Tuesday, September 8, 2024

Thinking About Cyber and Networking Resiliency


I’m well over a month late writing about the July 2015 issue of USNI Proceedings. Simply put, it contains three of the finest pieces about operating under cyber-electromagnetic opposition I’ve read in a long time. I’ll be talking about two of them today and the third one later this week.
First up is LCDR Brian Evans’s and Pratik Joshi’s outstanding article “From Readiness to Resiliency.” Evans and Joshi note that past Navy cyberdefense efforts primarily focused on unit-level compliance with information assurance measures such as firewall configurations, network configuration management and behavior monitoring, physical security protections, and regular ‘hygiene’ training for users. While these kinds of measures continue to be critically important in that they deny adversaries ‘cheap and easy’ attack vectors for exploiting Navy networks and systems, the authors observe that no cyberdefense can hope to keep an intelligent, determined, and adequately resourced adversary out forever. According to the authors, last fall the Navy’s nascent Task Force Cyber Awakening concluded (correctly, I might add) that the Navy’s systems, networks, and personnel must be able to continue operating effectively, albeit with graceful degradation, in the face of cyberattacks. In other words, they must become resilient.
Evans and Joshi essentially outline a concept for shipboard “cyber damage control.” They describe how the longstanding shipboard material readiness conditions X-RAY, YOKE, and ZEBRA can also be applied to shipboard networks: crews can proactively shut down selected internal and external network connections as tactical circumstances warrant, or they can do so reactively if cyber exploitation is suspected. The authors outline how crews will be able to segment networks and isolate mission-critical systems from less-critical systems, or isolate compromised systems from uncompromised systems, much like damaged compartments can be isolated to prevent the spread of fire, smoke, or flooding. The authors go on to discuss how damage isolation must be followed by repair efforts, and how knowledge of a system’s or network segment’s last known good state can be used to recognize what an attacker has exploited, and how, in order to aid restoration. It stands to reason that affected systems and network segments might additionally be restorable by crews to a known good state, or at least into a “safe state” that trades gracefully degraded non-critical functionality for sustainment of critical functions.
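To make the “last known good state” idea concrete, here is an added example (my own illustration, not code from Evans and Joshi or from any Navy system). It assumes a network segment where each host’s configuration files are hashed into a manifest, an offline copy of the last known good manifest and files is kept, and the crew has designated which hosts are mission-critical. Comparing the live manifest against the baseline tells damage control which files were altered, added, or deleted; the plan then keeps clean hosts connected, restores drifted critical hosts from the baseline, and isolates drifted non-critical hosts for later repair. All host names, paths, addresses, and file contents are constructed sample data.

```python
import hashlib
from dataclasses import dataclass, field

Files = dict[str, bytes]      # path -> file contents
Manifest = dict[str, str]     # path -> sha256 hex digest


def build_manifest(files: Files) -> Manifest:
    """Hash every configuration file so state can be compared without keeping copies online."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


@dataclass
class Drift:
    modified: list[str] = field(default_factory=list)  # present in both, contents differ
    added: list[str] = field(default_factory=list)     # present live, absent from baseline
    removed: list[str] = field(default_factory=list)   # present in baseline, missing live

    def clean(self) -> bool:
        return not (self.modified or self.added or self.removed)


def compare(baseline: Manifest, current: Manifest) -> Drift:
    """Diff the live manifest against the last known good one."""
    drift = Drift()
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            drift.removed.append(path)
        elif path not in baseline:
            drift.added.append(path)
        elif baseline[path] != current[path]:
            drift.modified.append(path)
    return drift


def assess_segment(known_good: dict[str, Files], live: dict[str, Files]) -> dict[str, Drift]:
    """Run the comparison for every host in a network segment (a missing host counts as fully removed)."""
    return {
        host: compare(build_manifest(known_good[host]), build_manifest(live.get(host, {})))
        for host in known_good
    }


def isolation_plan(assessment: dict[str, Drift], critical: set[str]) -> dict[str, str]:
    """Damage-control action per host:
    'keep'    - no drift, leave connected
    'restore' - critical host with drift, bring it back to the known good state
    'isolate' - non-critical host with drift, cut its links and repair later
    """
    plan = {}
    for host, drift in assessment.items():
        if drift.clean():
            plan[host] = "keep"
        elif host in critical:
            plan[host] = "restore"
        else:
            plan[host] = "isolate"
    return plan


def restore_host(known_good: Files, live: Files) -> tuple[Files, list[str]]:
    """Return the host's files reset to the baseline image plus a log of what was undone."""
    drift = compare(build_manifest(known_good), build_manifest(live))
    actions = ([f"rewrote {p}" for p in drift.modified]
               + [f"deleted {p}" for p in drift.added]
               + [f"recreated {p}" for p in drift.removed])
    return dict(known_good), actions


# Constructed sample segment: the offline baseline and what the live hosts report now.
KNOWN_GOOD: dict[str, Files] = {
    "nav-01": {"/etc/ntp.conf": b"server 10.1.0.5 iburst\n",
               "/opt/nav/routes.cfg": b"waypoints=12\n"},
    "log-01": {"/etc/rsyslog.conf": b"*.* @10.1.0.20:514\n"},
    "mail-01": {"/etc/postfix/main.cf": b"relayhost=10.1.0.30\n",
                "/etc/postfix/access": b"10.1.0.0/24 OK\n"},
}
LIVE: dict[str, Files] = {
    "nav-01": {"/etc/ntp.conf": b"server 203.0.113.9 iburst\n",    # time source redirected
               "/opt/nav/routes.cfg": b"waypoints=12\n",
               "/tmp/.cache": b"unexpected\n"},                    # file the baseline never had
    "log-01": {"/etc/rsyslog.conf": b"*.* @10.1.0.20:514\n"},      # untouched
    "mail-01": {"/etc/postfix/main.cf": b"relayhost=10.1.0.30\n"}, # access list deleted
}
CRITICAL = {"nav-01"}


def demo() -> dict[str, str]:
    """Assess the sample segment and return the per-host plan."""
    return isolation_plan(assess_segment(KNOWN_GOOD, LIVE), CRITICAL)


if __name__ == "__main__":
    for host, action in demo().items():
        print(f"{host}: {action}")
    _, log = restore_host(KNOWN_GOOD["nav-01"], LIVE["nav-01"])
    print("nav-01 restoration:", "; ".join(log))
```

The baseline manifest holds only hashes, so it can be stored and checked from a medium that is not reachable from the network being assessed; the full known-good files are needed only when a restore is actually ordered.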
It’s important to keep in mind, though, that resilience requires more than just technological and procedural measures. When I was an Ensign on USS First Ship in 2001, many crewmembers would tell me of the “Refresher Training” at Guantanamo Bay that Atlantic Fleet ships went through up until budget cutbacks ended the program in the mid-1990s or so. At REFTRA, the assessors would put ships through exacting combat drills in which chaotic attacks, major damage, and grievous casualties were simulated in order to expose crews to the most stress possible short of actual battle. According to some of the senior enlisted I served with, it wasn’t unusual for the assessors to “cripple” a ship’s fighting capacity or “kill off” much of a watchteam or a damage control party to see how the “survivors” reacted. Some ships were supposedly tethered to Guantanamo for weeks on end until the assessors were convinced that the crews had demonstrated adequate combat conditioning—and thus a greater potential for combat resilience. This kind of training intensity must be restored, preferably by shipboard leaders themselves, with the 21st Century addition of exposing their crews to the challenges of fighting through cyberattacks. Perhaps a scenario might involve intensive simulation of system malfunctions as a pierside ship rushes to prepare to sortie during an escalating crisis. Or perhaps it might involve simulated malfunctions at sea as “logic bombs” or an “insider attack” are unleashed. Evans and Joshi allude to the cyber-conditioning angle in the fictional future shipboard training drill they use to close their article. One hopes that Task Force Cyber Awakening is in fact exploring how to develop the psychological aspect of resilience within the fleet.
This leads nicely into the July issue’s other excellent technical article on network resilience, CDR John Dahm’s “Next Exit: Joint Information Environment.” CDR Dahm argues that even if the Defense Department were to successfully consolidate and standardize the services’ information infrastructures within the most hardened of citadels, this Joint Information Environment (JIE) would still only be as combat-effective as the security of the communication pathways connecting that citadel to forces in the field. He relates a fictional saga in which a near-peer adversary wins a limited war by severing the U.S. military’s satellite communications pathways as well as the oceanic fiber optic cables connecting Guam and Okinawa to the internet. He correctly notes that the “transmission layer” connecting deployed U.S. forces and theater/national intelligence, surveillance, and reconnaissance assets with the JIE presents the most vulnerable segment of the entire JIE concept. He alludes to the fact that a force that is dependent upon exterior lines of networking is essentially setting itself up for ruin if an adversary lands effective physical, electronic, or cyber attacks against any critical link in the communications chain. He closes by observing that “the communications necessary to support a cloud-based network architecture cannot simply be assumed,” with the implication being that the JIE concept must be expanded to encompass the transmission layer if it is to be successful in a major war.
We know that just as there can never be such a thing as an impregnable “information citadel,” there is no way to make any communications pathway completely secure from disruption, penetration, or exploitation. We can certainly use measures such as highly-directional line-of-sight communications systems and low probability of intercept communications techniques to make it exceedingly difficult for an adversary to detect and exploit our communications pathways. We can also use longstanding measures such as high frequency encoded broadcast as a one-way method of communicating operational orders and critical intelligence from higher-level command echelons to deployed forces. But both reduce the amount of information flowing to those forces to a trickle compared to what they are used to receiving when unopposed, and the latter cuts off the higher echelon commander from knowledge that the information he or she had transmitted has been received, correctly interpreted, and properly implemented. And neither method is unequivocally free from the risk of effective adversary attack. What’s needed, then, is a foundation of resilience built upon a force-wide culture of mission command. That may be outside the JIE concept’s scope, but it will be integral to its success.


The views expressed herein are solely those of the author and are presented in his personal capacity. They do not reflect the official positions of Systems Planning and Analysis, and to the author’s knowledge do not reflect the policies or positions of the U.S. Department of Defense, any U.S. armed service, or any other U.S. Government agency.
