Offensive cyber operations (OCO) and defensive cyber operations (DCO) are currently too centralized, held primarily at the combatant commander (CoCom) or national command authority (NCA) level. The centralization is understandable given the desire to ensure that the United States maintains a competitive edge over potential adversaries. It is also understandable given how powerful and destructive cyber capabilities can be: treating them as strategic weapons, with significant consequences if misused, was a reasonable starting point.
Now, many years after the United States began using these capabilities and developed the policies, commands, and workforce to wield them, it is time to recognize that not every use of a cyber capability is of strategic significance. Cyber weapons, and the personnel to wield them, need to be in the hands of the commanders who need them at the tactical level; for the U.S. Navy, this is the carrier strike group (CSG). The following story is fictional, but it could become closer to reality if naval cyber capability is decentralized and put into the hands of tactical warfare commanders.
Set General Quarters
Consider this scenario: In the near future, in a contested maritime area in the Pacific Fleet area of operations, a CSG is maneuvering to a launch area to conduct strikes against major port facilities. An adversary surface action group (SAG) is on course to intercept.
This CSG has been manned, trained, and equipped with tactical offensive and defensive cyber capability, controlled by the strike group commander. As the CSG maneuvers closer to the launch area, intelligence feeds flow to the carrier from national and Fleet Commander sources. These feeds help the warfare commanders understand the situation and develop a plan for how to get past the SAG that is currently blocking their path.
National, U.S. Pacific Command, and Seventh Fleet cyber teams have been preparing for this contingency by infiltrating the networks of the SAG's ships. After gaining access through their logistics systems, the teams moved laterally and escalated privileges throughout the network, gaining footholds in navigation, combat, and engineering systems. They fingerprinted the networks and installed back doors, logic bombs, beacons, communications collection tools, and bots throughout. As expected, the SAG's network posture changed soon after it left port, so it would be up to the CSG and its unmanned assets to get close enough to take advantage of the work already done.
The engagement begins just before the CSG is within detection range. Hoping to avoid kinetic combat and maintain speed toward the launch area, the CSG cyber team alters data on the SAG's navigation charts, placing undersea mountains and potential shoal water in its path. The team also injects false radar returns into the adversary's combat systems, hoping to convince them to change course. The CSG expects to be operating completely disconnected soon. All non-essential communications have been cut for weeks, freeing satellite time for the other units in the region. The artificial intelligence (AI) systems of the CSG and Seventh Fleet have been exchanging data, continually examining logs, configurations, and intrusion detection/prevention systems. They also have been scanning for vulnerabilities, patching, and performing maintenance to build resiliency against the cyber capabilities of the SAG and the adversary's national cyber forces.
Missile launch detected!
While the electronic warfare team focuses on defeating the missile, the cyber team tries to disable the ships. The first target is the power systems, and the team has some effect: one adversary ship loses power when its breakers trip, while another is able to shift to alternate power. The cyber team then shifts focus to the targets' weapons and targeting systems. The Seventh Fleet cyber teams had established access that allows launches to be blocked by triggering alarms that keep the launch interlocks from releasing. The attack succeeds on half of the ships but does not prevent another missile launch, which hits the aircraft carrier forward on the starboard side near a critical node room.
Cyber teams continue to work hard, with the decision support system helping them identify which weapons and targets would have the most influence on the engagement. The AI system tells the cyber operators to focus on denying targeting capability, so the team goes after the radars: changing the chilled-water line-up to cause a loss of cooling, or causing the antennas to stop rotating or radiating. Meanwhile, electronic alarms are disabled and indications altered so it appears the radars are still operational.
False data is fed into the combat systems so that any further missiles would be fired at the wrong targets. Botnets are activated, producing a distributed denial of service attack against the combat systems from inside the adversary's own network. This appears to work, but the CSG commander wants to be sure the SAG cannot sustain the engagement. The information warfare commander (IWC) directs the cyber team to alter the plant configuration for the sea water intake valves, starving critical systems and spaces of cooling and causing physical damage to some engineering systems. The team also starts moving liquids between tanks, adding sea water to the fuel and oil tanks. Thanks to the earlier work disabling alarms and indications in the engineering control center, physical damage to the adversary's equipment is likely.
Defensive cyber teams are also busy on the carrier, with signs of breaches at various network boundaries. A hangar bay door closed on an aircraft, damaging both the aircraft and the door. Combat systems lost control of the rolling airframe missile launcher, and all its missiles were launched into the sea. Sections of the ship's unclassified and classified networks are also down, with a core switch damaged by the missile strike. Two fire pumps were damaged after running without sea water intake, and every engineering space is hearing alarms it cannot silence. Lighting is sporadic throughout the ship, and satellite communications are down except for the global broadcast system (GBS). Luckily, the cyber teams had the ship's systems at the highest Information Condition (InfoCon), or the damage would have been worse. As the teams get to work, the priority is activating a new network and re-establishing the ship's common operating picture (COP). This “break-glass” network had been dormant and disconnected, so the risk that it is already infected is low. Engineering goes to full manual control of all systems until the cyber team can examine its network and ensure it is safe to use.
Intelligence feeds start arriving over GBS, and it appears the IWC's cyber team did the job, forcing the enemy to disengage and allowing the strike group to continue toward the launch area. By using non-kinetic cyber effects, the CSG commander preserved valuable munitions for future engagements and area self-defense. Once the ship's information systems technicians (ITs) restore the primary network, all engagement data will be collected and sent to the Seventh Fleet cyber teams. The data will be used for modeling and simulation on a cyber range, enabling new tactical, non-kinetic cyber options to be developed to attack adversary systems and to defend against their tactics, techniques, and procedures (TTPs). The unmanned intelligence, surveillance, and reconnaissance (ISR) assets used to facilitate the cyber strike are reassigned to move ahead of the CSG to search for adversaries, while support drones are launched with communication relay payloads to restore contact with Seventh Fleet.
Stand down general quarters. Set condition III. Relieve the watch.
Challenges to Overcome
Centralized capabilities depend on a live, continuous connection for at least some portion of operations. Unfortunately, an active communications link will not always be there. Satellite resources are already insufficient and will become more limited in combat as more units request access, data volumes grow, and access to satellites is contested or denied. Without an alternative communications capability for when the primary link is gone, distributed lethality through cyber capability will not be possible.
Classification policy is also problematic. Over-classification of cyber capabilities has left commanders not knowing what is at their disposal or what is possible. For any effort to push cyber capabilities down to the tactical level, details must be reclassified to the Secret level or below. Without this, commanders will not be able to fully integrate cyber into their operations, use their whole staff for detailed planning, or interoperate with allies.
Over-classification has had a further adverse effect: commanders do not understand their own vulnerabilities. They do not have the tools to self-assess the state of their systems. Configuration baselines to compare systems against are scarce, vulnerability scans cannot reach all systems, configurations are not well controlled, and commanders do not know when critical functions have stopped working.
Finally, commanders do not know how to defend against or react to cyber threats. Understanding of the risk, threat tactics and capabilities, and potential responses is elementary at best. Current response guidance is insufficient and offers no positive actions for fighting through disruptions of operational capability.
Implementing a Tactical Cyber Capability
Implementing a tactical cyber capability is a challenge that must be addressed from multiple perspectives: national classification policy, knowledge development, organizational redesign, workforce improvements, infrastructure improvement, and the creation of specific tactics, techniques, and procedures.
To address over-classification, an effort to declassify cyber capability information should be undertaken, including any information that has already leaked through unauthorized disclosures of classified material. Adversaries are going over leaked information with a fine-tooth comb, and the Department of Defense (DoD) personnel expected to plan and fight in the cyber domain must have at least equal knowledge. Emergent Fleet training events should be used to disseminate information on capabilities and vulnerabilities quickly.
Cyber capabilities, both friendly and adversary, must be included in operational planning to improve understanding of adversary tactics and to identify and protect against vulnerabilities. Operational plans should contain a kinetic, a non-kinetic, and a combined/cooperative plan for each rival platform or capability.
The ideal place to institute a significant improvement in cyber capabilities is the newly formed IWC structure resident in CSGs. The IWC will need more expertise at its disposal, as the number of technicians now assigned is insufficient. The IWC construct is also useful because it ensures that cyber capabilities integrate seamlessly into CSG operations in support of all maritime warfare areas. The Center for Naval Analyses is an ideal organization to study the implementation and determine its effectiveness and its impact on other CSG missions.
No improvement in cyber capability is possible without professionalizing the workforce, which requires increased manning, increased pay, and rigorous training. This workforce should be equipped with live reach-back assistance, detailed tactics, techniques, and procedures, and robust maintenance documentation. Maintenance and monitoring should extend to off-site organizations where logs, configurations, and sensors can be monitored in real time by automated data science tools and by specialized personnel assigned in direct support.
Network infrastructure must also be improved to support tactical-level cyber capabilities. One crucial technical advance is installing private cloud infrastructure on all afloat platforms, giving tactical commanders their own disconnected data centers when communications are denied or degraded. A complementary virtual desktop infrastructure is also needed; it removes many avenues of approach for client-targeted malicious software and reduces the success of insider attacks and client-side data exfiltration. Lastly, a private cloud infrastructure synchronized with established baselines consolidates configuration management, so drift from the approved configuration can be detected and corrected, significantly reducing vulnerabilities.
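The baseline comparison described here (and the scarcity of baselines noted under Challenges to Overcome) is concrete enough to show in code. The following is an added illustration, not code from the article or from any Navy program: a signed configuration baseline, a drift check against an observed configuration, and a mapping from drifted settings to the critical functions a commander would want reported. The key, the setting names, the sample configurations, and the function mapping are all constructed for the example.

```python
"""Configuration baseline drift check (added illustration; constructed data).

A baseline is an envelope of per-setting hashes, authenticated with an HMAC so a
tampered baseline is refused rather than silently trusted. Drift is reported per
setting and rolled up to the critical functions those settings support.
"""
import hashlib
import hmac
import json

# Constructed key. In practice this would be held by the private cloud's key
# store, not written into source.
BASELINE_KEY = b"example-baseline-signing-key"


def _canon(obj) -> bytes:
    """Deterministic serialization so equal configs always hash equal."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _item_hashes(config: dict) -> dict:
    return {k: hashlib.sha256(_canon({k: v})).hexdigest() for k, v in config.items()}


def sign_baseline(config: dict) -> dict:
    """Produce the approved baseline: per-setting hashes plus an HMAC over them."""
    items = _item_hashes(config)
    tag = hmac.new(BASELINE_KEY, _canon(items), hashlib.sha256).hexdigest()
    return {"items": items, "hmac": tag}


def verify_baseline(baseline: dict) -> bool:
    """Refuse a baseline whose hashes no longer match its tag."""
    expected = hmac.new(BASELINE_KEY, _canon(baseline["items"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, baseline["hmac"])


def drift_report(baseline: dict, observed: dict) -> dict:
    """Compare an observed config to the baseline; localize every difference."""
    if not verify_baseline(baseline):
        raise ValueError("baseline failed integrity check; comparison would be meaningless")
    base, obs = baseline["items"], _item_hashes(observed)
    drifted = sorted(k for k in base if k in obs and obs[k] != base[k])
    missing = sorted(k for k in base if k not in obs)
    unexpected = sorted(k for k in obs if k not in base)
    return {"drifted": drifted, "missing": missing, "unexpected": unexpected,
            "clean": not (drifted or missing or unexpected)}


# Constructed mapping from settings to the critical function they support.
CRITICAL_FUNCTIONS = {
    "boundary protection": ["fw.default_policy", "fw.allowed_ports"],
    "remote logging": ["syslog.remote", "audit.enabled"],
    "time sync": ["ntp.servers"],
}


def impacted_functions(report: dict) -> list:
    """Critical functions that can no longer be assured, given a drift report."""
    bad = set(report["drifted"]) | set(report["missing"])
    return sorted(f for f, keys in CRITICAL_FUNCTIONS.items() if bad & set(keys))


# Constructed sample configurations.
BASELINE_CONFIG = {
    "fw.default_policy": "deny",
    "fw.allowed_ports": [22, 443],
    "ssh.password_auth": False,
    "ntp.servers": ["ntp-a.local", "ntp-b.local"],
    "syslog.remote": "soc-collector.local",
    "audit.enabled": True,
}
OBSERVED_CONFIG = {
    "fw.default_policy": "deny",
    "fw.allowed_ports": [22, 443, 8080],  # drift: extra listener opened
    "ssh.password_auth": True,            # drift: weaker authentication
    "ntp.servers": ["ntp-a.local", "ntp-b.local"],
    "audit.enabled": True,                # syslog.remote is missing entirely
    "debug.telnet": True,                 # setting not in the baseline at all
}

if __name__ == "__main__":
    report = drift_report(sign_baseline(BASELINE_CONFIG), OBSERVED_CONFIG)
    print(json.dumps(report, indent=2))
    print("functions not assured:", impacted_functions(report))
```

Keying the report to critical functions rather than raw settings is the point for the commander: a changed port list is a technician's detail, but "boundary protection cannot be assured" is a decision input.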
AI and big data analytics must be fused with network systems to analyze vulnerabilities, potential breaches, and offensive and defensive options at machine speed. These should feed a robust intrusion detection/prevention system with real-time monitoring and alerts. Significant investment is also needed in graphical displays and augmented reality to enhance decision making for all combat missions, including OCO, DCO, and daily network operations.
The risk that adversary cyber capabilities will be used against afloat units is high, and cyber “general quarters” TTPs must be developed to respond to attacks. Technicians must be able to recognize the signs of infected and infiltrated networks and notify commanders when the reliability of information from a system cannot be assured. They must learn how to fight through degradation, including rerouting over alternate paths. Every function should have a disconnected, analog backup to ensure it still works in worst-case scenarios.
Executing network maneuvers in response to threats will be required, so the system must be agile in both its security and its operational posture. The security posture should follow InfoCon guidance and be rapidly reconfigurable, with the ability to fine-tune configurations. The operational posture must likewise be quickly reconfigurable to adapt to varying operating conditions and bandwidth.
In combat, the network will suffer damage, physical or virtual, making damage control essential. Single points of failure must be eliminated. The afloat network, including engineering and combat systems, must have multiple layers of redundancy and the readiness to build temporary or special-use networks as required.
Lastly, afloat units should prepare to operate completely disconnected. The network must be fully operable in an entirely disconnected state, without errors or degradation. Network technicians must have the knowledge, skills, and abilities to take local control of all hardware, software, and infrastructure and make changes as required. All institutions, military and civilian, that communicate or exchange data with ships at sea should prepare to operate without that connection. It must be determined how the missions and tasks of ashore organizations will be accomplished when normal communications with afloat platforms are impossible.
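Knowing when information from a system can no longer be assured is exactly the problem the scenario's altered radar indications and silenced alarms create. The following is an added illustration, not from the article or any shipboard system: each telemetry record from an engineering controller is chained to its predecessor with an HMAC, so a console can detect altered, forged, removed, or reordered records, and a plausibility cross-check flags indications that contradict each other (a radar claiming to radiate while drawing almost no power). The record format, key, thresholds, and sample telemetry are constructed for the example.

```python
"""Tamper-evident telemetry feed (added illustration; constructed data).

Sensor side appends HMAC-chained records; console side verifies the chain and
cross-checks indications. Any finding means the commander should be told that
information from this system cannot be relied on.
"""
import copy
import hashlib
import hmac
import json

# Constructed key. On a real platform it would be held by the controller and the
# verifying console, never by the general-purpose network in between.
FEED_KEY = b"example-telemetry-feed-key"
GENESIS = "0" * 64


def _canon(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _tag(seq: int, prev: str, payload: dict) -> str:
    body = {"seq": seq, "prev": prev, "payload": payload}
    return hmac.new(FEED_KEY, _canon(body), hashlib.sha256).hexdigest()


def append_record(chain: list, payload: dict) -> dict:
    """Sensor side: bind each record to the previous record's tag."""
    seq = chain[-1]["seq"] + 1 if chain else 0
    prev = chain[-1]["tag"] if chain else GENESIS
    rec = {"seq": seq, "prev": prev, "payload": payload, "tag": _tag(seq, prev, payload)}
    chain.append(rec)
    return rec


def plausibility_findings(payload: dict) -> list:
    """Cross-check indications that must agree (constructed thresholds)."""
    out = []
    if payload.get("radar") == "radiating":
        if payload.get("power_kw", 0) < 5.0:
            out.append("radar reports radiating but power draw is near zero")
        if payload.get("chw_flow_lpm", 0) <= 0:
            out.append("radar reports radiating with no chilled-water flow")
    return out


def verify_feed(chain: list) -> tuple:
    """Console side. Returns (assured, findings)."""
    findings = []
    prev, expected_seq = GENESIS, 0
    for rec in chain:
        seq = rec["seq"]
        if not hmac.compare_digest(_tag(seq, rec["prev"], rec["payload"]), rec["tag"]):
            findings.append(f"seq {seq}: tag mismatch, record altered or forged")
        if rec["prev"] != prev:
            findings.append(f"seq {seq}: chain break, earlier records removed or reordered")
        if seq != expected_seq:
            findings.append(f"seq {seq}: sequence gap, expected {expected_seq}")
        for f in plausibility_findings(rec["payload"]):
            findings.append(f"seq {seq}: {f}")
        prev, expected_seq = rec["tag"], seq + 1
    return (not findings, findings)


def honest_feed() -> list:
    """Constructed sample: radar radiates, cooling is lost, radar shuts down."""
    chain = []
    append_record(chain, {"radar": "radiating", "power_kw": 42.0, "chw_flow_lpm": 120})
    append_record(chain, {"radar": "radiating", "power_kw": 41.5, "chw_flow_lpm": 118})
    append_record(chain, {"alarm": "CHW_FLOW_LOW", "chw_flow_lpm": 3})
    append_record(chain, {"radar": "stopped", "power_kw": 0.4, "chw_flow_lpm": 0})
    return chain


def tampered_feed() -> list:
    """Constructed attack: drop the alarm record and rewrite the last record so
    the radar appears operational. The attacker cannot recompute tags."""
    chain = copy.deepcopy(honest_feed())
    del chain[2]
    chain[-1]["payload"]["radar"] = "radiating"
    return chain


if __name__ == "__main__":
    for name, feed in (("honest", honest_feed()), ("tampered", tampered_feed())):
        assured, findings = verify_feed(feed)
        print(f"{name}: assured={assured}")
        for f in findings:
            print("  ", f)
```

The chain and the cross-check catch different attackers: the HMAC chain catches anyone who edits the feed in transit or on the console side, while the plausibility check still fires when the attacker controls the controller itself and signs a false indication, because the physics it claims do not add up.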