Private industry and government agencies push technology in the race to create the most foolproof cybersecurity.
By J.R. Wilson
Cyber warfare still is a relatively new concept, for the military and civilians. To some it is an offshoot of electronic warfare (EW) or information warfare or even signals intelligence (SIGINT). A common definition calls it "actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption." It has rapidly evolved and expanded in the 21st Century, so that definition is far too limited.
More recent definitions have expanded to include non-state actors: terrorist groups, corporate espionage, political and ideological extremist groups, individual or small group hackers (aka, hacktivists), and transnational criminal organizations, such as the drug cartels and various "mafias." That diversity, however, also raises the difficulty of separating cyber warfare from cybercrime, which share many of the same techniques and technologies and often lead to common results.
The major public emphasis has remained centered on national militaries, especially the U.S., China, Israel, Russia, the United Kingdom, Germany, France, and Iran. All have their own equivalents of the U.S. Cyber Command (CYBERCOM), stood up in mid-2009 as a sub-unified command subordinate to U.S. Strategic Command, but operated by the National Security Agency (NSA). CYBERCOM's charter was to pull all existing military cyber resources together, creating synergies, and synchronizing combat effects in defense of the information environment.
Officially, it "plans, coordinates, integrates, synchronizes, and conducts activities to direct the operations and defense of specified military information networks and prepare to and, when directed, conduct full-spectrum military cyberspace operations in order to enable actions in all domains, ensure U.S./Allied freedom of action in cyberspace, and deny the same to our adversaries." While it began with a predominantly defensive posture, it increasingly has looked to offensive strategies and technologies, as well.
Efforts to develop military cyber capabilities - offensive, but especially defensive - are now as common among nations of all sizes and strengths as the possession, use, and production of unmanned aerial vehicles (UAVs). Even more than UAVs, however, cyber already is a critical and ubiquitous component of society, from grade-school students' tablets to international financial records and transactions, from individual cell phones to top-secret military satellites, from personal computers to national power grids.
Defining cyber warfare
This has made the term "cyber warfare" universally all-encompassing and confusing. That also is true for its place in the military - as a capability, offense, and defense, or as a new and separate "fifth operational domain," equal to land, sea, air, and space. Some even predict all five soon will be superseded by a sixth domain - a combination of information operations (IO) and brain-computer interface (BCI) to control the human mind by manipulating emotional and cognitive responses or by exploiting man-machine technology.
The growth and development of cyber security attack and cyber warfare strategies and technologies also has led to the creation of Cyber Centers of Excellence (CoE). These range from private corporate entities like the Lockheed Martin Cyber Center of Excellence (CoE), opened in late 2015, to national entities like Germany's Nationale Cyber-Abwehrzentrum (National Cyberdefence Centre), to international entities like NATO's Cooperative Cyber Defence Centre of Excellence (CCDCOE) based in Tallinn, Estonia, and the European Cyber Security Organisation in Belgium.
"When we stood up our CoE late last year, it really focused on where we thought the future of cyber was going in the new warfighting domain," says Doug Booth, director of cyber and EW business development at Lockheed Martin. "The CoE is a combination of all our programs and engineers and consultants, coming together as one to help protect our customers, deliver capabilities, and look at the future to see what challenges we can help our customers overcome.
"It is more than a think tank; it's where all our internal business and external customers go when they have a challenge and where we bring in individuals who are interested in learning about what capabilities we have. We resolve problems, tabletop exercise problems, taking a multi-task approach."
Lockheed Martin's CoE has four pillars:
- networks and infrastructure, which build capability to secure, attack, and defend;
- weapons systems, which use cyber warfare and EW to target and exploit adversary weapons systems;
- U.S. Department of Defense (DOD) platforms, which build resiliency into those platforms to ensure they are cyber-protected and can operate when under cyber attack in all warfighting domains; and
- international, which take any export-controlled capabilities and push them into relevant cyber programs internationally.
"Where we can get export approval, we're more than willing to take our capabilities, mostly defensive at that point, into those regions," Booth adds.
Cyber centers of excellence
NATO's Cooperative Cyber Defence Centre of Excellence was established in 2008 following significant cyber attacks in Estonia in 2007. Henry Rõigas, researcher, CCDCOE Law and Policy Branch, emphasizes that while the Centre tries to provide the organization with a 360-degree perspective on cyber defense, it is not tasked by NATO nor part of the alliance's command or operational structures.
"The attacks served as a kind of wake-up call to NATO that cyber defense security is an issue NATO cannot ignore. However, Estonia already had planned to establish the Centre before that, so it was not created directly because of the cyber attacks," Rõigas says. "Basically, we function as a think tank, providing support to NATO and its members, but funded by voluntary contributions, currently from 16 NATO member nations and some non-NATO contributing members, such as Austria and Finland.
"Our role is to provide knowledge, functioning as a research center, education and knowledge hub, provide training exercises and presentations on cybersecurity from different perspectives. I am part of the Law and Policy Branch, which focuses on international law and policy," Rõigas says. "We also have a technology branch, who are penetration testers and monitors; a strategy branch that focuses mainly on military and strategic questions; and an education branch that supports NATO's exercises and organizes our exercises and training."
According to the "Tallinn Manual on International Law Applicable to Cyber Warfare," a study commissioned by CCDCOE that is not considered a legally binding document, cyber weapons are cyber means of warfare designed, used, or intended to cause either injury or death of people or damage to or destruction of objects. The scope and limitations of that definition are critical to the potential implementation of NATO Article 5, which says an attack on any NATO member is considered an attack on all and NATO will respond accordingly.
"In 2014, in the Summit declaration, NATO signaled that if a cyber attack reaches a certain threshold, the NATO decision-making body may decide Article 5 may be invoked. That will happen on a case-by-case basis and to date no cyber attack has reached that threshold under international law. The consensus among lawyers, politicians, and nations is the decision to invoke Article 5 in a cyber attack means the results must equal the results of a kinetic attack: deaths, injury, etc.," Rõigas explains.
"That does put out a definite deterrent effect. The main strategic question for us is how to deter the most common attacks that do not yet reach that very high threshold, such as espionage. So far, states with cyber capabilities have shown restraint with respect to very large-scale cyber ops that would reach that trigger threshold. It's clear the opportunities and capabilities are there, but so far those states have not gone that far," Rõigas says.
Cyberterrorist weapons
Rõigas says the Centre does not believe such an attack is likely, at least not in isolation - that should an Article 5-level cyber attack take place, it would be in concert with more traditional kinetic attacks. At the same time, he acknowledges "it still is a new area and things are not entirely clear. Nations are trying to determine how to live with everything that is developing, through international law and policy, etc., but cyber is so huge and has so many perspectives, it is difficult to focus."
He also is far less concerned than many others about non-state actors using cyber weapons, despite the increasingly easy and cheap availability of sophisticated systems on the open commercial market, much less the traditional underground weapons market, now residing largely in the so-called "dark web" - a majority of all Internet websites, but not seen by search engines such as Google and Yahoo.
"The private sector development of new technology is a race for innovation, with a market failure programmed in where manufacturers don't focus on security so much as new technologies that will sell," Rõigas says. "That will enable smaller players to pull off one-time effects. You can go onto the dark web and buy off-the-shelf hardware and software so you really don't need technical knowledge to conduct operations on that level. This is why rogue actors, tier 2 nations, have more opportunities in the future.
"At the moment, the consensus is terrorist organizations don't have the capability, know-how, or motivation to conduct high-level ops through cyberspace. They can more effectively use older methods, such as suicide bombs, which are cheaper and require less knowledge, to achieve their goals. A terrorist's main goal is to create fear, typically through bloodshed; while a cyber attack can be very effective, from a terrorist perspective, it makes more sense to use traditional means of attack."
In recent years, the Defense Advanced Research Projects Agency (DARPA) in Arlington, Va., has used a series of challenges to encourage industry and private groups to push cutting-edge technology beyond its current boundaries and provide proof-of-concept demonstrations. In August 2016, DARPA's latest such effort, the Cyber Grand Challenge, concluded with a start-up company called ForAllSecure as the victor with a software program called Mayhem, a fully autonomous system capable of finding weaknesses in a target system and repairing them in minutes, even seconds.
Unlike the real-world threat, however, DARPA restricted the challenge to memory safety vulnerabilities and information leaks.
Cyber Grand Challenge
"Our goal is to be able to check everything, check the world's software for exploitable bugs, from mobile phones to battleships," says David Brumley, ForAllSecure's CEO and co-founder. "In the challenge, there was exploit - find and prove vulnerabilities - and auto patching software to defend against vulnerabilities. It went beyond strategy to include winning technology.
"Part of our strategy was creating a suite of patches, so every time we got a new program as part of the challenge, our automated cyber reasoning system looked at our suite of patches and picked the one that worked best, that didn't slow the software down or interfere with its functionality," Brumley says. "We were given programs we'd never seen before, so our system had to auto-identify possible vulnerabilities, but it also looked for common security measures. For example, hardening, which is like adding airbags to protect against a lot of problems and not specific to anything."
Brumley, who also is director of the Carnegie Mellon CyLab Security and Privacy Institute, is one of many in the cybersecurity and warfare arena who believe offense and defense are opposite sides of the same coin.
"In my view, offense and defense are tied as mission areas. In both, you want to identify vulnerabilities and prove they really are vulnerabilities. I think what we developed can be applied to offense and defense," he says.
"When you look at national security, automating these tools has given us the capability to look at a much larger variety of software than ever before. Offense often focuses on specific programs or hardware and is limited to experts on those. We enable them to look at all programs without targeting anything ahead of time," Brumley says.
Lockheed Martin's seven-step "cyber kill-chain" to defend against an advanced attack would appear to support that premise as company experts look to a future of smarter adversaries and greater difficulty identifying the source of an attack.
"Following the seven steps helps understand what is happening, where you have potential vulnerabilities, and track an attack," Booth says. "On the offense side, we build exploit and attack capabilities, some under IRAD [independent research and development]. One of those is a specific technology built to do a D5-type disruption [deception, denial of service, disruption, degradation, destruction] focused on cellular systems - LTE disruption. That is ready for marketing and has been flown on UAVs, field-tested and demonstrated in the past 18 months."
The seven kill-chain steps are:
1 - reconnaissance
2 - weaponization
3 - delivery
4 - exploitation
5 - installation
6 - command and control
7 - action-on-objectives
"These are the steps an attacker would take in trying to penetrate your network. By identifying these and the particular tools and payloads they would build for each step, then building countermeasures for each of those, you can create a seven-layer protection for your entire network," Booth continues. "It can identify new activity, regardless of adversary, new techniques versus old techniques, looking inside and outside your network. We also keep a large repository of available technologies and can look to that to help identify an attacker.
"When you think about how wars will be fought in the future, I think they may begin with non-kinetic cyber warfare and EW. With software-defined radios and miniaturization, you now have the ability to take systems that once were built separately - some for EW, some cyber warfare, some SIGINT - and pull them into one multifunctional system that can determine the best approach for going after a target," Booth says. "You now can conduct your mission, whichever of those it may be, from one platform; the customer will be able to decide whether to use an EW technique or a cyber technique or even use both simultaneously. Basically, EW technology is more temporary, cyber warfare more permanent."
The growing vulnerability of every segment of global society has many fathers: the shift of advanced technology development from the military to the commercial sector; the ubiquity of increasingly connected electronics, the Internet of Things (IoT); mass-market commercial manufacturers placing customer-attracting new technologies ahead of built-in security measures; a general lack of knowledge or understanding of cyber vulnerabilities among consumers; and as-yet-unresolved cyber disparities within the military.
That is further complicated by a continuing U.S. belief in secrecy that has limited the number of qualified people able to work on classified government projects, while International Traffic in Arms Regulations (ITAR) restricts international cooperation and co-development. Distrust among European and other nations, with respect to the most advanced cybersecurity developments, also remains high.
Cyber personnel
"Current technology in every country relies on people, which takes considerable skill and time - and industry can pay them a lot more than any government," Brumley says. "National attitude also is important. Countries like Israel tend to have a significant interest in automated tools and are a lot more explicit in asking for them.
"The U.S. still thinks hackers are bad guys and finding vulnerabilities should be locked inside a black room. Developers of that capability are a lot more socially acceptable in other countries, from Israel to China, who are not as concerned about these kinds of capabilities being out there in the public."
Rõigas agrees, saying balancing a fundamental need for secrecy in developing cyber/counter-cyber technologies and capabilities with an adequate level of cooperation among the NATO allies is one of the most important issues surrounding cybersecurity in general.
"That is especially so where allies view these capabilities as something very strategic and are reluctant to share this kind of information, which can be a frustration to cooperation. That also influences researchers, who often make assumptions based on very limited information in trying to understand what various states are doing, especially in terms of offensive operations," Rõigas says. "But I think the states are becoming more open and understand we need more cooperation.
"The U.S. is the biggest and most advanced cyber power, but you also have Germany, France, and the U.K. Politicians often say there is a low level of entry into cyber and small states can push beyond their weight, but when you consider strategic military offensive capabilities to conduct sophisticated operations on a large scale, you have to look at those countries with other major military capabilities. Which is why cyber really has not changed the balance of power," Rõigas says.
NATO's own cyber defense policy highlights each nation's responsibility to defend its own networks. Without significant sharing of cyber warfare capabilities, that means those with fewer resources and national military capabilities probably are the most vulnerable.
Shrouded in secrecy
Secrecy is even more prevalent among potential adversaries - China, Russia, Iran - with the first two widely regarded as already having conducted cyber ops, from largely espionage-based penetrations by China to Russia's cyber takedown of the electric grid in western Ukraine. But the general consensus is the Stuxnet attack on Iran's nuclear research facility, for which no nation has taken credit, was created and launched by the U.S. and Israel. None of those, according to Rõigas, met the threshold for Article 5.
"The truth is, we just don't know every nation's real capabilities because there are vulnerabilities in critical infrastructure and other systems where a lot of things can happen," Rõigas says. "So it's a game of assumptions."
Military cybersecurity requirements range from the individual warfighter, now heavily equipped with networked electronics, to ships, aircraft, and satellites.
"Platform protection is applying cyber protection to big platforms to ensure our adversaries do not disrupt their capabilities through anti-tamper, secure processing, and electronics design, ensuring these systems are built following risk-management framework guidelines," Booth says.
"It begins with an awareness of the possible vulnerabilities, then building resiliency into those platforms [on the production line]. That would include ground vehicles, communications systems, sensors, etc., starting with the large platforms and working down, but the focus is on larger platforms, not individual warfighter gear."
Cyber arms race
Although cybersecurity and cyber warfare organizations have proliferated to virtually every military, government, academic, industrial, and commercial organization worldwide, the future of cyber/counter-cyber remains murky, at best - a new domain of warfare that no one fully understands, and in which no one knows for certain what others, friend and foe, understand.
"We're in a race. I don't think anyone is ahead in any big way among our competitors. The U.S. doesn't want an even fight; we want overwhelming superior technology. DOD's Third Offset Strategy means we don't want to match the enemy tank-for-tank, but offset any larger numbers they may have with superior technology," Brumley concludes.
"First was nukes, second precision, and the third will be autonomy - not just physical, but cyber autonomy. China has 22 percent of the world's population and so may have 22 percent of the world's cyber experts, compared to 6 percent in the U.S. So we have to make sure our 6 percent are better than their 22 percent - that is modern warfare with the U.S. in a nutshell."