Western Pacific, 2130Z, 5 July
On board USS Theodore Roosevelt (CVN-71)
Commander Paul Jones reread the admiral’s orders with a sense of disbelief: “Conduct operations to achieve and maintain sea control in the Whiskey operating area.” Open conflict had begun on his watch, 24 hours earlier. A surprise attack—in the form of a missile swarm—had caused a U.S. destroyer operating 1,000 nautical miles away to vanish from the common operating picture (COP) display in the carrier strike group’s (CSG) tactical flag command center (TFCC). Jones felt sick at the thought of it, but quickly dismissed the feeling as the off-going CSG battle watch captain (BWC) began his turnover brief.
When the BWC reported the CSG CyberSafe condition as “Yoke,” with no detected compromises of mission-critical systems, Jones reflected on the fact that he still didn’t understand all the technical stuff that happened when he set Yoke barely 24 hours ago. The off-going watch also reported that SharkCage network sensors detected a generator control system attempting to beacon off the carrier, but the signal back to the malicious domain was blocked at the ship’s network boundary. Distributed denial of service (DDoS) attacks also were ongoing against commercial data transport companies serving the Department of Defense, including commercial wideband satellite providers, which probably explained some of the bandwidth reductions.
At the conclusion of the brief, Jones assumed the watch, “Attention in TFCC, Commander Jones assumes the watch as BWC.”
Taking his first sip of coffee, he surveyed the COP, struggling with how to achieve sea control across such a broad operating area. Additional assets wouldn’t arrive for another day; however, this ensured the CSG got all the available—if extremely limited—satellite communication bandwidth. In addition to jamming communications, the adversary clearly was interfering with the intelligence satellites, as all the feeds had dried up. Limited bandwidth and lack of intelligence were going to complicate locating the adversary, a prerequisite for sea control. By his second sip of coffee, Jones knew the outcome of this conflict would hinge on one thing: information.
In that case, Jones thought, a good place to start would be with the intel watch officer. He was picking up his handset to ask about adversary activity when the information warfare commander (IWC) burst through the TFCC door followed closely by a direct-support linguist.
The IWC began speaking before he was through the door: “Pull up the information warfare watch officer’s display!”
As the display appeared, the unfamiliar shapes and foreign language caught Jones off guard.
“What am I looking at?”
He was shocked at the IWC’s response. “The Red COP. In real time. Courtesy of Tenth Fleet.”
As soon as the linguist finished translating the Red COP, Jones called the admiral.
It felt as if the admiral was in TFCC before Jones could put down his handset. Jones provided a brief of the tactical situation, focusing on a Red surface action group entering the western portion of the Whiskey operating area. The Red force appeared to be attempting to move outside the island chain, possibly hunting for the CSG while U.S. reinforcements were still en route. Regardless, with the position of the Red surface action group established, the CSG Commander decided to strike.
Jones had never seen a strike plan come together so quickly. In minutes, it was decided the strike would occur in two phases. The first phase would be an antisurface SM-6 salvo fired by the CSG’s destroyers on a western attack vector. The second would comprise an F/A-18 strike package launched from the carrier on a northern attack vector. The concern was how early the aircraft would be detected, as the effectiveness of the SM-6 salvo would be unknown at that point. The IWC addressed these risks by convincing Tenth Fleet to inject false data into the Red COP, luring the surface action group into a position where the strike fighters could use a nearby island for cover. Furthermore, Tenth Fleet would try to synchronize additional confusion on board the Red ships with the second phase of the strike.
With the admiral’s approval, Jones went to work issuing the required orders. Almost instantly, two new tracks appeared on the Red COP. The linguist confirmed these were first indicated as unknown tracks, and then later changed to represent a U.S. carrier and escort. Once the tracks were tagged as U.S. warships, it wasn’t long before the Red surface action group altered course. An hour later, the position of the Red surface action group allowed the carrier to launch the F/A-18s. As the Super Hornets flew to their designated position, the minutes seemed like hours.
Then, at the designated time, the surface warfare commander’s report came in—“Missiles away!”
At that point, events became almost surreal. As Jones watched the COP, the SM-6s streaked across the display, disappearing as each connected with the symbol for a hostile ship.
As the Super Hornets began their attack run under the cover of jamming provided by EA-18 Growlers, it looked as if the SM-6s had been ineffective. Then one of the ships vanished from the Red COP. Hopefully that meant a kill, he thought. It didn’t take long before the F/A-18s delivered the second blow. The battle damage assessment by one of the aircraft confirmed one Red vessel sunk, one moderately damaged, and one severely damaged, with visible fires on board. Both surviving vessels were reported on a westerly course exiting the Whiskey operating area, confirmed by indications on the Red COP.
As Jones sipped the last of his now-cold coffee, he thought of his earlier prediction. This conflict did hinge on information. And cyber operations were critical to that fight—and critical to the CSG’s maritime superiority mission.
Cyberspace Operations for the Tactical Operator
A number of cyber capabilities highlighted in this fictitious scenario would improve maritime warfighting effectiveness. While the story is crafted around CSG operations, the cyber capabilities depicted would be applicable to any maritime tactical force.
Procedures and Status
Tactical operators benefit greatly from clear, streamlined procedures and status indications. Cyber procedures should allow tactical operators to perform sequenced actions to secure or defend ships’ equipment (including hull, mechanical, and electrical systems) from cyberspace threats without a need to understand the underlying technical details (Commander Jones’ “technical stuff”). For example, the story’s CyberSafe conditions could convey the extent of off-hull connectivity and isolation of non-mission-critical systems. To enable tactical operators to perform cyberspace procedures easily, automation of sequenced technical actions to modify the cyber-defense posture of single or multiple systems would be necessary.
In addition, tactical operators need the ability to report cyber status succinctly, from individual equipment up to whole CSGs, in terms meaningful to commanders and other tactical operators. The proposed CyberSafe conditions show how cyber status could be defined to enable clarity and concision. Such reporting must extend beyond verbal reports; therefore, visualization capabilities that clearly display operationally relevant cyber status should be available to tactical operators.
Mission Assurance
Department of Defense Directive 3020.40, “Mission Assurance,” defines ensuring the continued function and resilience of systems in the face of adverse operating environments or conditions as critical. As a result, any mission-essential system must be built with redundancies or alternative systems to provide mission assurance sufficient for the threats and vulnerabilities relevant to that system.
The CSG information warfare team’s ability to detect and block the Red beaconing activity showed their capability to provide mission assurance. The team mitigated the malware without having to shut down the generator, allowing mission-essential functions to continue. Tactical operators expect that kind of mission assurance in cyberspace, even for equipment not usually considered part of a traditional server-workstation network, such as the generator control system mentioned.
Commercial service providers also have a role to play in mission assurance. A significant portion of the Navy’s data transport—both terrestrial and satellite—travels on commercially leased circuits. The expectation of tactical operators is that these commercial entities are capable of assuring sufficient availability and reliability for data transport, data hosting, and cloud services. As a result, mission assurance requires that availability and reliability provisions should be included in service contracts.
High-Quality Tactical Intelligence
Cyberspace provides unique opportunities to collect intelligence on the tactical activities of an adversary. In the story, the ability to access and observe the Red COP remotely provides the detailed intelligence the CSG commander needs to enable action. Real-world tactical operators desire such accuracy and precision, and cyber operations can provide it in near-real time through access to an adversary’s tactical systems.
Gaining access to such tactically detailed intelligence is challenging and is only facilitated by high-quality intelligence about the target network, elements not discussed in the story. Clearly, protection of capabilities and access during periods of steady-state operations is critical. However, during times of crisis, tactical operators expect that protective barriers, such as compartmentalization, should not restrict the employment of relevant capabilities or the flow of intelligence to support the tactical fight.
Seamlessly Integrated Effects
Tactical operators value cyberspace capabilities when the effects generated are operationally significant and easily integrated and synchronized with effects produced in other domains. In the story, the CSG and Tenth Fleet IW team injected false tracks into the Red COP to create advantageous positioning for the F/A-18 strike. The scenario also illustrates the integration and synchronization of cyberspace capabilities that are not organic to the tactical unit—the Growlers limit Red sensor effectiveness, but the information warfare team confused the Red COP first. Absent integration and synchronization with capabilities across other domains, the potential of cyberspace capabilities will not be fully realized.
To achieve this, tactical operators must be able to call for cyber fires that generate effects to advance the mission objectives. Who controls the capability or holds the relevant release authorities should be resolved before the shooting starts.
Tactical Perspective for the Cyberspace Operator
Cyber Isn’t Special
Cyberspace operations and capabilities should not be considered separate from traditional maritime warfare. Cyber operators must embrace a tactical operator’s perspective, driving to integrate their own capabilities with every applicable aspect of maritime warfare. Defensive cyber capabilities must be viewed as critical to a tactical unit’s self-defense, while offensive ones support achieving the commander’s intent.
Furthermore, information warfare teams should seek to plan, communicate, and execute cyberspace operations using the concepts and lexicon of traditional maritime warfare. Continuing to treat cyberspace operations and capabilities as special will significantly hinder integration and synchronization with actions in other domains, fail to address tactical operators’ expectations, and diminish effective contribution to maritime warfare.
Education Is Key
Cyberspace is a dynamic domain, with constantly changing technologies and an ever-evolving operating environment. The immaturity of cyberspace warfighting results in frequent changes to tactics, techniques, and procedures. As a result, cyberspace operators must commit to continual learning to remain operationally effective. But formal education programs are insufficient to handle the volume or rate of change required. Achieving the high-velocity learning necessary for effective cyber operations requires operators with the initiative to educate themselves across a range of relevant topics.
Information warfare professionals must commit not only to learning, but also to teaching. Effective cyberspace operators must be prepared to educate the tactical operators around them on how to integrate cyber capabilities with other domains and to be clear about cyber limitations and complexities. Operators must understand the significant time and resource investments required to develop and maintain reliable access to and capability in a target system.
Cyberspace operators must be ready to educate each other as well as tactical operators on new technologies, threats, emerging capabilities, and evolving tactics, techniques, and procedures. Ever-emerging challenges within the domain often make peers the best source of knowledge for other operators.
Convergence: One Fight, One Team
Sea power and cyber power are converging as traditional maritime warfighting becomes increasingly dependent on information systems and networked capabilities. Both tactical and cyberspace operators have work to do to take advantage of this convergence for maritime warfighting. Tactical operators must demand the integration of cyberspace operations with those occurring in other domains. Cyber operators similarly must drive the evolution of authorities and concepts that integrate—not isolate—cyberspace with warfighting in other domains. Tactical and cyber operators should look to each other as warfighting experts.
As Admiral John Richardson’s “A Design for Maintaining Maritime Superiority (Version 2.0)” makes clear, the competitive space has expanded—including into cyberspace—and margins of victory are razor thin. The Navy successfully adapted to the emergence of the undersea and air domains, as fast as or faster than its adversaries, becoming the leading innovator of maritime warfare capabilities and concepts within both areas. Cyberspace must prove no different if the Navy is to strengthen its power and reach.