Thankfully the world has been fortunate enough to avoid witnessing a third world war. No one knows for sure how long that will last with present military engagements around the globe in countries such as Afghanistan, Iraq, Syria, and Yemen, to name a few. As of September 2018, it has now been just over 73 years since the end of World War II (Sept 1, 1939, to Sept 2, 1945). There were fewer than 21 years between WWI (July 28, 1914, to November 11, 1918) and the start of WWII. Modern military history reveals that there have been numerous small wars (e.g., Korea, Vietnam, Iraq 2003, Afghanistan) and smaller engagements (e.g., Beirut, Kuwait/Iraq 1990–1991, Ukraine) since WWII.
Given humanity’s history of engaging in wars for religious, ideological, political or other reasons every so often, statistically it’s only a matter of time before another polarizing major world war takes center stage. That is, of course, unless humanity has learned its lesson from the last two world wars, which modern history has arguably demonstrated it has not. Should there be a third world war, the only unknowns are what will trigger it, which nations will be involved, and whether it will be nuclear or not. I realize that this is a sobering thought to ponder, but there are several global indicators, any one of which could catapult the world into another world war. One could argue that one of those indicators is the willingness of several national governments to strategically employ cyber espionage and cyber attacks as instruments of intelligence collection and information warfare.
There has been a great deal of speculation surrounding whether or not a war could ever be triggered as a result of a cyber attack. Hopefully, it never comes to that, but, of course, hope is not a course of action that as a nation [we Americans] have the luxury of relying on. Is it possible? Yes. Is it probable? Perhaps, yes. While it may seem to some unlikely to occur, that does not preclude it from occurring, nor does it mean that it isn’t a possibility that world leaders and military strategists should plan for. We plan for nuclear attacks and develop costly missile defense systems should the unthinkable ever happen; why is it not the same for cyber warfare? Computer network attack (CNA) and computer network espionage (CNE) operations can have tangible effects in the real world, such as when critical infrastructure systems are shut down or damaged; banks are hacked and large sums of money are stolen; or when sensitive information is remotely exfiltrated from a protected information system.
Make no mistake about it, the U.S. is already at war in cyberspace, and it is the target of a massive volume of daily cyber attacks from all over the world. It is lonely for the U.S. being at the top of the technological ladder. Everyone else wants to steal what we’ve worked so hard to research and develop (R&D). Our job is to ensure that never happens, but as a nation, we are failing badly in terms of U.S. cybersecurity of critical infrastructure. One analogy is that it’s as if we are leaving the lid to the cookie jar wide open with a big sign encouraging adversaries to grab as many cookies as they want. In fact, research conducted by the FBI cited that, “…more than 4,000 ransomware attacks occur daily…and 230,000 new malware samples are produced every day.”
Is there a specific trigger point that would cause a country like the U.S. to declare war against another country following an alleged cyber attack against it? A large-scale cyber attack that either shut down or damaged another country’s critical infrastructure systems may be that trigger point. For instance, suppose Russia or China were to shut down America’s power grids for a prolonged period of several days. Imagine the economic impact that would have. To put this into comparison, the terror attacks of 9/11 had immediate and long-term economic effects that we’re still struggling with today, 17 years later. The New York Comptroller’s Office estimated that damages were $55 billion, but that doesn’t even begin to scratch the surface of how much money was lost from shutting down the entire fleet of commercial aircraft, and from the airports, retail stores, banks, and government offices that closed for days afterward. The point being that electricity is vital to just about everything in modern society, and without it there is no Internet. Without electricity, life suddenly becomes much harder, especially for the disabled, the sick, and the elderly. It would be like hitting the reset button and teleporting an entire country back to the 1800s.
Military Power Projection in the Traditional Sense
Arguably, no other country in the world is capable of projecting military forces as efficiently or as quickly as the United States can. A quick comparison of the largest navies around the world shows that North Korea maintains the largest fleet with 967 ships, followed by China with 714 ships, and the U.S. Navy with 415 vessels. The readiness and capabilities of these foreign fleets are a separate question, and in no way match U.S. Navy capabilities, but the point is that these ships can be used to project forces globally, as can fleets of military and civilian aircraft. Global projection of military power is performed in the 21st century using multi-modal transportation systems: land (vehicle, rail), air, and sea.
Power projection (or force projection) is a term used in military and political science to refer to the capacity of a state “to apply all or some of its elements of national power — political, economic, informational, or military — to rapidly and effectively deploy and sustain forces in and from multiple dispersed locations to respond to crises, to contribute to deterrence, and to enhance regional stability.” ~ Joint Publication 3–35, Deployment and Redeployment Operations
Military power projection essentially boils down to logistics, which is the special ingredient that makes it possible. For instance, if some psychopathic dictator starts threatening to kill off his rival political factions, the U.S. can and has in the past parked an Amphibious Ready Group (ARG)/Marine Expeditionary Unit (MEU) off the coast as a political deterrent or as a show of force. It is curious how regime behavior changes when there are three or four U.S. naval ships with jets and helicopters flying around off your coastline. It is the same reason that the U.S. patrols the South China Sea or the Black Sea. The Chinese and Russians vehemently protest and verbally contest their presence, but the U.S. is sending a message loud and clear that it isn’t afraid and it is keeping an eye on things. Without logistics, military power projection is impossible to achieve. Or is it? The overwhelming consensus has traditionally supported the theory that cyberspace cannot be used to project power.
“Finally, there are inherent limitations to the scale and magnitude of the costs that can be imposed solely through cyber campaigns. Cyber weapons lack the inherent violence of conventional and nuclear forces, or even terrorist attacks.” ~ Erica D. Borghard & Shawn W. Lonergan excerpted from a Council on Foreign Relations blog post
Let’s examine this quote a bit further, shall we? “There are limitations to the scale and magnitude of the costs that can be imposed solely through cyber campaigns.” Really? What are these limitations? I must have missed the memo on that. So, if this statement is to be believed, then how does one even begin to calculate the costs associated with our ability to conduct CNA and CNE actions to deny an enemy the ability to access communications such as phones and the Internet on a wide scale (i.e., via DDoS attack); to deny an enemy the ability to utilize critical infrastructure such as energy, water and wastewater systems (i.e., an Industrial Control System [ICS] Trojan capable of remote code execution); to deny access to emergency services such as 9–1–1 and transportation systems such as buses, trains, and planes; to deny access to financial systems such as banks and ATMs, with the stock market closed; and to deny access to government services, which wouldn’t be able to operate without computer systems and database access? The list goes on and on. The fact that cyber weapons lack the “inherent violence of conventional and nuclear forces, or even terrorist attacks” should be considered a strength, not a weakness. If a government doesn’t want a messy situation with the collateral damage that typically results from conventional warfare, it can use cyber weapons and get a very similar if not greater return on investment (ROI).
A massive Internet of Things (IoT) DDoS attack against Internet Service Providers (ISPs) could bring down the entire Internet if it were powerful enough. To put that in context, the Mirai botnet with only 145,000 devices served up 1.1 terabits per second (Tbps) against French hosting provider OVH. When critical infrastructure is targeted in the manner described here, the total cost could be dramatic because it is difficult to quantify the cost of denied access for a sustained period. Quantified on a national scale, DDoS attacks alone could easily inflict tens or hundreds of millions of dollars in economic damage on a Web-reliant economy in as little as 24–48 hours. If a DDoS attack only lasts a few hours, then losses may be minimal.
However, if DDoS attacks are sustained for days on end and they cannot be absorbed by load-balancing safety nets such as Google’s Project Shield or Cloudflare, they could cause widespread financial losses, and citizens may riot, placing increased pressure on government and law enforcement resources. Using cyber attacks to plant the seeds of civil unrest would not be a difficult task. Were the Iranian centrifuges that were damaged by Stuxnet re-usable? No, most were bricked and useless afterward thanks to subtle code modifications that altered their normal spin rates, causing them to self-destruct. These types of malware exploits require a great deal of time, skill, and resources to develop, but CNE actions enable the acquisition of the intelligence information necessary to pull off an exploit like Stuxnet. It is far from impossible in the increasingly connected world that we live in. And this is precisely the type of cyber reconnaissance work that Russian and Chinese APTs are performing against the U.S. now. The U.S. military and Intelligence Community (IC), as well as those of other nations, would be remiss in their duties if they were not tracking cyber vulnerabilities that could be used against one another.
It’s also important to point out that the chances of successfully executing a coordinated cyber attack of this magnitude against an entire nation-state like Russia or China would range from very difficult to next to impossible given the scope of such an operation, and restoration of critical infrastructure could be performed manually at some point. This is where air-gapping of critical infrastructure systems becomes a major advantage, the concept being that one gives an enemy less of an attack surface to exploit, or at least the enemy will have to work much harder to exploit it.
A quick perusal of Shodan.io yields thousands upon thousands of vulnerabilities in connected critical infrastructure systems around the globe. Attacking numerous systems at once would require an attacker to possess deep resources and a well-defined targeting order of footprinted and enumerated IP addresses for follow-on DDoS attacks, strategically planted logic bombs, and other cyber weapons in the arsenal that would affect various sectors of the enemy’s critical infrastructure. This is not outside the capabilities of an organization such as U.S. Cyber Command, however. Simultaneous attacks give the element of surprise. Timing and deception are paramount. And just because something has a small chance of success, it doesn’t mean it is impossible or that it shouldn’t be attempted.
“A military operation involves deception. Even though you are competent, appear to be incompetent. Though effective, appear to be ineffective.” ~ Sun Tzu, The Art of War
Military Power Projection through Cyber Warfare
Offensive cyber attacks can be categorized under any one of the four elements of national power (political, economic, informational, or military) because offensive cyber attacks can be employed by U.S. Cyber Command to target any one of those elements belonging to an adversary. The exact opposite is also true: the U.S. must keep adversaries from being able to digitally disrupt our political, economic, informational, and military information and weapon systems through computer network defense (CND).
“For the United States, the lesson is demonstrative — without USTRANSCOM’s engaged cyberspace presence, an adversary could disrupt or deny movement within our distribution network and compromise or corrupt sensitive information. Without a corresponding cybersecurity focus to complement our developing physical capabilities, adversaries will augment their conventional forces with robust and practiced digital disruption skills to target our softer delivery support systems. This disruption may transcend USTRANSCOM’s ability to deny, deter, or defeat, placing the nation’s strategic objectives at greater risk. Logistics readiness is wartime readiness, and that means we need to guarantee superiority in the cyber domain to survive and operate effectively in the more traditional domains.” ~ General Darren W. McDew, USAF, Commander of U.S. Transportation Command, one of [ten] Unified Commands under the Department of Defense; excerpted from PRISM Volume 7 No 2.
Shaping the Battlefield in Cyberspace
Shaping the battlefield is a term used to denote military pre-actions taken to set the conditions for successful future combat actions within a specific battlespace. Essentially, shaping the battlefield is stacking the deck in one’s favor. If the U.S. wants to shape the cyberspace battlefield, it has to ensure that it has robust offensive and defensive cyber capabilities. Russia has proven adept at influencing political elections internationally, time and again, by subverting social media, hacking key individuals’ email accounts through spearphishing, infecting devices and systems with sophisticated eavesdropping malware, hacking servers, and running disinformation campaigns via social media platforms such as Twitter and Facebook.
If the U.S. were to counter Russian cyber operations, one option would be to begin a strategic disinformation campaign against Putin pointing out that his political leadership has held Russian citizens back from achieving greater prosperity on the world economic stage, pitting their fearless leader against his own dissidents. The U.S. could also meddle in Russian election processes as it has done in the past, but that is Central Intelligence Agency (CIA) territory. The CIA is another 3-letter government agency with very capable cyber weapons (see Vault 7 Wikileaks) that are used as instruments of political diplomacy. The entire complement of U.S. government agencies and military capabilities can be brought to bear against adversaries in times of crisis to facilitate national interests in cyberspace.
While outside the scope of this article to speculate as to what actions the U.S. Intelligence Community or U.S. Cyber Command have taken or are presently engaged in terms of offensive cyber or espionage operations, one must assume and hope that the overall U.S. cyber strategy includes an adequate level of offensive cyber, defensive cyber, and cyber espionage activity that is aimed at influencing U.S. interests abroad, defending critical infrastructure systems (to include National Security Systems) domestically, and that is capable of responding in retaliation should the U.S. become the victim of a cyber attack.
One of ten unified commands, U.S. Cyber Command, was only recently established as a 4-star Functional Combatant Command. Previously, Cyber Command was subordinate to U.S. Strategic Command and was commanded by the same general who was also in charge of the National Security Agency (NSA), which was interesting for the simple fact that a single commander had cognizance of the entire DoD suite of offensive and defensive (Title 10 U.S.C., military) cyber weapons, tools, and activities in addition to the NSA’s (Title 50 U.S.C., intelligence) cyber espionage tool arsenal and activities. This has changed now that Cyber Command has been elevated to a Functional Combatant Command.
The role of the functional commands is to support the warfighters abroad in their respective Geographic Combatant Command regions.
“USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.” ~ Mission statement of U.S. Cyber Command
The key words in the mission statement are “conduct full spectrum military cyberspace operations to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.” In this sense, offensive cyber attacks are seen as a force multiplier for actions in the other domains of land, sea, air, and space. Clearly, CyberCom’s mission does not imply power projection, but rather the enabling of military actions on the ground, sea, air, and space. However, it is all in how you view the capabilities and tangible effects that cyber warfare can bring about against an opponent.
Parallels between kinetic offense and offensive cyber attacks
Parallels exist between cyberspace and each of the four elements of national power: political, economic, informational, and military. Those parallels might be the invisible strings we know as networks, but they still exist. Offensive cyber attacks against any one of these four elements could adversely and dramatically affect their performance. If a DDoS attack or a logic bomb, for example, were employed against a targeted system preceding a military strike or ground invasion of some sort, does that not also constitute “projection of military power”? Or a cyber attack could serve as a warning to a foe that there is more to come if they do not cease their actions and change course, in the same way economic sanctions do. Following a well-executed and time-coordinated cyber attack, there may not be ships off the coastline or American troops kicking down doors, but the adversary has received a clear message from the American government, and there was no collateral damage, loss of life, or cost to the environment.
The U.S. is one of 29 member nations that comprise the North Atlantic Treaty Organization (NATO), a political and military security alliance formed in 1949 after WWII to defend against Russian and any other aggression towards its member nations. Article 5 of the NATO Treaty is known as the “Collective Defense” article, and it can be invoked should one ally be attacked. The only time in history that Article 5 has ever been invoked was after terrorists attacked the U.S. on September 11, 2001. When Estonia removed a Soviet WWII statue in the city of Tallinn in 2007, it came under an intense cyber attack attributed to pro-Russian threat actors that more or less blocked all access to the Internet for Estonians over a 24-hour period by way of a Distributed Denial of Service (DDoS) attack. Estonia did not invoke Article 5 for this action, due in part to the short duration of the attack, in which the money for the DDoS operations likely ran out, and partly due to how difficult it can be to positively attribute culpability following cyber attacks. Attribution is a murky science at best given how easy Internet technology has made it to obfuscate digital evidence and cover tracks.
In 2008, the DDoS attacks happened again, this time against Georgia as Russian forces simultaneously invaded the country with their conventional military forces. Since the collapse of the Soviet Union and the end of the Cold War, Russia has unofficially and quietly adopted the fifth domain of cyberspace as a national instrument of political and military pressure while developing cyber units and honing their skills on real-life targets. Though President Putin has publicly denied it on numerous occasions, these Russian state-sponsored APTs have been involved globally in attempts to influence the political elections of countries such as Germany, France, the United Kingdom, and the U.S. in the lead-up to the 2016 Presidential Election. Denial is Russia’s typical modus operandi, but the world is not in doubt as to who is behind these cyber espionage and sabotage attacks.
The real-world cyber espionage and attack examples are beginning to mount up. In 2009 there were the ‘Stuxnet’ and ‘Flame’ malware discoveries, which were later revealed to be a George W. Bush Administration-era joint U.S. (NSA) and Israeli (Unit 8200) offensive cyber weapons operation specifically designed to target uranium enrichment centrifuges in Natanz, Iran. This information came to light after retired Marine General James Cartwright leaked some of the details to the press. We refer to specific malware such as Stuxnet or Flame as cyber weapons because, like actual bombs, they contain destructive payloads: once a system is infected, the payload may include one or more 0day exploits that cripple or subvert the computer system in some manner, rendering it useless or modifying its performance in some way. Cyber weapons like Stuxnet are tough to control, however, once released or wielded in the wild. The intended victim of the malware might not be the only victim, and likely wouldn’t even know such 0days existed until the digital forensic aftermath was examined.
The level of sophistication required to create Stuxnet was simply amazing, which, of course, narrowed the potential list of nations that could have manufactured the code to a select few. That is the telling sign about malware: there are often key indicators upon reverse engineering it that point to who is responsible for creating it. Combine these indicators with current political motivations, and cyber threat analysts can make a strong case for whodunit. Cyber attack attribution is a murky business, though, given the ease with which attackers can obfuscate and cover their tracks.
The ‘BlackEnergy3’ malware version was used by the Russian Advanced Persistent Threat (APT) group Sandworm Team in Ukraine just before Christmas, on 23 December 2015, and shut down the power grid for six hours in the middle of winter. The APT had previously experimented with earlier versions of the BlackEnergy malware, which is specifically designed to target ICS and has grown considerably in capability since its initial discovery in 2007, when it consisted of a simple DDoS attack Trojan; later versions included User Account Control (UAC) bypass features.
More recently, the tropical island of Saint Martin had its Internet-connected systems shut down for an entire day in April 2018. In the grand scheme of things, one day may not seem like much, but it still has some level of detrimental impact. Atlanta, Baltimore, Charlotte, Dallas, and San Francisco have all suffered crippling ransomware attacks that shut down various capabilities and commercial enterprises for days or weeks. The discovery of more and more computer network espionage (CNE) malware targeted at ICS should be alarming for world governments because it indicates that adversaries are attempting to take cyber attacks to the next level. They will actively try to gain footholds in energy grids and other critical infrastructure systems to possibly shut them down or, worse, use these cyber footholds as a precursor to a kinetic military attack.
Space Systems Cyber Warfare
Despite mandates from overarching compliance regulations such as the Federal Information Security Modernization Act (FISMA) of 2002; the National Institute of Standards and Technology (NIST) Special Publication 800–37, Guide for Applying the Risk Management Framework to Federal Information Systems: a Security Life Cycle Approach (Revision 2 is currently in draft-for-comment status); SP 800–53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations (Revision 5 is currently in draft-for-comment status); and the Committee on National Security Systems Instruction (CNSSI) 1253, Categorization and Control Selection for National Security Systems, the DoD has traditionally struggled with protecting its weapons systems for a number of reasons.
“Pentagon officials have acknowledged for years that the department, the military services and defense contractors are under persistent cyber probes and attacks, including from state actors seeking to steal data to gain an economic or technological advantage. The report doesn’t name potential attackers, but it noted that some “advanced threat actors” are aware of the vulnerabilities and “have well-funded units that focus on positioning themselves to potentially undermine U.S. capabilities.” ~ Lolita C. Baldor, The Associated Press
These weapons systems vulnerabilities did not just crop up overnight. They have been festering for years on legacy systems that have been protected from scrutiny due to their sensitivity as classified National Security Systems (NSS). Look no further than the U.S. Strategic Automated Command and Control System, which still uses a 1970s-era IBM Series/1 computer and 8-inch floppy disks according to a 2016 GAO report. There is a false sense of security that because the code and technology are so old, and because the system is likely air-gapped, the system is secure by default since an attacker might not be able to reach or hack it. Shall we also assume that the Russians and Chinese are not actively trying to penetrate our military weapons systems and that they don’t have skilled attackers capable of exploiting potential vulnerabilities? If that isn’t security through obscurity, then I don’t know what is.
A genuinely air-gapped system is an effective part of an overall layered defense strategy, but the fact that the software running these weapons is over 40 years old does not bode well unless it is being maintained and regularly patched against newly discovered vulnerabilities. One has to wonder how difficult it would be for an adversary to pull off a Stuxnet-like cyber attack against a legacy weapon system such as the one described. Surely the DoD has security controls in place to prevent something like that from occurring, but perhaps not, after reading recent GAO reports. The implications of something like that are enormous and scary to think about: nuclear proliferation at the hands of hackers. Consider for an instant if a Russian APT were to somehow hack the U.S. nuclear system and somehow managed to launch U.S. nukes at North Korea, which then responded in kind. I realize that is a stretch of the imagination, but Russia would then have effectively eliminated the U.S., which is arguably its biggest obstacle to achieving world domination.
Space systems cybersecurity is equally essential, as several powerful nations compete for supremacy in the Space domain. The Space domain is so important that President Trump has directed the establishment of a Space Force, a sixth branch of the Armed Forces targeted for stand up in 2020. This means that in the not-so-distant future, the U.S. will be projecting military power through space using cyberspace as an enabler. If cyberspace channels are not secure, however, adversaries may be able to intercept or block communication signals.
How Did Things Get To This Point?
What typically happens is that huge sums of taxpayer money are spent to develop a weapon system, and it goes through the standard defense acquisition process over a number of years. The result is a patchwork quilt of software that is sloppily thrown together like a homemade ham sandwich, with the most basic cybersecurity controls, if any, implemented as Band-Aid fixes afterward. This occurs largely due to the DoD’s focus on offensive capability versus a defensive mindset; its desire to rush weapon systems into operational status before ensuring the system is adequately secured; the vast number of systems it is responsible for protecting; and a persistent shortage and turnover of qualified cybersecurity professionals across the overall DoD cyber workforce of uniformed service members, Government civilians, and contractors. The DoD has only recently taken measures to improve the cybersecurity of these types of weapons systems, which should be quite alarming considering the financial, time, and workforce investments that have already been made in systems such as missile systems, aircraft and naval platforms, and space satellite systems.
Zero-days, Logic Bombs, & DDoS Attacks, Oh My!
So, what exactly qualifies as a cyber weapon, and how could it be used in cyber warfare? There are several different ways that offensive cyber attacks could be used in combination with the projection of military power. Zero-days (0days) are essentially flaws in software or hardware code, called vulnerabilities, that are exploitable and not yet known to the vendor. Since these 0day exploits are unknown, there is no digital signature that anti-malware software can use to detect and quarantine them. Only after an exploit is discovered can the malware be detected by signature. Heuristic Intrusion Detection/Prevention Systems (IDS/IPS) may be able to detect a 0day depending on how it affects a system, but it is a risky long shot. Nation-state cyber threat actors will not hesitate to burn a zero-day if the stakes are high enough, and they’ll use it repeatedly to get as much use out of it as they can. Governments and even some companies will often pay top dollar for 0days, which can sell for upwards of hundreds of thousands of dollars or more depending on the severity level of a particular exploit. To provide some context for how sophisticated the Stuxnet worm was, it contained four distinct 0days in its payload.
Logic bombs are programs that contain destructive code that can be timed to detonate within a system to cause physical or logical damage to a computer system. Logic bombs could be planted by an adversary on systems or networks to wipe or encrypt the entire drive at a prescribed date and time; or, in the case of ICS, a logic bomb could cause an energy plant’s systems to glitch or completely crash and thereby present a moment of opportunity for an aggressor to attack conventionally. A terrorist organization could just as easily use a cyber weapon such as a logic bomb to inflict damage on enemies.
Distributed Denial of Service (DDoS) attacks have become somewhat commonplace in recent times with prolonged attacks against video game platforms and other popular sites. Hacktivist groups have used DDoS attacks repeatedly to express dissatisfaction with government policies or corporations that do not align with their beliefs.
Used in combination with the deployment of military forces, offensive cyber attacks can not only help shape the battlefield for military operations, but they can also be the decisive factor in denying the enemy the opportunity to defend itself. This is similar to a tactical air strike that neutralizes enemy anti-aircraft artillery (AAA) and tanks before launching a ground force invasion. Offensive cyber attacks can be used to soften targets and neutralize enemy tactical or commercial systems to prevent command and control of its forces.
It is easy to criticize an organization as large as the Federal government or the DoD for the cybersecurity-related weapons systems vulnerabilities in the latest GAO report, but in reality the purpose of the GAO publishing these reports is to provide transparency about the status of government (including DoD weapons systems) cybersecurity. It is a good thing, because it means that these deficiencies should receive the attention, funding, and manpower they deserve, as long as the responsible organizations continue to be held accountable. It is in the interest of all Americans that our National Security Systems be as secure as they can be. Enforcing compliance with the NIST Risk Management Framework will go a long, long way towards protecting our NSS, but we must re-train and re-tool our cyber workforce not to stop after achieving a system authorization to operate (ATO) and to continue monitoring each system indefinitely, applying software patches, scanning for vulnerabilities, and improving security controls along the way with new technologies. We can never afford to allow cybersecurity to become a “fire and forget” type of mentality, a term commonly used with respect to disposable military weapons systems. Instead, cybersecurity should be a “fire and continually search and assess” mentality, because the cyber threat landscape is vast and new vulnerabilities are discovered en masse literally all the time.
Policy-wise, I think we are moving in the right direction with the Trump Administration having released an updated version of PPD-20, which is reported to have expanded the authority of U.S. Cyber Command to use offensive cyber attacks in the future. Even so, the U.S. has its work cut out for it to be able to defend its most critical information systems against the multitude of cyber threats that currently exist and are ever-increasing. This is a challenging task that we are failing badly at currently. Look no further than how China has blatantly used cyber espionage tools and techniques to steal enormous amounts of U.S. intellectual property and sensitive military information, saving it untold trillions of dollars in research and development. We are doing a disservice to our critical infrastructure if we don’t drastically improve our cybersecurity posture and get better at thwarting adversarial cyber espionage.
In conclusion, the contention that military power cannot be projected through cyberspace is both narrow and shortsighted. It shows a lack of understanding and appreciation for how effective offensive cyber weapons can be. At the very least, offensive cyber is an enormously capable force multiplier, if not an actual instrument of power projection itself. Perhaps it is not a literal projection of military power as we have traditionally and doctrinally defined it, but it is still a very effective tool that facilitates power projection in the literal sense. We can dance around words and definitions all we want, but if the U.S. is going to be successful in cyberspace in the coming decades, we need to move past the antiquated doctrinal definition of power projection and incorporate the offensive cyber capabilities of the 21st-century Digital Age. To not do so would be a grave mistake. CNA and CNE are not only enablers of power projection; they are also capable of power projection themselves. Once used, those 0days will have been burned forever, but look at the cost savings in terms of human life and physical infrastructure damage. Software and hardware are not short of flaws in their code, meaning that there will be other 0days to come, and 0days are only one cyber weapon in the toolkit.
The author is an experienced information security professional with over 20 years of prior experience in the Marine Corps working Force Deployment Planning and Execution (FDP&E), crisis action and contingency planning, in addition to tactical Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance (C4ISR) systems administration and information assurance.