The following essay by CWO4 Kevin Schneider was submitted in the U.S. Naval Institute Cyber Essay Contest – Sponsored with DXC Technology:
CYBER WARFARE IN THE FIELD
TACTICAL COMMANDERS REACHING FOR THE CLOUDS TO WIN WARS
JULY 26, 2017
Word Count: 2329
Since the end of the Cold War and the terrorist attacks that occurred on September 11, 2001, the U.S. Intelligence Community (IC) and Combatant Commander (COCOM) components have drastically changed the way they conduct business. Sweeping changes were made based on executive decisions that included the establishment of the Department of Homeland Security (DHS), U.S. Cyber Command (USCYBERCOM) and new laws that provide the framework to address today’s threats. USCYBERCOM, which is headed by the Director of the National Security Agency (DIRNSA), focuses on Computer Network Defense (CND), Computer Network Exploitation (CNE) and Computer Network Attack (CNA). In that regard, DIRNSA wears two hats, which fall under Title 10 (traditional military) and Title 50 (intelligence and covert) authorities. USCYBERCOM has been suited to conduct Title 10 operations since its establishment in 2009, which gives the organization offensive cyber authorities, or nonlethal fires. Since the U.S. has witnessed cyber terrorism by both state and non-state actors, “future conflicts will contain cyber elements at both the operational and strategic levels. Regardless of asymmetries in other capabilities, cyber components and capabilities are now part of the battlefield and the strategic environment writ large” (Cilluffo, 2013).
On July 21, 2017, Chief of Naval Operations (CNO) ADM Richardson acknowledged that future conflicts will contain cyber elements while speaking at the Naval Future Force Science and Technology Expo in Washington D.C. The CNO reinforced his ongoing effort to increase both the size and the capability of the fleet, relying on the notion to ‘network everything to everything’ and allow sensors and weapons payloads to become a service available to fleet commanders (Duffie, 2017). The CNO further discussed that networking everything together, from the numbered fleet commander to an individual pilot in a cockpit, would facilitate a collection of all the sensors operating in the theater and make use of all weapons [kinetic and non-kinetic], with both the incoming data and the outgoing munitions being a ‘service’ for all operators.
This essay explores how fledgling cyber initiatives at the COCOM component level can evolve and address cyber threats operating in multiple domains of the battle space. Terrorists of today as well as nefarious state actors have forced the U.S. to address this strategic threat not only at home and abroad, but also in the cyber domain. Over the past two decades we have witnessed a massive expansion in globalization. According to Internet World Stats, the number of Internet users in Afghanistan in 2000 was zero. By the year 2017, over 4 million users were reported (IWS, 2017). Additionally, over the past two decades, the world has seen a dramatic expansion of cell phone, satellite and microwave networks in most third world countries. This essay will demonstrate an unprecedented requirement for cyber defense capabilities at the COCOM component level as well as delivery of nonlethal fires at a moment’s notice. Reflecting on the CNO’s recent comments, the need for tactical commanders to be networked and to share intelligence in order to conduct cyber effects has never been more crucial.
DESIRED CYBER CAPABILITIES IN SUPPORT OF TACTICAL COMMANDERS
According to Vice Admiral Gilday, Commander of U.S. Fleet Cyber Command/U.S. Tenth Fleet, five strategic goals have been detailed to underpin Cyber efforts (USSC, 2017):
- Operate the network as a war fighting platform
- Conduct Tailored Signals Intelligence (SIGINT)
- Deliver war fighting effects through cyberspace
- Create shared cyber situational awareness
- Establish and mature Navy’s Cyber mission forces.
These strategic goals not only apply to the U.S. Navy, but to all services operating under their respective COCOMs. As we partner across the U.S. cyber community to deliver integrated fires, COCOM components are often the first responders to detect, share and act. At the tactical level, cyber elements are uniquely positioned to carry out mutually beneficial solutions that span the spectrum of all warfare areas as illustrated by the following figure (SECNAV, 2016):
Therefore, as a tactical level cryptologist or cyber operator, the most desired and advantageous capability would be a joint mesh network that drastically shortens the kill chain for integrated nonlethal fires or to conduct CNE. Simply stated, a wireless mesh network extends the capabilities of an existing data network using radio technology. Each node within the mesh network would have the capability to transmit and receive using Software Defined Radios (SDRs). By using SDRs, multiple nodes can be strategically placed in areas to enable cyber operations wherever required. The following figure illustrates the concept of a maritime mesh network (Hazra, 2010).
Mesh networks can be cascaded, or one mesh can be used as a backbone, interconnecting another mesh. Because mesh networks use transmitters, they are inherently detectable. For this reason, advanced encryption would be used to provide network security. It is not possible to prevent detection of radio signals; however, it is possible to prevent packet decoding or mesh access.
An advantage of mesh networks with regard to cyber operations is that a maritime (or mobile) node can be utilized by a cyber operator/analyst remotely from across the globe using an enterprise Local Area Network (LAN) (FireTide, 2008).
In theory, an operator in Hawaii could access the enterprise LAN and deliver cyber effects to a target in the Indian Ocean via cooperative nodes within the footprint of an established mesh network. At the COCOM level, Joint Cyber Centers (JCCs) would manage these targeting efforts to create desired effects with the least risk and least expenditure of time and resources. Given our current global cyber environment, for time-sensitive targets (TST) that present a significant threat to friendly forces or allies, the JCC would be postured to allocate intelligence collection and engagement assets (mesh nodes) to support find, fix and finish operations (JP 3-60, 2013) in the field. Because of globalization, wireless access is available almost everywhere. There are many successful efforts using the 802.11 based technologies to create wireless backbones that can be leveraged to carry out federated CND, CNE and CNA. By utilizing mesh networks, this technology can be securely implemented to serve a multi-domain wireless backbone on land, at sea and in the air with reliable extended ranges.
In addition to tactical maritime units, dismounted and Special Forces personnel must rapidly adapt to hostile environments and need to acquire relevant operational information as quickly as possible. SDRs within a mesh network would deliver a paradigm shift in operational awareness on the battlefield as a platform would be enabled to sense the surrounding Radio Frequency (RF) environment (including VHF/UHF/SHF emitters over the horizon), join a target network and deliver effects against TSTs on the move. The ability to sense the RF spectrum, coupled with cyber tools, provides a tactical platform the ability to quickly deliver network information and/or effects not previously available to untethered operators. The graphic below shows a U.S. Marine setting up a mobile SIGINT system which could also be used as a tethered mesh node to support cyber operations in the field (RAND Corp., 2017).
To maximize the full potential of an RF cognizant, mobile computing node (passive and active SDRs), dynamic network sensing and discovery techniques would be managed and supported by a geographic JCC. In addition, establishing a standing Concept of Operations (CONOPS) approved by USCYBERCOM to enable COCOM JCCs would greatly enhance this capability. A CONOPS would allow a tactical commander to rapidly carry out CNE and/or CNA operations by providing pre-authorization as dictated by Rules of Engagement (ROE).
This effort would focus on the discovery and engagement of local area wireless communications networks encountered in the battlefield, utilizing the unique capabilities of SDRs onboard mobile maritime/air platforms or man packable radios. The access would include, as tactical commander requirements dictate, a capability to join IEEE standard 802.11/16 wireless networks, Automatic Identification System (AIS), low bandwidth links, satellite communications and/or cellular networks, in addition to military communications systems.
In summary, using this type of integrated mesh network to tie tactical units with geographic JCCs via an Enterprise LAN would advance all five Strategic Goals outlined by VADM Gilday to the Senate Armed Services Committee. A pre-approved CONOPS would address such areas as Title 10/Title 50 authorities, deconfliction mitigation to avoid fratricide as well as legal parameters to address ROE. The end goal is to essentially ‘push down’ all necessary authorities to the lowest tactical level possible to rapidly address timeliness requirements of cyber operations in the field.
HOW TO SUPPORT COMMANDERS AND OPERATORS IN THE FIELD
Supporting fellow tactical commanders and operators in the field is an extremely dynamic and achievable endeavor when joint efforts are leveraged across all warfare areas. Support to Navy cyber units alone is a daunting task – “the Navy Networking Environment currently consists of more than 500,000 end user devices; an estimated 75,000 network devices (e.g., servers, domain controllers); and approximately 45,000 applications and systems across three security enclaves” (USSC, 2017). By incorporating lessons learned from Operation Rolling Tide, for example, we can further develop tactics, techniques and procedures (TTP) to support future cyber operations. Operation Rolling Tide was the U.S. Navy’s first named cyber operation, “in which at least five Naval units were dispatched to defend against an Iranian intrusion to unclassified networks, with attackers seeking to impair command and control capabilities as well as conduct basic reconnaissance to potentially be used at a later date” (Pomerleau, 2016).
This event can be considered a catalyst for driving change in how we support tactical commanders in the future. “The best defense is a good offense” is a saying known as the Strategic Offensive principle of war. Supporting tactical units should tie all warfare areas to include SIGINT (Title 50) and Electronic Warfare (Title 10) areas to enable cyber operations. As previously suggested, COCOM JCCs would include target subject matter experts as well as embedded Combat Support Agencies to provide mission support and guidance to tactical commanders. All disciplines of intelligence would be used, to include imagery intelligence (IMINT) in order to provide the best fused product possible.
While supporting CND, CNE or CNA operations at the tactical level, the most valuable element is providing timely and relevant information. A tailored approach to supporting such tethered operations provides operators the five W’s: who, what, where, when and why. The logic behind having a COCOM specific JCC is to provide a tailored support package to the component that is relevant to the mission and facilitates quick reaction. Support packages would include elements such as lessons learned on specific target sets, case studies, recommended TTPs as well as relevant SIGINT data to carry out swift operations. Support packages would be provided based on specific Courses of Action (COAs) that specifically address the commander’s intent and/or requirement. Under such COAs, support packages would be rapidly validated and delivered to the field to be implemented. Four factors will help determine which COA is the most practical, “proximity, frequency, expertise and containment of effects” (RAND Corp, 2017). This approach to supporting cyber operations would overall be conducted jointly and at all echelons, and would include both defensive and offensive aspects.
In the end, the overall strength of conducting cyber operations at the tactical level comes from the ability to mix and match capabilities and authorities to optimize the operational effectiveness of assets. Through interagency partnerships present at facilities such as the JCC, each participating organization’s representative protects the equities of their agency but, through sharing physical space with other participating organizations, manages to share the information needed for situational awareness. To provide the best support possible, it is up to service specific individuals supporting their elements to develop close working relationships with all participating organizations. By being ‘the man-in-the-loop’, effective support can be achieved by ensuring that all goals and objectives of involved organizations are met.
The unknown future of U.S. Cyber missions and what tactical cyber operators are authorized to do today suggests that authorities for these operations will remain granted and managed at higher echelons. Cyber strategists and planners will need to move towards more flexibility at tactical levels as globalization expands and our foes become increasingly sophisticated. Tools such as dedicated mesh networks for cyber operations will help keep the U.S. foot in the door by providing cyber effects on the fly. The type of technology as provided by a secure mesh network as well as cyber support as mentioned in this essay can and would save lives. We have witnessed the evolution of technological advances by our adversaries – Jihadi-approved encryption software and the use of commercially available smart phone ‘apps’ that utilize proprietary encryption to communicate over cellular and/or computer networks securely. Another alarming example is the advancement of Islamic State (ISIS)-owned drones. ISIS drones have been used for reconnaissance as well as deployment of airdropped improvised explosives as shown in the ISIS video screen grab below (Counterextremism, 2017).
Having a tactically fielded cyber option (e.g., a mesh node onboard an unmanned aerial asset) for this type of threat could potentially avoid coalition casualties and ultimately ensure positive strategic outcomes. Deploying unsophisticated anti-drone equipment in volatile areas such as Mosul, Iraq, can be extremely dangerous and costly. “U.S. soldiers moving devices [counter-drone] around Mosul have come under fire from the Islamic State, at least once while scouting for deployment sites” (Martins & Nakashima, 2017). Not only are terrorist organizations operating drones, state actors such as Iran have routinely operated their drones in close proximity to U.S. forces; “last week, an Iranian Shahed-129, a drone roughly the size of a U.S. Predator – attacked U.S. led Special Operations forces near the border outpost of al-Tanf” (Martins & Nakashima, 2017). This is just a small sample of real-world scenarios that our forces face today. Having had the opportunity to speak with ADM Rogers in 2016 during his visit to U.S. Central Command, Tampa, FL, we asked him what he thought of our current state of cyber readiness. He responded with, “it’s like trying to fly an airplane while it’s being built,” a very profound and insightful response by a tremendous leader.
REFERENCES
Cilluffo, Frank. Strategic Studies Institute. Preparing for Netwars. 2013. http://www.strategicstudiesinstitute.army.mil/pubs/Parameters/issues/Winter_2013/11_CilluffoandClark.pdf
Counterextremism. Digital Developments: Extremists’ Use of Modern Communication Tools. 2017. https://www.counterextremism.com/content/digital-developments-extremists-use-modern-communication-tools
Department of State (DOS). Patterns of Global Terrorism 2001. May 2002. http://www.state.gov/documents/organization/10319.pdf
Duffie, Warren. CNO: How Can U.S. Navy Prevail in Contest for Maritime Supremacy?. July 24, 2017. https://www.onr.navy.mil/en/Media-Center/Press-Releases/2017/CNO-Keynote-Address-2017-Expo
FireTide, Inc. Planning and Installing your Wireless MESH. March 2008. http://www.winncom.com/images/stories/Firetide_WP_Designing_Deploying_Firetide_Mesh_Network.pdf
Hazra, Sukanta. Topology Broadcast in Maritime MESH Networks with directional Antennas – A practical Approach. October 31, 2010. http://ieeexplore.ieee.org/document/5680011/
Internet World Stats (IWS). Usage and Population Statistics. Internet Usage and Population for Afghanistan. 2017. http://www.internetworldstats.com/stats3.htm
Joint Chiefs of Staff. Joint Targeting. Joint Publication 3-60. January 31, 2013. https://www.cfr.org/content/publications/attachments/Joint_Chiefs_of_Staff-Joint_Targeting_31_January_2013.pdf
Martins & Nakashima. Stars and Stripes. ISIS Drones are attacking U.S. Troops and disrupting airstrikes in Raqqa. June 14, 2017. https://www.stripes.com/news/middle-east/officials-isis-drones-are-attacking-us-troops-and-disrupting-airstrikes-in-raqqa-1.473476#.WXUK-a2ZNBw
Pomerleau, Mark. Cyber Defense. Navy Makes Plans for Cyber R&D. February 24, 2016.
RAND Corp. Tactical Cyber. Building a Strategy for Cyber Support to Corps and Below. 2017. http://www.rand.org/content/dam/rand/pubs/research_reports/RR1600/RR1600/RAND_RR1600.pdf
Secretary of the Navy (SECNAV). Navy Cryptologists: Leaders Across the Spectrum. June 2016. http://www.secnav.navy.mil/innovation/Documents/2016/06/NavyCryptologyVisionAndGuidance_Jun2016_Full.pdf
United States Senate Committee (USSC). Senate Armed Services Committee. Cyber Posture, 1st Session 115th Congress. May 23, 2017. https://www.armed-services.senate.gov/hearings/17-05-23-cyber-posture-of-the-services