude smaller than that.
From this vantage point, technology-literate sailors find it hard to muster sympathy for the Navy’s adapting at the pace of cold molasses.
Consider this: Facebook updates its source code twice a day.3 Having worked alongside a couple of Department of Defense proprietary software teams over the past few years, I know we consider ourselves lucky with ten software changes a quarter. Occasionally, we even get a key operational feature we need.
Cybersecurity occupies the place of honor at the development table. Whisper the phrase “cyber vulnerability,” no matter how small, and cyber defense experts ring up all stop on everything else. One of the teams I worked with spends on average 60 percent of its budget and time patching security holes for a system on a network not connected to the internet. That same software team still has not caught up to changes in operational plans made years ago. In the years I have known them, I have seen the cyber defense experts force them to shut off useful features one by one to the point that it has threatened our ability to do our job. If defenders protect a tool so well that even authorized users cannot use it, what is the point?
Today’s sailors expect better. Putting more effort into support means that cyber experts and developers must work harder to balance security threats with operational requirements, stop making usability an afterthought, and stop treating their users as a captive audience. If the Navy and Department of Defense ignore these problems too long, they will remain constant distractions that take away from the warfighter. Eventually, our technologically savvy sailors will get fed up and leave. While defensive cyber literally keeps the lights on, and offensive cyber is sexy, we can’t afford to lose sight of the forest for the trees.
Updating Tech The Submarine Way
One of the best things the submarine community ever did was move to the technical insertion/advanced processor build (TI/APB) model for sonar and fire control.1 Modern attack submarines are enabled by some of the world’s most sophisticated hardware and software. Under TI/APB, submariners see new hardware and software builds incrementally, every two years, with complete force rollouts approximately every six years. When systems are fully implemented on every boat in the fleet, any submarine officer, sonar technician, or fire control technician can qualify on one sub then drop into a different platform’s control room almost fully trained and ready to go. The sub force has done the same thing with the common submarine radio room. These digital tools are force multipliers, and even though they have occasional headache-inducing quirks, they do not induce the same exhausting stress as fighting with long-outdated software and hardware.
1. D. Goldman, “Navy Pays Microsoft $9 Million a Year for Windows XP,” 26 June 2015, https://money.cnn.com/2015/06/26/technology/microsoft-windows-xp-navy-contract/index.html.
2. Reuters, “Microsoft to Discontinue Encarta,” 31 March 2009, www.reuters.com/article/us-microsoft-encarta/microsoft-to-discontinue-encarta-idUSTRE52U1WA20090331.
3. E. Protalinski, “Facebook Now Updates Its Code Twice Every Day,” 3 August 2012, www.cnet.com/news/facebook-now-updates-its-code-twice-every-day/.
1. J. Zimmerman, “Lessons in Innovation: The SSBN Tactical Control System Upgrade” (2016), www.secnav.navy.mil/innovation/Pages/2016/10/SSNTCSUpgrade.aspx.