Of the many topics discussed by General Cartwright on Day 1 at USNI/AFCEA Joint Warfighter Conference 2012, it was his discussion of the nexus between electronic warfare and cyberwarfare where the General grabbed my attention. This Sydney Freedberg article at AOL Defense captured the discussion briefly in the last paragraph.

“There is a nexus coming between electronic warfare and cyber,” between traditional electronic jamming and countermeasures and new-fangled hacking, Cartwright concluded. “One knocks the door down and the other goes in and does the dirty work.” The current turf wars between the electronic warfare and cybersecurity communities miss the vital point, he said. In the cyber realm, “we’ve been thinking 90 percent defense, 10 percent offense. That’s bass-ackwards for us,” he said: We need to stand ready to seize the electromagnetic offensive.

There are several questions I have been asking myself since General Cartwright spoke yesterday afternoon, chief among them: what exactly does 90% offensive cyber and 10% defensive cyber look like? Does this mean firewalls need to be reconfigured as smart honeypots, ready to go offensive as soon as an intrusion attempt is made from an unknown or unidentified system? How does this work, and is the existing security model for networked systems fundamentally wrong? General Cartwright actually used protecting a computer with anti-virus software as his example of the defense-first mentality in cyber, but I am not convinced that’s a good model for his ideas.

First, let me highlight that I truly appreciate General Cartwright challenging assumptions and projecting alternative futures for how cyber will impact the technologically driven military of the United States; indeed, in many ways it’s refreshing to hear. With that said, I am not certain that everything is as cut and dried as General Cartwright suggests, and one man’s defense may be another man’s offense when it comes to the cyber domain.

For example, using the same anti-virus software example, is it accurate to say anti-virus is a purely defensive model of cyber activity, or would it be more accurate to highlight the offensive capabilities triggered in response to threats? As a virus exploits a networked system, anti-virus systems are often configured to counterattack the virus immediately, preventing the execution of rogue code and isolating the rogue code to prevent further damage to the system. The physical world analogy is to run down the bad guy and throw them in jail – which is difficult to describe as a defensive action. This raises the question: why exactly is 90% defensive and 10% offensive the wrong approach? Use of offensive military power is subject to a variety of factors regardless of domain, and given the way the US spends money on nuclear deterrence, self-defense technologies for people and platforms, and other defense capabilities applied in multiple domains (which can be anything from the investments in stealth in a submarine to jamming technologies of various kinds) – it isn’t as if the posture of US military forces is somehow divided by formulas for offensive and defensive capabilities. With that said, there is no question several nations have taken a 90% offensive and 10% defensive posture against the United States (China being one such nation), and perhaps if we were more offensive in cyber ourselves we would influence that balance of action for those attacking us.

Where Cartwright starts really making sense on the issue is specific to aperture exposures that will almost certainly be exploited in some way in the future. Again, from AOL Defense:

“We built the F-35 with absolutely no protection for it from a cyber standpoint,” he said. Just as historical aircraft used to have an “EMCON switch” — short for “emissions control” — that could turn off all electronic transmissions from the aircraft when it needed to avoid detection, Cartwright said, today’s aircraft need a switch that shuts off all the electronic apertures through which they can potentially receive transmissions, lest electronically savvy enemies hack into them. “As a guy who spends his life on the offensive side of cyber, every aperture out there is a target,” Cartwright said.

OK, the General is discussing deep cyber theory to a general audience, so this means something different depending upon how well you understand the details. Basically, what Cartwright is suggesting is that any radar is an aperture, in the same way that false signals can be fed into a radar’s returns. The theory is that an encoded signal can be sent through the data stream to a radar to exploit the integrated system. The problem is the processing isn’t there to do that yet, so there really isn’t any way to defend against it because the capability doesn’t actually exist. The General is rightly applying Moore’s Law here, but is also combining it with a conclusion that eventually the ability to exploit every aperture will be possible, and that is what allows his theory to be promoted – and on cyber issues the General is certainly credible enough to be taken seriously.

Indeed, this is probably some legitimate fortune telling regarding challenges in 2025 and beyond, and as delays occur with JSF perhaps that is the right platform to highlight as vulnerable. But it’s also futurist, and while the discussion is important (particularly in conferences like Joint Warfighter) – it’s theory and difficult to reconcile as a vulnerability that can be planned for at this time. Another real issue with the Joint Strike Fighter is that all of that code will make it difficult – thus very expensive – to adapt a defensive posture against such threats in the future. Again, in a military of advanced systems with lots of code in advanced software – this is going to be a continuous challenge until the development cycle of complicated systems can be shortened significantly.

Cartwright is right to forewarn on these issues, because in a sense he is exactly right – apertures of every kind are issues that must be dealt with in the evolving cyber challenge – and the ability to turn off apertures as receivers is a defensive tripwire that may need to be integrated into future systems. When the US is heading down a networked way of war, turning off apertures is going to make that whole ‘network’ aspect of future war very difficult. A lot to think about; hopefully the video is online soon for others to watch and discuss.

Posted by galrahn in Cyber


  • Frank Ch. Eigler

    I don’t think he was talking about apertures in the specific physical or electromagnetic waveguide sense, but rather in the general ‘opening’ sense. It is as though there are onboard networks/devices that can receive data from the outside, but do not consider the data as possibly hostile. It is as though encryption at the boundaries is the sole defence.

  • Dee

    It is as though encryption at the boundaries is the sole defence.

    It is not as if a root certificate has not been hacked and an entire CAM compromised

    I’m not saying there is an answer, somebody right or wrong, still wrapping around the content and acknowledging that change is certain.

    Give me a Hadoop cluster and some mapping route reductions, even brute force is possible in hours

    I don’t know, still wrapping around it… let’s just hope that as a consequence of the discussion adversaries are having to consider the same.

  • asdfsdf (from ID)

    “As a virus exploits a networked system, anti-virus systems are often configured to counterattack the virus immediately, preventing the execution of rogue code and isolating the rogue code towards preventing further damage to a system. The physical world analogy is to run down the bad guy and throw them in jail – which is difficult to describe as a defensive action.”

    Actually, I would describe isolating and attacking a virus as an aggressive defensive action, not an offensive action. The virus is not the bad guy; the bad guy sent the virus, and you are counterattacking something already in your system. Real world analogy: CIWS.

    Offensive would be tracking the virus backwards to find and target adversary systems – taking them offline with a virus causes their attacks to cease, but requires an explicit offensive action. Offense is the best defense, but requires willpower to use.

  • re: 90% offense, 10% defense.

    Is an observation that when the domain favors the offense, defense is deterrence thru regular demonstration, if not use, of offensive capabilities. I believe this is (still) true in all other military domains, from the days of Maginot lines to today’s magical thinking about missile defense (that it might be impenetrable, vice just casting doubt on a less than full-out offensive).

    Call it “Billy Mitchell” thinking. Imagine a non-kinetic “boot on the neck” of an adversary leading to the desired political outcome. What if Cyber (or its earlier analog in (a declared intent to use) human covert/clandestine action) was able to guarantee a declared political result (e.g. regime change, capitulation, or bringing say, North Vietnam to the table in its day).

    Perhaps then it turns out those with greatest deployment of a dual use technology are not only the most vulnerable, but the most able to respond to attacks, as well as attack and dominate in this domain.

    What if, say, the U.S. were to use the upcoming Iran sanctions to declare a cyber “tightening of a noose” policy on Iran? Congress passes an authorization that is a new form of War Declaration (that, unlike the old, doesn’t require the DCI/DNI to report to and take direction from the SECDEF) that has defined phases (political/statecraft, followed by non-kinetic (cyber and covert human action), followed by kinetic).

    And then the military week-by-week informs Iran (both leadership and populace) of what is going to stop working until they change behavior. Starting with water and light in leadership areas, bank accounts for their 1% that get scrambled if not looted, shut down of air-traffic control and airport facilities, followed by general transportation mischief (scrambling shipment orders, putting perishables on un-air-conditioned trucks, etc.), traffic lights scrambled, etc., followed by other infrastructure shutdowns, all of which, when they attempt to turn them back on, are re-scrambled or turned back off.

    Part of the Congressional Authorization is authority for the military to issue Letters of Marque and Reprisal that authorize anyone (after registration and guaranteed identification with the military, and after declaring their objectives and posting a bond, they receive specific help against their objectives, say, lists of accounts and passwords, shipment schedules and manifests, etc.) to do mischief if not more to Iran’s 1%’s assets. Eventually all their people are cold and in the dark, and after weeks of declining food supplies we announce that since the existing leadership did not capitulate this will not stop until we see this list of heads-on-pikes. And if they go kinetic or use deadly force against us, we will respond kinetically.

    When the dust settles, we have a new military service capable of using its offensive capability to both win wars, and deter others, which is the only way forward given defense in this domain is likely to be asymmetrically disadvantaged for decades, perhaps forever (as we see in the other disciplines). The Cyber threat to the free world declines to criminality and mischief as the pictures and videos of Iran’s 1% being guillotined by a hungry and angry populace circulate widely.

    In 30 years we don’t remember a time without the Cyber Force (CF, AF, Army, Navy, Marines) – which has its own service academy in the mountains overlooking Silicon Valley, 3/4s of the way to Santa Cruz.

  • Some of the anti-virus companies develop harmful viruses to force people to buy their products. No virus, no anti-virus products will sell? What do you think?