Of the many topics discussed by General Cartwright on Day 1 at USNI/AFCEA Joint Warfighter Conference 2012, it was his discussion of the nexus between electronic warfare and cyberwarfare that grabbed my attention. This Sydney Freedberg article at AOL Defense captured the discussion briefly in the last paragraph.
“There is a nexus coming between electronic warfare and cyber,” between traditional electronic jamming and countermeasures and new-fangled hacking, Cartwright concluded. “One knocks the door down and the other goes in and does the dirty work.” The current turf wars between the electronic warfare and cybersecurity communities miss the vital point, he said. In the cyber realm, “we’ve been thinking 90 percent defense, 10 percent offense. That’s bass-ackwards for us,” he said: We need to stand ready to seize the electromagnetic offensive.
There are several questions I have been asking myself since General Cartwright spoke yesterday afternoon, chief among them being: what exactly does 90% offensive cyber and 10% defensive cyber look like? Does this mean firewalls need to be reconfigured as smart honeypots, ready to go offensive as soon as an intrusion attempt is made from an unknown or unidentified system? How does this work, and is the existing security model for networked systems fundamentally wrong? General Cartwright actually used protecting a computer with anti-virus software as an example of the defense-first mentality in cyber, but I am not convinced that’s a good model for his ideas.
First, let me highlight that I truly appreciate General Cartwright challenging assumptions and projecting alternative futures for how cyber will impact the technologically driven military of the United States; indeed, in many ways it’s refreshing to hear. With that said, I am not certain that everything is as cut and dried as General Cartwright suggests, and one man’s defense may be another man’s offense when it comes to the cyber domain.
For example, using the same anti-virus software example, is it accurate to say anti-virus is a purely defensive model of cyber activity, or would it be more accurate to highlight the offensive capabilities triggered in response to threats? As a virus exploits a networked system, anti-virus systems are often configured to counterattack the virus immediately, preventing the execution of rogue code and isolating the rogue code to prevent further damage to a system. The physical world analogy is to run down the bad guy and throw them in jail – which is difficult to describe as a defensive action. This raises the question: why exactly is 90% defensive and 10% offensive the wrong approach? Use of offensive military power is subject to a variety of factors regardless of domain, and given the way the US spends money on nuclear deterrence, self-defense technologies for people and platforms, and other defense capabilities applied in multiple domains (which can be anything from the investments in stealth in a submarine to jamming technologies of various kinds) – it isn’t as if the posture of US military forces is somehow divided by formulas for offensive and defensive capabilities. With that said, there is no question several nations have taken a 90% offensive and 10% defensive posture against the United States (China being one such nation), and perhaps if we were more offensive in cyber ourselves we would likely influence that balance of action for those attacking us.
Where Cartwright starts really making sense on the issue is specific to aperture exposures that will almost certainly be exploited in some way in the future. Again, from AOL Defense:
“We built the F-35 with absolutely no protection for it from a cyber standpoint,” he said. Just as historical aircraft used to have an “EMCON switch” — short for “emissions control” — that could turn off all electronic transmissions from the aircraft when it needed to avoid detection, Cartwright said, today’s aircraft need a switch that shuts off all the electronic apertures through which they can potentially receive transmissions, lest electronically savvy enemies hack into them. “As a guy who spends his life on the offensive side of cyber, every aperture out there is a target,” Cartwright said.
OK, the General is discussing deep cyber theory with a general audience, so this means something different depending on how well you understand the details. Basically, what Cartwright is suggesting is that any radar is an aperture: similar to the way false signals can be fed into a radar, the theory is that an encoded signal can be sent through the data stream to a radar to exploit the integrated system. The problem is the processing isn’t there to do that yet, so there really isn’t any way to defend against it because the capability doesn’t actually exist. The General is rightly applying Moore’s Law here, but is also combining it with a conclusion that eventually the ability to exploit every aperture will be possible, and that is what allows his theory to be promoted – and on cyber issues the General is certainly credible enough to be taken seriously.
Indeed this is probably some legitimate fortune telling regarding challenges in 2025 and beyond, and as delays occur with JSF perhaps that is the right platform to highlight as vulnerable. But it’s also futurist and while the discussion is important (particularly in conferences like Joint Warfighter) – it’s theory and difficult to reconcile as a vulnerability that can be planned for at this time. Another real issue with Joint Strike Fighter is that all of that code will make it difficult – thus very expensive – to adapt a defensive posture against such threats in the future. Again, in a military of advanced systems with lots of code in advanced software – this is going to continuously be a challenge until the development cycle of complicated systems can be shortened significantly.
Cartwright is exactly right to forewarn on these issues, because in a sense he is exactly right – apertures of every kind are issues that must be dealt with in the evolving cyber challenge – and the ability to turn off apertures as receivers is a defensive tripwire that may need to be integrated into future systems. When the US is heading down a networked way of war, turning off apertures is going to make that whole ‘network’ aspect of future war very difficult. A lot to think about; hopefully the video is online soon for others to watch and discuss.