This is the continuation of a story begun on our August 2015 Home Page.
The problem of fighting a cyberwar is that there is no effective way of
separating warfare involving civilian targets from warfare involving military
ones… whether the fighting is being done by us towards a third party
adversary, or by them towards us. Because of this, the U.S. military must be
able to fight both a civilian cyberwar, and a military one, and in fact mix the
two fluidly as the war (or battle) progresses. At this point in time, based on how America
has structured its military, doing this would be an impossibility. That is, there is
no way in hell that the U.S. military would be allowed to insert itself into,
say, the civilian
operations of an American company, to take over that company's defense of its
cyber assets, to either defend the company from attack, or use it as a base from which to
counter attack the enemy that started the cyber war.
Can you see the problem inherent in the U.S. military helping to fight cyber
wars mounted against American civilian corporations? Yet the civilian sphere of
influence is not the only area in which enemies of America can wage cyberwar. Two paragraphs up we listed America’s economy,
political system, ability to govern and manage itself, privacy and security,
system of beliefs, and very way of life as being under threat of cyberwarfare.
What this means is that any enemy of America that wishes to can wage a cyber war
against any of these seven key areas, and because of how the American military
is organized within the hierarchy of our federal government, it would be all but
impossible for our military to step forward to take the frontline position in
fighting a cyber battle mounted against almost any of these seven key areas.
One can see the extent of this truth by looking at just one example: the case of
America’s "way of life." How can the U.S. military step in to wage cyberwarfare
against enemies trying to undermine America's way of life? By giving you the
example below, we hope to make two points: first, that America's way of life is
under attack from cyberwarfare, and second, that the U.S. military is needed to
help formulate and implement a plan to stop these attacks from breaking the
fabric that holds America's way of life together.
To keep things simple, we will use just one example of a part of America's "way
of life" that is under threat. As our example we will use the case of how
parents rear their children. Surely, all would agree that the American approach
to raising a child is part and parcel of "the American way of life."
In using this example, let us take this position: on the issue of "parenting,"
America’s way of life is under threat via cyberwar activities. Again, our view
is that the way by which American
parents bring up their children is being threatened, and it is being threatened
through the use of cyber activities being conducted by America's enemies. In
particular, the cyber activities being used to undermine this part of America's
way of life fabric are being enabled through cyber communications. One byproduct
of this is that, as a result, today external sources are able to interfere with a parent’s
efforts in rearing their adolescent child, by using cyber communication to redirect that child’s energies
away from the
traditional pursuits a parent would encourage towards things like terrorism.
In the past American parents could govern their children using age old
techniques, from praise and limit-setting to discipline and more. Today those
techniques may work for forcing compliance in homework studies, and dating, but
they have no impact on the child when it comes to the ideas and values he or she might
internalize through his or her interaction with the internet and social networks. One
need only look at the ability of ISIS cyber-warriors to reach out to American
youth… in their own home… in their own bedroom… without their parents’
knowledge… and indoctrinate them to the point that they will take terrorist
actions against soft, local targets, to see the truth in this. If this is not an
example of cyberwarfare threatening the very way of life of Americans, what is?[1]
How can the U.S. military fight this?
Clearly, if the U.S. military is going to stand up an organization to fight
cyberwars, it must have a civilian component to it as well as a military one.
Cyberwar as fought by America can’t be limited to simply military matters,
because the damage the enemy does to us takes place in both the civilian and
military realm, and that damage is inflicted by actions that take place in both
civilian and military domains.
What are these domains? They are the domains that encompass data and the means
by which it is propagated.
Yes, we understand that there is a difference between military data and means of
communication, and that of civilians, as well as that used by civilian
government agencies… but when it comes to all of these forms of data (and the
forms of communication that propagate them), the line that separates them is not
just grey but fuzzy in the extreme.
Is the data and communication that emanates from the White House civilian, or
does it have a military component to it? What about the data and communication that
comes from the Office of the Secretary of State? Did the private servers that
Hillary Clinton maintained at her home in New York, on which she stored not just
her eMails but the government information (read: data) contained within the text
and attachments of those eMails... about the topics she worked on
as Secretary of State... contain data that had a military component? Does anyone
really believe that the Chinese didn’t hack those servers? Did her daughter,
when visiting, use PCs within the house that connected her to the outside world
through those servers? How does one separate the 1s and 0s that made up all of
that data… their data streams… into data and communication that was civilian
versus government versus military?
You see our point? In today’s world, all forms of government data and
communication contain elements of military data and communication, and because
of the way people use these systems both at home and at work, personal or
civilian data and communication too. There is no way to separate the three. And
that being the case, the U.S. military… if it is going to have the mission of
protecting America by stopping cyberwarfare being waged against it… needs to set
up a new paradigm that allows it to work within these three areas.
Setting up one agency to defend against (and counter) cyberwarfare aimed at
American citizens, another to defend against (and counter) cyberwarfare aimed at
our civilian and federal government systems, and a third to just handle military
cyber issues won’t work. Data and communication, the primary weapons of
cyberwarfare, are amorphous and cross all lines of society. The agency that is
set up to counter the kind of warfare that can be fought via these means must be
amorphous too.
In our view, the U.S. military needs to be the one that takes the lead when it
comes to waging cyberwar… commercial cyberwar, civilian cyberwar, government cyberwar, and military
cyberwar.
Further, we make the case that when it comes to cyberwarfare no longer should the
U.S. military be relegated to defending against and fighting battles that are
simply battlefield, state actor-to-state actor, or military-to-military
related. Now, because of the ubiquity of government data being found inside of
military data… military data being subsumed within government documents and
data… and as important, the use by America’s enemies of cyber systems able to
reach into the homes of American citizens and wage cyberwarfare directly against
them, the U.S. military needs to take the lead in designing, integrating,
building, managing and operating the systems required to stop such forms of
warfare.[2]
If you add to this issue of government versus military and civilian forms of
data and communication the matter of commercial versus
government/military/civilian data, you can begin to see why America has, to
date, developed little more than, at best, an inelegant and clumsy approach to
stopping these activities. The reason is that there is no precedent for our
federal government telling our military to build a new form of war fighting
capability where the military has carte blanche to reach into… on a daily basis…
the data and communication infrastructure of these four entities
(government, military, civilian, commercial). Put another way, as of now there is
no clear cut divide as to how the United States should respond to commercial vs.
civilian vs. government vs. military espionage… or who within the U.S. should
respond in each case.
A solution is needed. We believe that the Signal Corps should play a major role
in creating, building, implementing and managing that solution. Before looking
at how the Signal Corps can do this though, we should look more closely at
exactly who is at risk from this new type of warfare. By doing so, we will gain
a better understanding of what role the Signal Corps should play.
The Reality of Cyberwarfare
Peter W. Singer, a writer for a technology blog, tells the story of “a senior
official in the Syrian government” who, in 2006, “brought his computer with him
on a visit to London. One day, he stepped out of the hotel and left the laptop
behind. While he was out, agents from Mossad, the Israeli intelligence agency,
snuck into his room and installed a Trojan horse onto the machine, which allowed
them to monitor any communications.
“For the Syrians, that would have been bad enough, but when the Israelis began
to examine the official’s files, a photo caught their attention. It showed an
Asian man in a blue tracksuit standing next to an Arab man in the middle of the
desert. It could have been an innocuous meeting of friends, even a vacation
photo. But Mossad identified the two men as Chon Chibu, a leader of North
Korea’s nuclear program, and Ibrahim Othman, director of the Syrian Atomic
Energy Commission. When they paired the image with other documents lifted from
the hard drive, such as construction plans and photos of a type of pipe used for
work on fissile material, the Israelis came to a disturbing conclusion: With aid
from North Korea, the Syrians were secretly constructing a facility at al Kibar
to process plutonium, a crucial step in assembling a nuclear bomb. An
International Atomic Energy Agency investigation would later confirm their
suspicions.
“Troubled
by this revelation about their openly hostile neighbors, the Israelis mounted
Operation Orchard. Just after midnight on September 6, 2007, seven Israeli F-15I
fighter jets crossed into Syrian airspace. They flew hundreds of miles into
enemy territory and dropped several bombs, leveling the Kibar complex. The
Syrian air-defense network never fired a shot."
As Singer goes on to say, “The security failure wasn’t because all Syrian radar
officers turned traitor that night. Rather, their technology did. If planting
the Trojan horse into the Syrian official’s laptop was an act of cyberespionage—uncovering
secret information by digital means—Operation Orchard was its armed cousin.
Prior to the bombing, the Israelis had penetrated the Syrian military’s computer
network in such a way that they could monitor their adversaries’ actions. More
importantly, the Israelis were able to direct their own data streams into the
air-defense network. Once inside, the Israelis introduced a false image of a
radar screen, misleading Syrian radar operators into believing all was well—even
as enemy jets flew deep into their airspace. By effectively turning off Syria’s
air defenses for the night, the Israelis gave the world a chilling glimpse of
the future of cyberwar.”
Our question: how do we know the Chinese didn’t do something similar to what the
Israelis did to Syria (when the Israelis inserted malware into the Syrian
government computer network) when last year they broke into the U.S.’ own Office of
Personnel Management computer system and stole the private details of over 22.1
million government employees?
Why would they do that, you ask? Who knows… perhaps such a route would enable
them to gain copies of every eMail written or stored in the servers supporting
every eMail account related to every U.S. government employee whose eMail
address was in turn stored in the OPM computer system the Chinese hacked. All
22.1 million of them. Now, wouldn’t that be useful to the Chinese?
You see the problem? While what the Chinese did may seem low level and innocuous
on the surface, one can easily see via the Israeli–Syria story the extent to
which such innocent hacking, when done at the national level, can quickly lead
to very real examples of nothing short of acts of war. This then is what we talk
of when we call this kind of activity cyberwarfare, and call for it to come
under the purview of the U.S. military… and for the Signal Corps to play a
greater role in addressing it than it does now.
Cyberwarfare: A New Kind Of Warfare
But what exactly is cyberwarfare? The mainstream media uses the term
cyberwarfare to describe everything from large-scale, Web-based crime to the
latest online maneuverings ISIS uses to promote its cause. Yet few explain in
what manner these activities hold a connection to actual military operations.
For the most part, this is not a problem. However, when nation states… including
rogue actors like ISIS that claim for themselves the aura of a nation state… or
Boko Haram, for that matter… develop the ability to unleash their forces
onto a digital battlefield, they carry the potential to reshape warfare as much
as happened when a hundred years ago civilian airplanes were turned into
military machines. The fact is, technology is amorphous. It will expand to fill
any void that it finds. Develop a new technology that is good for society, and
watch… soon it will seep into and expand to fill the void left behind by some
old technology that is no longer useful in warfare. Cyber technology is doing
just that.
At the moment, over 100 of the world’s militaries have in place an organization
dedicated to fighting cyberwarfare. Of far greater concern, over 140 countries
have organizations dedicated to developing cyber weapons! The U.S. is no exception. The Fort Meade
complex in Maryland, home to the NSA and the U.S. Cyber Command (USCYBERCOM), contains more personnel
than the Pentagon. China, which embarked on this kind of an exercise long before
we did, houses its Fort Meade equivalent on Datong Road, in Shanghai. This
author has seen the Datong Road facility, and while small, it is impressive in
intensity… and might we say, security. Go to any street corner within the city,
from which you can see and take a picture of the building, and you are likely as
not to find a Chinese Communist Gong-An policeman standing there, taking a
picture of you trying to take a picture of the building. Unit 61398, the
Chinese group that is most usually linked to hacks on everything from U.S.
military communications to the New York Times’ internal eMail system, is located
in the Datong Road facility.
Classified by the Chinese military as an Advanced Persistent Threat Unit, while
the size, scale, training and budget of Unit 61398 (Chinese: 61398部队, Pinyin:
61398 bùduì) may be different than that of our
own NSA and Cyber Command, their goals are the same: to destroy, deny, degrade,
disrupt, and deceive. And of course, added to this is the additional duty
of defending the homeland—in this case China—against any enemy’s use of
cyberspace, for the same purpose.
Within China, this paradigm is known as the “five D’s plus one.”
In addition to Unit 61398 the Chinese government has formed a federal level
agency known as the Central Leading Group For Cyberspace Affairs. This group
reports directly to the country's President, and works with him to set cyber
policies on all matters from cyberwarfare to the internet. Adding to this, to
assure that cyber policy is fully implemented, China recently formed a
government agency called the Cyberspace Administration of China. At the highest
level of government, it oversees all aspects of cyber policy and use, including
directing military cyberwarfare and hacking efforts. To back up China's
determination to excel in cyberwarfare, the Cyberspace Administration expanded
the Third Department of the PLA's General Staff Department by over 100,000
cyberspies, hackers and digital linguists.
Where, we ask, is such a coordinated, dedicated, single minded, mission focused
cyber affairs group in our government?
Our concern then is who within America’s government should be spearheading this
kind of mission, and what roles it should be playing? It’s not that what those
rare elements of our military's cyber activities are doing at present is so bad,
it’s that there needs to be much more, and the work being done needs to be much
better… significantly better… and much better organized across all societal
elements… and more thorough if it is going to be effective. What we have now is
good for a starter, but it is being built by the wrong people, to fight the
wrong war.
For example, over the past few years the U.S. has moved aggressively against
foreign governments accused of stealing corporate secrets from major U.S. firms,
but less aggressively against the same kind of activity when the target is the
government itself. In 2014 the Justice Department filed criminal charges against
five Chinese military officers accused of involvement in hacks that targeted
U.S. Steel, Westinghouse and other companies. But no action has been taken
against China regarding the OPM hack.
One reason for this is the simple fact that the U.S. government is doing the
same… hacking into China’s systems, and stealing their data. So does this mean
that this kind of activity does not rise to the level of cyberwarfare? We can
understand that economic espionage is different than government espionage done
for military purposes, but as our earlier Israeli–Syrian story showed, the line
becomes blurry when military activities result from civilian espionage and
hacking. So, while U.S. spy agencies are supposed to not involve themselves in
economic espionage, the simple fact is that if they are to combat, say, China’s
attempts to hack Westinghouse, then they are going to be playing in an arena
that requires them to be able to mount a forceful response when the adversary
they face is a foreign, state sponsored adversary... especially if that
adversary is seeking military secrets from commercial American companies.
If you ask us, it’s time that America redefine what constitutes espionage, as it
relates to hacking, commercial espionage, government espionage, cyber security,
and cyberwarfare. The simple fact is that while we may make a distinction
between commercial and government espionage, most of America's adversaries do not. And
considering that companies like Westinghouse house within their data systems
both non-military and military secrets, of both commercial and non-commercial
kinds, trying to hang onto an old 1950s definition of what constitutes
commercial versus military espionage makes no sense.
It’s time we redefine these terms, and wherever the case can be made that the
entity involved (whether a commercial U.S. company, a private citizen, or a
government agency) has in their possession information of military utility, or
is part of some activity that could have consequences for the U.S. military or
government, then the hacking or cyber events surrounding that “entity” should
come under the purview of the U.S. military. And just so that we are clear here,
any adversary that tries to recruit through the cyber universe American citizens
to fight for their cause is doing something that should fall within the purview
of the U.S. military, because while the target in question might be an unknowing
and innocent U.S. citizen/civilian, the activity being planned for them by the
recruiting entity will impact the U.S. government and/or military.
This kind of activity is the essence of cyberwarfare; it constitutes a warring
activity, not a civilian crime. It is therefore military in nature.
As of today though, the U.S. doesn't see it this way. While things may change,
the Obama administration currently sees these kinds of activities as civilian
crimes. If America is to become serious about thwarting cyberwarfare, it is
going to have to change its view on what constitutes cyberwarfare, and who
should be fighting it. The U.S. court system is not the ideal venue within which
to challenge China's hacking of commercial American interests, never mind our
central government.
The fact is, while the United States may be adhering to unwritten rules that
separate these kinds of activities, other countries are not. ISIS is one
example, but so is China. In the case of China, the U.S. taking action against
China for its espionage with respect to Westinghouse, but not the Office of
Personnel Management, makes no sense. By playing the game this way America risks
sending a signal that it is willing to go further to defend the secrets of
American industry than it is to protect either the employees of federal
agencies, or our government as a whole.
It’s time that Washington redefine cyberwarfare, and put the military in full
charge of it.
Cyberwarfare, A Definition
To make sure we are all talking about the same thing then, let’s start with a
definition of cyberwarfare, and work on it until it fits our needs.
Cyberwarfare involves the actions of a nation-state, international organization,
group or individual, in attacking or attempting to gain access to key elements
of a nation's commercial, civilian or government infrastructure, including its
people, for the purpose of diverting those assets to its own benefit, whether in
a way that is detrimental to the commercial, civilian, government or personal
entities involved or not, where such attempt to attack or gain access is done
via computers, information systems, digital and/or analog networks, data bases,
data warehouses, or any other “cyber” means. While not a precedent to the
determination that an activity constitutes cyberwarfare, any such action that
involves active real time hacking attempts, and/or the placement of computer
command and control programs, systems, viruses, denial-of-service attacks or the
like, should immediately be considered an act of cyberwarfare against the
United States of America.
To see what we are talking about here, one need only imagine that China launches
a cyber attack on America… tomorrow. In this example, the purpose of China’s
attack is to confound America’s civilian banking and stock market processing
system(s) in a way that could cripple America’s financial sector… perhaps as a
means of lessening the economic impact of its own recent
stock market crash, and/or to maintain social stability within its own
country.
Does this kind of activity merit a military response? Our current government
would say no. Our answer would be an unequivocal yes… after all, the activity
involves a planned incursion by another country into America’s economic system,
for the purpose of causing a degradation in America’s economic strength, in such
a manner that it benefits the attacking country. As to why this should amount to
cyberwarfare, it’s because such an activity would undermine America’s true
power, as well as its world wide “quiet” power.
For starters then, we would say that the U.S. government should define cyberwar
as being of a kind that is "as harmful to modern societies as a conventional
attack," a definition we happen to have taken from a recently released NATO position paper.[3] Attacks of this nature should be assigned for a response to
the U.S. military, no matter how innocuous the attack may seem, whether it
succeeds or not, or whether the only people impacted are within America’s
commercial or civilian sphere, or not. Cyberwarfare activities do not need to
involve kinetics then to be considered an act of war… all they have to do is
threaten another country’s well being. When that happens, a response is called
for, and the American military should mount that response… whether kinetic, in
kind, or both.
To see our reasoning behind this, and our definition above, one need only look
at a recent incident involving Russia and Estonia. In our view, the actions
that Russia took in response to an act taken by the Estonian government, wholly within its
territorial boundaries, crossed over the threshold between civilian cyber
mischief and cyberwarfare. While no kinetics were involved, Russia’s
activities—fully underwritten and performed by the government of Russia—were
equivalent to conventional warfare.
The incident was as follows: on April 27, 2007, Estonia, a NATO member,
relocated a Soviet-era war memorial from its place of prominence in one of its
city centers to another location less obvious. Within hours a large-scale denial
of service attack (technically known as a DDoS) was mounted by Russia. The
campaign targeted the websites of Estonian government departments, banks,
telecoms, and news organizations. Many sites were completely shut down, while
others were defaced with crude remarks, profanity and more. Worse, unlike a
mischievous attempt on the part of some disgruntled hacker group to play pranks,
these attacks continued for weeks, essentially shutting down the Estonian
banking sector for over a month, as well as preventing the people from having
access to their own government. Further, attacks on the country’s telephone
infrastructure shut down the national telephone system (for both land lines and
mobile communication), thus preventing Estonians from being able to make basic
phone calls, or even call for help. And finally, to add insult to injury,
attacks on the country’s news infrastructure prevented the country’s people from
finding out what was going on.
This doesn’t rise to the level of a cyberwar, you say? Consider this then, what
would the equivalent of this kind of activity be in kinetic warfare? Our answer:
bombing of the country’s telephone infrastructure, invading the country and
taking over its banks, locking their doors and looting their vaults. And in the
case of the government, decapitating its leadership in such a way that the
people no longer had access to their elected officials… perhaps by arresting them
and confining them to their rooms until the “invasion” was over.
Clearly, while no dead bodies littered the streets of Estonia in this attack,
the impact of Russia’s actions was no different than if it had rolled tanks
down the streets of Tallinn or Tartu. In our view, this cyber crime rises to the
level of cyberwarfare.
Is the Russia–Estonia incident any different than what China did when it broke into the cyber system
that underlies America’s Office of Personnel Management? We think not.
How does one define cyberwarfare then? Earlier we offered our view, but what
exactly are the limits to this definition? To answer that question, we propose
that cyberwarfare be defined on the basis of four dimensions: the impact of a
nation’s aggressive actions against another with regard to the matters of intent
to harm (as measured by the country coming under attack), information and data
confidentiality, the availability of data, and the nation’s integrity.
Again, examples will help us make our point.
As we mean it here, confidentiality refers to the principle
that sensitive data should be kept out of the wrong hands. As ex-military
officers, we Signal Corps guys understand this. After all, we were the first to
propose that confidential information be classified according to its level of
confidential importance. Breaches of confidentiality form the
most common type of cyber attack. If we use the case of the claim that the Chinese hacked
Lockheed’s systems and stole blueprints for the new F-35 aircraft, we can
see this truth coming home to roost.
The simple fact is, if it weren’t for cyberwarfare, getting their hands on such
information would have required kinetic military action… whether via drugs and
prostitution (low level kinetics, but kinetics nevertheless), or an invasion. As
to the importance of what the Chinese accomplished, without doubt this attack
produced a massive, real strategic loss for the U.S. Already the Chinese have
begun to use the information they stole to
improve their aircraft weapon systems.
But perhaps more importantly, they are using the information to build better
defense capabilities into their air defense systems… to thwart those
capabilities they now know the F-35 contains.
Is this not then an act of war, for
one country to take such information by stealth and deceit from another? And if
your answer is that it is nothing more than routine espionage, then doesn’t the
level of confidentiality (from a military perspective) as defined with respect
to how America classifies this information, not the Chinese, raise this action
to the level of an act of war? And if you still continue to say that this form
of espionage is nothing but routine and nowhere near an act of war, then doesn’t
the fact that the Department of Defense was the intended victim make it, again, an
act of war?
In our view, this is no different than what Bradley Manning did when
he released confidential military secrets… and he’s sitting in jail for his
actions… a military jail, because he performed a traitorous act… i.e., an act of
war against his own country. Well, if you are a country and perform such an act,
and, because you are a country instead of an individual, obviously not a
member of the U.S. military, then instead of your act being traitorous, isn’t it
an act of war?
Yes, it is... and even more to the point, the fact is, as the law stands today, confidentiality breaches
are treated as crimes. This means that when they occur within the realm of
military secrets they constitute an act of war.
The next criterion we would focus on that helps explain when cyber activities
constitute an act of war deals with the concept that data must be allowed to be
available to its users. In the case of the DDoS campaign by Russia against
Estonia, we can see an example of an attack that compromised the availability
of data... originally made available by the Estonian government for use by its citizens...
to the citizens of Estonia.
Whether taking down the country’s phone system, disrupting the dissemination of
news, or shutting down the country’s banking system, what Russia did was prevent
the government of Estonia from making available to its citizens all of those
services which they had previously authorized, and on which its people depended
(on the availability of information and data) in order to conduct their lives.
On this basis, Russia’s actions were an act of war, as they struck at the heart of the
very services a government exists to provide to its people.
So why didn't the event in Estonia trigger a NATO response, considering that
Estonia is part of NATO? The answer is that while they were egregious, NATO
didn’t feel that Russia’s actions went so far as to affect the integrity of the
country and its data. Integrity then becomes the third principle which we look
to in our effort to define cyberwarfare. Specifically, two forms of integrity
are needed, and when one or both of these two forms are violated via cyber
activities, an act of war exists. They are the integrity of the nation, and the integrity of the data
the nation promotes the existence of... whether of a military, civilian,
government, commercial, or personal nature.
As far as NATO was concerned, while the integrity of the data Russia messed with
may have been compromised, the integrity of Estonia was not affected by Russia’s
actions. The country went on to govern, and therefore all was fine.
We think this kind of thinking is wrong.
While we understand the concept that NATO’s threshold as regards impacting the
integrity of a nation deals with those kinds of things that affect a state’s
ability to govern—as regards the result of a conventional kinetic attack—in our
view this is too myopic and restrictive a viewpoint to take in today’s world.
The ability of a
nation to govern, as well as the integrity of its data, is critical to a
nation’s ability to preside over, regulate and administer its people. So too is
the government’s ability to ensure that the data its people depend on in order
to run their lives continues to be made available as and where needed… again, whether
it’s the kind of data that has to do with a citizen’s bank account, or the data
that enables a power plant or other industrial control system to work. If
another country steps in and attempts to govern where and when a country’s
people can gain access to the data they need to live, then they are usurping the
authority of the government of the nation being attacked. In other words, the
attacking country is challenging the integrity of the country being attacked.
It’s in this realm then where the concept of both national and data integrity
becomes important, and should play a part in helping to define when cyber crime
has elevated itself to the level of cyberwarfare.
Need we say more on this issue? In our view, data can be manipulated, and it is easier for one
country wishing to enact war against another to attack the data of the target
country, than to dispatch bombers to fly over its capital and rain terror from
above. The integrity of a nation’s data impacts the country’s leaders’ ability
to continue to govern. In this regard, it becomes the essence of the concept
that defines when cyber activities become activities of war.
It matters not whether the actor that mounts a cyberwar against the U.S. is a nation state or an
extremist group; when it comes to America, such acts should be addressed by the
U.S. military, not some cobbled together group of government
agencies or civilian businesses contracted for that purpose. As a capitalist,
this author likes civilian businesses... but not so much that he would want them standing on
the front line defending this country against cyberattacks. That's the U.S. military's job, and we
think that when it comes to cyberwarfare, the Signal Corps should be running the
show.
Why The Signal Corps?
O.k., you say… so America needs to redefine what constitutes cyberwarfare, and
begin fighting it from within the realm of the military. But why promote the
Signal Corps to lead this charge? Don’t we already have these capabilities
inherent in the NSA and Cyber Command?
Our answer: to some extent yes… and to some extent no. More importantly however,
to whatever extent it exists it is not enough to prevent the kind of
cyberwarfare activities China is mounting against us, or for that matter ISIS,
Russia, Iran, or any other actor out there that finds our way of life
threatening to their own.
Worse, for the kind of cyberwarfare activities America needs to cultivate to
work when put into practice, these activities will need to be integrated across
all elements of our society, not just our military. This means we need
cyberwarfighting capabilities able to be used in defensive and offensive
capacities on cyber activities that deal with our military, as well as within
government areas, civil society, and within America’s commercial sectors, with
individual commercial players. The NSA is inappropriate for this kind of power
play, as is Cyber Command.[4]
You can see the reasoning behind our saying this by
considering the following.
In 2010, when the U.S. Cyber Command was established, its mission was only
loosely defined. Since then it has cleverly promoted itself via the media, in
order to gain visibility as well as authority over those areas it seeks to have
control over.
On the surface, there is nothing wrong with a military group promoting itself…
however, such activities hardly represent best case means for developing a
mission that will address the strategic problems America faces, especially when
it comes to cyberwarfare.
For example, leaving it up to the Marines to decide which battles they will fight
is not the best way of assuring that America fields the best, fully integrated,
unified fighting force to address any particular battle. That kind of decision
is made at a higher level, not at the branch level. Similarly, leaving it up to
the boys in Cyber Command to decide what their mission will be, and how they
will fight it, falls far short of what America needs if it is going to take the
concept of cyberwarfare seriously.
For the men of Cyber Command, the challenges they face go far beyond the
complaints they now speak of when they talk of recruiting problems, and how they
have little to offer new recruits when it comes to turning these people into
career cyberwarriors. Rather, the real problem Cyber Command faces if it wants
to be the lead player in conducting cyberwarfare for America has to do with how
it will develop a fulsome, effective strategic cyberwarfare capability able to
perform the tens-of-thousands of tactical missions that need to be implemented
daily, if the mission is to be achieved.
The reason we say this is because for the strategy to be
effective in achieving the mission, the tactical component being performed must
carry across—as well as through—every military unit the U.S. has on hand (i.e.,
from the Coast Guard to the Army, Navy, Marines, Air Force, ROTC programs, and
beyond), as well as every government agency (at federal, State and municipal
levels), as well as the management organizations that operate every industrial
control system of importance to America (i.e. from dams and electric grids, to
civilian navigation aids, etc.), to the well over 5,000 commercial American
companies whose disruption (by cyber means) has the potential to bring America
to its knees, as well as... are you ready... the 17,985 state and local law
enforcement agencies and the over 120,000 uniformed personnel they field.[5]
The existing Cyber Command does not have this capability, nor is its mission
attuned to these needs.
Winning at cyberwarfare then requires that America has an organization that is able to
wage cyberwarfare in conjunction with and through all of these players…
and while the Cyber Command that has been set up may be able to play a role in
some of these areas, it certainly wasn't constituted to do the job we are
outlining here, nor is it the right organization to be leading this kind of a
military charge.
Who is the right military organization to take this role? The U.S. Army Signal
Corps is. The simple fact is, the Signal Corps is the only organization
that has, since its inception, worked through and with every element of
America’s military, as well as its government infrastructure and civilian
enterprises, not to mention America’s universities and research institutions, to
achieve its mission. Upgrading America’s cyberwarfare capabilities to embrace
all elements of our military, as well as both federal and State government
agencies, and civilian enterprises, is a necessity. Protecting these groups in
time of war (cyberwar) is a necessity. Waging war (cyberwar) through the
infrastructures these elements maintain is also a necessity. And finally, having
one U.S. military group able to do all of this as a unified force is an absolute
necessity.
The future direction of America’s cyber force cannot be left to happenstance.
Waging cyberwar is about much more than merely conducting cyber activities,
social media campaigns or hacking into another country’s computers… it’s about
integrating cyberwarfare activities across all four of the previously
mentioned sectors, from America’s entire military to its federal, State
and municipal government sectors, and our country’s key civilian and commercial enterprises
(what we will call the “Four Critical Sectors”). It also involves everything
from taking offensive action in each of, and in conjunction with, these Four
Critical Sectors, to defense of them and more, as well as defense of every form
of digital infrastructure in between.
For the Cyber Command to gain this kind of clout would take decades. The Signal
Corps, on the other hand, having integrated its work and efforts with each of
the Four Critical Sectors since its formation on June 21, 1860, knows how to do
this, and has already proven its abilities in this regard. The Signal Corps
knows what it’s like to integrate civilian and military efforts to achieve a
national goal… especially during warfare. Taking responsibility for waging
cyberwar—something that is little more than a natural extension of the Signal
Corps' usual duty of overseeing wartime communications in the first place—would
come naturally to... the Signal Corps.
We say again, Cyber Command cannot do the work needed to build an effective
strategic and tactical response capability able to cover the Four Critical
Sectors, and the NSA has no place in this form of military activity. As it
stands today, the Cyber Command is little more than a nascent force of digital
warriors. It has no national strategy to speak of, nor does it have inroads into
the top level management groups that drive the Four Critical Sectors. While it
fills an important role and provides a critical service, its activities fall far
short of what is needed to put together a nationwide, fully integrated
cyberwarfare capability… from defense to offense, across all Four Critical
Sectors.
Looking back on the history of the Cyber Command, we can see this to be the case, as
when they were a nascent organization they struggled to find an institutional champion that would give them
cover. Eventually they found their champion, in the form of the U.S.
Special Operations Command. That’s good, as regards helping America to develop a
base level of cyber force capabilities… but again it falls far short of what is
needed for our nation as a whole to be able to wage cyberwarfare, or protect
itself against it.
As it stands today, both Cyber Command and its parent, Special Operations
Command, are at their operating core small teams of highly skilled specialists.
They do a great job at what they do… superb, in fact… but they are not up to the
task of being the responsible party that is needed to build and manage for
America a new 22nd century Cyberwarfare capability. At best what they are
qualified to do is carry on with their goal of mounting irregular warfare within
the cyber area.
Part of the reason for this is that Cyber Command was formed, like the early
Special Forces teams, around the idea that they would eschew large force
capabilities for small scale organizational cohesion centered on a unified
operational strategy, based on specialized but limited capabilities drilled into
their mindset via institutionalized training. This makes the people of Cyber
Command specialists in the field of small scale, pinpoint warfare… but not at
large scale battle scenarios. And while there is clearly a need within
cyberwarfare for men who can target and hack into, say, the personal server of a
country’s Secretary of State… there is also a need for people who can design and
implement nationwide programs intended to prevent dams from self-emptying when a
malware program is turned on, or military aircraft from having their internal
guidance systems hijacked when they fly too close to an enemy ship.
The reader can gain some insight into the shortcomings of Cyber Command by
looking at its structure, and its plans for growth:
On September 14, 2014, the first American Army Cyber Protection Brigade became
active. The unit was created to provide a base level of competent personnel able
to set up and maintain network defenses for the military. No mention was made in
their mission of the need to support federal, state or municipal governments,
America's commercial sector, or help protect civilians against cyber recruitment
or attacks from foreign enemies. Nor was any mention made as to the need to
protect America's industrial infrastructure (dams, telecom networks, electric
grids) against attack. Instead, the goal was simply to recruit and staff a
number of experienced personnel who could investigate and deal with military
cyber intrusions.
Structurally, the unit was originally set up with a core brigade of twenty cyber
protection teams. Each contained 39 military and civilian network security
experts. Most of these were classified under MOS (Military Occupational
Specialty) 25D, Cyber Network Defender. At present, there seem to be about
700 troops with the 25D MOS. Supplementing this group are a few civilians.
By now the astute reader will see an obvious problem with this structure... in
addition to the mission being lacking in scope, and the size of the unit being
absurdly small if America is to be protected from cyber attacks, is the obvious
fact that 25D troopers will leave the military at the first chance they get...
since people with this kind of skill set could easily make 5 to 9 times more money in
the civilian sector than they could ever make in the military.
That problem aside, the unit suffers from inadequacies in other ways. Like the
Special Forces brigades that the group was patterned after, it is intended that
Cyber Command be a small, highly skilled fighting unit. Where Special
Forces brigades (called groups) usually contain only 1,500 troops, versus
regular combat brigades having over 4,000 personnel, the new Cyber Protection
Brigades will have on the order of 1,100 personnel. Because of this, the Cyber
Protection Brigades will need to depend on the integration and inclusion of massive numbers of
civilian contractors, if the job is to be done. In our view, while this may be a good way to provide food
and housing for combat troops... hiring civilian contractors... it is not a
useful means by which to fight a cyberwar. After all, does America really want
Verizon trying to stop ISIS from recruiting its sons and daughters?
Finally, even if changes are made to try to address these, and the many other
problems we see in the way in which the new U.S. Cyber Command is being
constituted, there will always be the problem of the unit being intended to be
little more than a blip on the screen of the overall military's
TOE. After all, it is an Army unit, and as such is intended to serve little more
than the Army's needs. At the moment there are only 40 cyber-teams operating. By
2016 plans are to have no more than three Cyber Protection Brigades, at max.
This is nowhere near the force projection size required to allow America to
fight the number and types of cyberwars it will face.
More important than all of this though is the fact that absolutely no one in our
government is looking at the big picture. Instead of building a national
cyberwarfare fighting capability that can handle the needs of the Four Critical
Sectors, what our government... and the Pentagon... is doing is allowing individual military groups to develop
their own capabilities. In other words, the path being followed will end up with
each branch having its own cyberwarfare capability, with none being built to
address the nation's needs as a whole.
One need only look at the U.S. Navy to see it trying desperately to get into the
game.
In 2009 the U.S. Navy created what it called an "Information Domination Corps."
Behind this new unit was a new headquarters (assigned to the 10th Fleet), with
over 40,000 people re-assigned to staff it. Intended to be a cyberwar command,
its purpose was to deal with intelligence and network security issues within the
Navy environment. So, while this effort ended up giving the Navy a more
powerful and secure position in cyberspace, it contributed absolutely nothing to
the cause of fighting cyber attacks that might target America as a whole. While
both the Army and the Navy may parade their new cyber commands as being part of
a national, military cyberwarfare capability, they are not; they are little more
than internal, branch-specific network security forces. America remains unprotected
against cyberwarfare... no matter what the Army, Navy, or even the 800 men who
work within the U.S. Marine Corps' Forces Cyberspace Command may tell you.
In terms of core capabilities, force accession, and tradition, the force
projection capabilities needed by any military group America might stand up to
provide the cyberwarfare capabilities we so desperately need do not
exist. Such a capability could, however, be stood up by the Signal Corps, if our
government ever got around to being serious about preparing for cyberwar. The
Signal Corps has a long and glorious history in the realm of science,
technology, data, information, communication, encryption, decryption,
transmission, reception, system and network design, and much, much more. It has
over 150 years of working with all elements of American society, from the
military to government and civil society, and America’s commercial sector, and
it could do the job if called on to do so.
America would do well to start today to build a fully formed, coherent
cyberwarfare capability. It could do this best by assigning both the strategic
and tactical missions outlined above to the U.S. Army Signal Corps. This would, of course,
require that Congress grant non-traditional authorities to the Signal Corps, as
well as non-traditional lines of reporting, but at least on this issue the
precedent has already been set. During World War II Congress assigned to the
Signal Corps simultaneous lines of reporting to the Secretary of War (as head of
the then Department of War) as well as the Secretary of State. Any unit that can
satisfy the needs of these two traditionally contending agencies, not to mention
the Army itself, and the Joint Chiefs, and keep all sides happy, is qualified to head a new Department
of Cyberwarfare (… or National Cybersecurity Force, if you like).
Cyberwarfare Is Civilian Warfare
Finally, as to what one can expect such a new Department of Cyberwarfare to do,
all that is required is to recognize that cyberwarfare is, for the most part,
civilian warfare. The actions America’s cyber enemies take will, in most
instances, be aimed at the United States’ civilian sector, not its military
sector. One can see this in Russia’s actions when it attacked Estonia. For
traditional military men, civilian targets are seen as “soft targets,” but don’t
let that fool you. The goal will be to cripple America’s ability to fight back,
militarily and otherwise.
Fight back against what, you ask? Fight back against any activity an American
enemy may conceive of, as a means of bringing our country to its knees. Although
it will happen, what we will find ourselves fighting against will rarely be
attacks on our military infrastructure, but more normally our national
infrastructure, grids, communication systems, finance systems, ability for
American commercial enterprises to conduct business, and perhaps worst of all,
the numerous spurious means that exist by which our enemies can mount propaganda
efforts to sow doubt within and topple our society.
To wage this kind of cyberwar America’s new Department of Cyberwarfare will need
to be at a Branch level within the Department of Defense, on an equal footing
with the other 5 Branches, and develop means for both attacking America’s enemies’ soft targets, as well as
protecting our own. In terms of what we can expect this new Branch of the
military to do, by now we all know that Clausewitz was right; for every
tactic and strategy one side develops, the other side will try to counter it.
This new Branch will be tasked with countering both the enemy’s initial efforts
at cyberwarfare, as well as countering their counter efforts.
Such an approach to fighting a war will require tens-of-thousands of
programmers, with program development facilities and labs akin to those which companies like
Microsoft maintain. While no specifics are available about Microsoft's staffing
level, this author has been told that Microsoft has 43,680 software engineers
and developers on staff at this time. They are further supported by over 390,000
additional developers who work under contract with Microsoft, from countries like
India, China, the Philippines and more. It would not be out of the ordinary then to expect that a new
Branch constituted as a
Signal Corps Department of Cyberwarfare might need to employ in excess of
150,000 cyber-software experts, when fully formed.
Properly staffing a new Branch like this then is important, because unlike in traditional combat roles, where front line soldiers are only
needed when the country goes to battle and there is a need for people to pull
triggers, in cyberwarfare the development experts needed will have to be on hand and
working from the get go... that is, long before a cyberwar or cyber-battle ever
starts... just to make sure that what the enemy is developing
as a cyber weapon America is fully able to counter, regardless of whether it is placed in the
field by the enemy or not. This point should not be forgotten: waiting until the
enemy has emptied every one of America’s dams before bringing on board software
developers able to ferret out and counteract the kind of malware that can cause
such incidents is not a viable means for a nation to fight a cyberwar.
In conclusion, we can say with certainty that dynamic cyberwarfare will take place in areas involving soft targets. To
best fight this kind of war America will need a new Department of Cyberwarfare,
constituted as a 6th Branch of the military. In doing its job, this Branch will need to
interface with civilian networks and operators, as well as the other Branches of
the military, since all of these and more will be the
targets of America’s enemies.
As to why we think the Signal Corps should head this new Branch, again, the
Signal Corps’ historic experience in working in the areas of communication,
data, security, et al. will be of
great advantage. Consider if you will the simple example of the Signal Corps’
Monmouth labs and how they have, down through the ages, worked with civilian
companies to transition the research done at Fort Monmouth into production, so
that useful, reliable, combat ready information technology products came to the field when they were
needed, as they were needed, and in a cost effective manner. In the past, all
manner of systems were developed in this manner by the Signal Corps, from radar to communication
systems, targeting systems, and more. In the future, the software solutions
needed to win a cyberwar can just as easily be developed this way too.
Continuing to press our case, the Signal Corps has experience working with
private contractors, and they too will be needed to provide much of the development
and logistical support required to place the Department of Cyberwarfare’s
software tools in the field. So, whether it’s working across national
boundaries, coordinating cyber defense and offense with the Four Critical
Sectors, developing new cyber weapons, finding ways to get them into the enemy’s
systems and networks, or mixing cyber technologies with other battlefield
technologies to make them even more effective, America needs a Department of
Cyberwarfare, and we believe the Signal Corps is not only well placed but the
only military group able to take on this role.
Notwithstanding all of this, it does give one pause to think of the incredible irony that a
Department of Defense DARPA project that first helped bring ubiquitous, high
speed communication to the world—the internet—has now come full circle to the
point that it requires that same Department of Defense to develop a means of
combating the kind of abuse the system it gave to us makes possible: cyberwarfare.
Footnotes
[1] The following are quoted examples of ISIS' recruitment of children,
right under the eyes of their own parents. The examples were taken from CNN online,
March 11, 2015, Propaganda and military training, by Jethro Mullen:
“The decision of three British teenage girls to travel to Syria last month was a
stark example of ISIS' ability to attract young Westerners.
“Another young British woman who left Scotland to join ISIS in 2013 now appears
to write a blog about her life under the extremists' rule, describing perks and
offering reassurances to those who might follow in her footsteps.
“Western officials, though, say that ISIS is pushing a false narrative of what
things are really like in its territory.
“But officials also admit they're struggling to counter the relentless wave of
propaganda churned out on social media by ISIS members and supporters.
“ ‘There's no question what we're combating with ISIL's propaganda machine is
something we have not seen before,’ U.S. State Department spokeswoman Jen Psaki
told CNN last month.”
[2] In this regard, organizations like the NSA, which have
taken on a life of their own, should be made subservient to the U.S. military,
as they were originally intended to be. In the process, the U.S. military can
then take over oversight to assure that the NSA’s activities stay outwardly
focused on America’s enemies, rather than internally in support of civilian
espionage intended to support societal police activities and crime. Leave
crime suppression via espionage up to civilian agencies and the courts, and get
the NSA out of this area of influence. Unless it amounts to the equivalent of
warfare against America—cyber or otherwise—the NSA does not belong in it.
[3] Quote taken from documents published by and in the summit
meeting of NATO Heads of State and Government, held in Newport, Wales, United
Kingdom, on 4 - 5 September, 2014.
[4] To integrate military cyberwar fighting capabilities with
American commercial players, so that their activities are protected too, the
U.S. military will need to form a new special branch unit to handle this
military–to–civilian interfacing. Such a unit, while it should be established under the
auspices of the U.S. Army Signal Corps, should constitute a new, 6th Branch of
the military. While somewhat radical in design, there is a need to consolidate
all of the cyberwarfare activities of the existing 5 Branches under one
coherent, unified command effort. Thus, a new cyber command branch is needed,
rather than a bunch of new commands, i.e. one per Branch. Further, a structure
of this type would be far better for the government, civil and commercial
sectors of American society than asking each of these areas of interest to trust the
NSA with access to their sensitive data, information and communication
protocols. Finally, the existing Cyber Command, being a combat arm of the Army,
holds far too restricted a position within the overall U.S. Government, civil
society, and commercial sectors to be
appropriate as the agency to head such an undertaking.
[5] State and local law enforcement agencies are crucial to
cyberwarfare, as the men in uniform that these agencies field are the first to
hear of a cyber-related problem. They are the first to hear that little Johnny
is talking about joining ISIS, and the first to hear that the local bank
branch's eMail system was hacked, etc., etc.
Sources
What Constitutes Cyber Warfare, Popular Science, September 8, 2014.
Data Security; These 5 Facts Explain the Threat of Cyber Warfare,
online blog, Ian Bremmer, June 19, 2015.
The Other Quiet Professionals; Lessons for Future Cyber Forces from the
Evolution of Special Forces, Rand Corporation, Christopher Paul, Isaac R.
Porche III, Elliot Axelband
US not accusing China in data theft, won't retaliate, Fort Wayne
Journal Gazette, 22 July 2015.
Original Site Design and Construction
By John Hart, Class 07-66. Ongoing site design and
maintenance
courtesy Class 09-67.
Content and design Copyright
1998 - 2015 by ArmySignalOCS.com.