2016 Cyber Essay Contest Prize Winner – Sponsored with Hewlett Packard Enterprise
tment of Defense. As outlined in its 2015 Cyber Strategy, the DOD “is responsible for defending the U.S. homeland and U.S. interests from attack, including attacks that may occur in cyberspace.”1 The February 2016 edition of Joint Publication 1-02 (JP1-02), the DOD’s dictionary, goes on to define cyberspace as “[a] global domain within the information environment consisting of the interdependent network of information technology infrastructures and resident data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.”2 In layman’s terms, cyberspace consists of the computers, servers, content, and infrastructure connected to, controlled by, and conducting global commerce on the Internet.
The importance of this system, as well as its vulnerabilities, is clear from even a cursory review of current events and of the history of the last three decades. In the tactical realm, the success of Operation Orchard, the Israel Defense Forces' attack on a Syrian nuclear facility in September 2007, demonstrated just how quickly a cyber attack could disable an air-defense network. Operationally, the 2010 discovery of the Stuxnet worm in Iran's nuclear facilities and the subsequent delay to that nation's weapons program highlighted cyber warfare's ability to achieve kinetic effects that rival direct military action. Finally, the Titan Rain (2003–present) series of espionage events illuminated the usefulness of a robust cyber capability for gaining possible advantages in future conflicts.3 As can be seen from just this small number of examples, cyber warfare is not only widespread and effective, but it is maturing at a rapid rate.
In order to avoid these events being seen as the Taranto or Guernica to a future cyberspace Pearl Harbor or Hamburg, the Department of Defense must begin to consolidate its currently disjointed and redundant cyber warfare efforts. It must also join these endeavors with international, interagency, and civilian security efforts. While the current DOD Strategy elucidates five strategic goals, it lacks specificity and clarity of execution. In order to eliminate these shortcomings, the Department of Defense should set the following priorities in conjunction with civilian industry to be in place by 2020. First, the U.S. government, its allies, and the computer industry should standardize the cyber warfare lexicon. Second, the DOD should place the development of both passive and active intrusion defenses at the forefront of its research-and-development (R&D) budget. Finally, the DOD should develop a scalable offensive capability that allows it to place both state and non-state actors’ systems, infrastructure, and economic resources at immediate risk.
Standardizing the Cyber Lexicon
The need for a standardized language between the Department of Defense and its partners is readily apparent from operations in other military domains. Just as land, sea, and air forces require immediately recognizable acronyms and terms to operate efficiently, cyber warfare personnel will need a language that allows them to respond rapidly to an event or threat. In addition to being encapsulated in doctrine and publications (e.g., JP1-02), cyber-specific terms need to convey specific effects and outcomes to combatant commanders and their staffs across all services. Put another way, much as the fires officer in an Army divisional tactical operations center should be able to convey his commander's needs to a Navy aviator on a carrier strike group's bridge, cyber staff principals should be able to explain quickly what is happening to a joint or combined network. U.S. Cyber Command (CYBERCOM), as the designated DOD command for cyber warfare, should be the main proponent for this task.
At the strategic level, part of this lexicon must be a common understanding as to a given cyber attack’s severity. In an era of 24-hour news and its tendency for hyperbole, a sober and objective scale to apply to each event will be critical for the proper allocation of resources and advising of senior leaders. A proposed methodology for accomplishing this is the use of a Cyber (CY) Scale that is developed and implemented through agency memoranda of understanding and/or United States Code. The following scale provides a possible framework for U.S. government use:
• CY-1: A minor intrusion compromises unclassified but possibly sensitive data, or leads to payments being funneled to possible non-state actors. The recent penetrations of the Office of Personnel Management and the ransomware attack on MedStar Health's facilities are examples.
• CY-2: An intrusion compromises major weapon systems or trade secrets, or causes moderate impact to a specific civilian economic sector. A possible scenario for such an event would be if a state or non-state actor penetrated an international bank and caused disruption to account services for 48–72 hours.
• CY-3: A major event initiated by a state or state-sponsored actor causes serious economic impact, possibly leads to a mass-casualty (more than 15 individuals) event, and/or results in the long-term disruption of transportation networks. The catastrophic destruction of a hydroelectric dam's turbines or the disruption of the Northeastern United States' electric grid through the introduction of malware are just two possible incidents that would qualify for this level.
• CY-4: A confirmed cyber attack from a state-sponsored entity compels a change to U.S. national strategy/actions that will have a lasting economic, physical, and/or military impact against the United States or major ally. Such attacks should be expected in time of conflict and, if they occur outside of overt warfare, should be treated the same as a physical act of war. The disruption of the entire U.S. electrical grid, coupled with simultaneous attacks on rail transportation and multiple nuclear power plants, would qualify as a CY-4.
The importance of developing some common lexicon and scale of events cannot be overstated. Potential adversaries, both peer and non-state actors, have openly stated their intentions to use asymmetric means to attack the continental United States in the event of future conflict. By having discussions on cyber warfare terms and elucidating a cogent ranking of cyber severity in a time of relative peace, the DOD and its interagency partners will be prepared to provide the National Command Authority with effective advice during a period of panic and chaos.
Intrusion Defenses, Reporting Procedures
To facilitate the DOD's evaluation of cyber events, research-and-development dollars should be directed to the creation of passive and active intrusion defenses. By passive defenses is meant equipping high-value servers with electronic and physical sensors that alert agencies when someone is tampering with them. To use a physical-security analogy, this is akin to placing sand around a fenceline, patrolling it, and regularly sweeping the sand so that an intruder's passage across it is revealed. While current DOD posture follows this mindset to some degree, it does so primarily with commercial off-the-shelf systems and user training. What is needed is a DOD-specific, highly adaptive program that is developed and maintained in-house and, most importantly, limited to a defined set of protected sites.
Active defenses would be the programs used in conjunction with passive detection to immediately attack and close cyber penetrations. This is neither a novel nor a new concept, but, as with existing passive defenses, current DOD efforts focus on commercial, widely available programs that deal with local "infections" rather than an agency-wide counterattack that quickly seeks to eliminate vulnerabilities or attacking programs. The DOD, in conjunction with the Department of Homeland Security and law enforcement agencies, should seek to develop software and hardware solutions that would not only stop a cyber attack but also return key Internet nodes and systems to a functional state. With regard to civilian infrastructure, the DOD should simultaneously seek to develop hardware and industrial software that would facilitate restoration of critical services, then make those products available for purchase by state and local transportation, water, electrical, and nuclear sites. Although the use of such technology should not, under any circumstances, be compulsory, the benefits of its purchase would be clear in the face of a CY-3 or CY-4 incident.
In all cases it should be made clear that the intent of developing defensive capability is not to create an “impenetrable fortress” in cyberspace. Chasing this goal would be both wasteful and nigh unachievable given current or projected future technology. Instead, the DOD should partner with civilian industry to achieve three purposes:
• Prevent a cyber emergency that would be comparable to the Allies’ Ultra/Magic success in World War II—i.e., having an adversary able to read U.S. forces’ communications in near-real time.
• Facilitate the rapid detection of malicious code that may have been placed into military hardware manufactured overseas. (While nothing so spectacular as making planes crash or weapons turn on their firing units would be likely, introducing a constant circular error probable (CEP) of 100 yards into a guided weapon or causing aircraft to burn 10 percent more fuel would pay clear dividends for an adversary operating on far shorter supply lines than U.S. forces.)
• Develop the ability to know a system has been compromised so it may be used to provide false information, compelling an opponent to adopt courses of action he otherwise would not pursue.
Supporting all three of these defensive purposes with offensive capabilities should also be a DOD priority. The fourth goal of the 2015 Cyber Strategy, to “[b]uild and maintain viable cyber options and plans to use those options to control conflict escalation and to shape the conflict environment at all stages” seemingly touches on this, but lacks specificity.4 To achieve deterrence, the DOD offensive capability should be able to conduct the following tasks either individually or simultaneously:
• Destroy adversarial systems through remote access.
• Control adversarial systems that have any connection to the Internet or local networks that DOD personnel can physically access.
• Collect and store evidence in support of future law enforcement investigations and prosecutions, or to justify sanctions under existing or future executive orders.
• Generate regional and national cyber events that will affect both state and non-state actors’ ability to conduct commerce, transport goods and personnel and, if necessary, provide basic needs to their populace.
Outlining these tasks will be necessary as the DOD conducts the systems-acquisition process. Unlike defensive systems, offensive capabilities should be developed in the classified realm, with civilian computer-industry input sought only to streamline the targeting process (i.e., to aid in understanding where industrial software may have common vulnerabilities, à la Stuxnet). The DOD should be prepared to recruit, employ, and retain personnel to carry out these tasks, with the understanding that compensation will have to rival that of the civilian sector.
To support this, facilities will have to be developed that allow testing of offensive capabilities without risk that experimental malware will be “released” into the Internet at large either accidentally or because of insider threats. Finally, both senior military officers and civilians will have to be educated that cyber, like the physical realm, has a sliding scale of effects. Just as a targeting officer has a choice between using a small-diameter bomb or a 2,000-pound Joint Direct-Attack Munition, cyber staffs need to be provided with the ability to temporarily disable an adversary’s power plant or cause it to literally immolate.
The Future Is Now . . .
While the thought of a multi-million-dollar generating plant being forced to explode because of an email seems like something out of science fiction, recent events demonstrate that this is as possible as an intermediate-range ballistic missile that can put its warhead through a carrier’s deck thousands of miles away. Much like those who wish to ignore the Dong-Feng 21 missile threat previously outlined in the pages of Proceedings, there will be officers and civilians who do not believe cyber is an area worthy of scarce fiscal resources.
Unfortunately, possible adversaries have already demonstrated in Estonia, Georgia, and Ukraine that they are quite capable of targeting friendly nations' cyber vulnerabilities, and in Georgia and Ukraine of doing so as the opening phase of their military operations. Similarly, peer adversaries maintain entire military and governmental agencies dedicated to the conduct of operations in cyberspace, with the intent of marrying those abilities to kinetic military actions at all levels.
Whether the DOD will be compelled to prioritize the standardization of cyber lexicon, defensive capabilities, or offensive systems in cyberspace is not in question. The only unknown at this point will be whether DOD does so in a timely manner or, much as Admiral Chester Nimitz was forced to rely on carriers post-Pearl Harbor, this change will be because of conditions foisted upon the United States by its opponents. Hopefully, wisdom will prevail before necessity compels.
2. Joint Publication 1-02: Dictionary of Military and Associated Terms 8 November 2010 (As Amended through 15 February 2016) (Washington, DC: Department of Defense, 2016), 58, www.dtic.mil/doctrine/new_pubs/jp1_02.pdf.
3. See Peter Singer, "The War of Zeroes and Ones," Popular Science, 8 September 2014, www.popsci.com/article/technology/war-zeros-and-ones; Dawn S. Onley and Patience Wait, "Red Storm Rising," Government Computer News, 17 August 2006, https://gcn.com/articles/2006/08/17/red-storm-rising.aspx; and John Avlon and Sam Schlinkert, "This is How China Hacks the U.S.: Inside the Mandiant Report," The Daily Beast, 19 February 2013, www.thedailybeast.com/articles/2013/02/19/this-is-how-china-hacks-the-U.S..
4. Cyber Strategy, 14.