‘Be the Windscreen, Not the Bug’1
Cyber – An Air Commander’s Responsibility
By Lieutenant Colonel Dave Sexstone, CAN AF, JAPCC
What is Cyber? More importantly, why should you as a military professional, commander and airman even care to understand? Frankly, what Cyber is defined as precisely and whether it be anointed as its own domain is irrelevant. Your general awareness of Cyber, its risks and associated consequences from an operational planning and continuity of operations perspective is what is important. Leadership is what is required to act; i.e. having gained awareness of Cyber risks and implications, execute a consequence management plan to remain effective. Take the time to recognize your dependency on Cyber to operate.
Cyber in Practical Terms
A loose description of Cyber is provided here to frame understanding. Cyber is a system of any and all electronic technologies networked or linked together to allow their sum coordinated effect, function or mission. Cyber is a medium or a tool to enable. From an Air Power perspective Cyber includes, but is not limited to, the interconnectivity of aircraft, ISR platforms, fusion centres, and Air Command and Control (C2) elements.
Dependency on Cyber
The consequences to Air Power of a Cyber action are arguably potentially more harmful than those to the other services due to its more centralized and Cyber-dependent approach to C2 and synchronized execution. Furthermore, as Air Power is principally a supporting arm to other services in a joint or combined campaign, the required collaboration with other services / components and higher headquarters to support is also a factor. What is important is recognition of your dependency on Cyber, an understanding of the associated vulnerability and a determination of associated actions necessary to reduce the consequences of this dependency. The degree of interconnectivity Cyber offers has enabled the potential for commanders to receive and exchange an unprecedented amount of data and information, and thus an expectation of situational awareness that supports expedited decision-making. Commanders and their staffs need to ask themselves: are we ready for the inevitable, the moment when access to critical information is slowed or prevented? Or even worse, when the trustworthiness of that information becomes suspect?
Cyber Ownership: Adapt to and Exploit It
It is fair to say that most airmen today inaccurately view Cyber as a simple ‘wire and router’ or a desktop computer network, and hence mitigation of their dependency is transposed to the CIS / A6 staff to manage. The reality facing airmen today regarding Cyber requires an approach where Commanders and operational planners take ownership of the problem and conduct the necessary assessments to determine courses of action to maintain effective operational function should elements of that Cyber be rendered inoperable or degraded for any reason. Much the same as an airman is eager and compelled to understand Electronic Warfare to be able to both exploit and survive in the air, he must begin the journey to understand and survive within the broader Cyber world.
The incredible level of interconnectivity achieved among information-technology-burdened Air C2 systems, platforms, sensors, power plants and grids, civil works, etc. has introduced both threats and opportunities for the conduct of a campaign.
While NATO is of common mind about the need for Cyber Defence, it is divided over the collective development and conduct of active defensive and offensive Cyber operations. It is clear that globally a number of nations as well as non-state actors are actively poking and prodding via Cyber, seeking to exploit military and civilian elements. The major global powers are all known to have the ability to exploit Cyber and would not hesitate to do so to gain advantage in a military or other conflict. The same can be said for a number of smaller nations. A simple search and review of open sources alone highlights the players and the successes.
Stated in another way, the concern regarding Cyber perhaps is best summarized in a covering memorandum enclosed in the published report2 from the Task Force on Resilient Military Systems and the Advanced Cyber Threat. Therein it states, ‘There is no silver bullet that will eliminate the threats inherent to leveraging Cyber as a force multiplier, and it is impossible to completely defend against the most sophisticated Cyber attacks.’ The Task Force goes on to recommend a risk reduction strategy which includes: improved Cyber Defence; refocused intelligence capability; and a segmentation of critical mission capabilities to retain some level of function and response in face of a catastrophic attack. While the strategy reduces Cyber risk it does not eliminate it. The message to commanders remains unchanged; plan and be prepared for reduced capability.
Cyber: A Principles of War Perspective
The importance of understanding Cyber may be stated from another standpoint; a back to the basics principled perspective, i.e. long recognized Principles of War (PoW). Representative PoW of a few nations and the NATO Principles of Operations3 (PoO) are listed in Table 1 below. While western nation states and NATO have slightly different PoW / PoO, stark similarities highlight sound considerations in the conduct of warfighting or campaign conduct. The PoW are of course not dogma, but it does not take too much of an imagination to understand how Cyber could both empower and undermine a commander’s campaign. Cyber directly supports or enables virtually every PoW. Stated another way, the PoW or their application have dependencies in one way or another to Cyber.
I do not intend to dissect every PoW against Cyber, just a few to provide some thought for further consideration and thereby seek to reinforce the importance of Command understanding and leadership engagement re Cyber as part of an air warfighting mindset.
Offensive Action. This principle is about taking or seizing and exploiting the initiative, thereby imposing on the opponent a compelling need to react or defend. The ultimate aim is to get inside the opponent’s decision-making and disrupt his ability to execute his plan or to command his force effectively. Offensive action in NATO’s comprehensive approach environment lends itself to and is more inclusive of means leading to the required effect / objective. Certainly being able to suppress an opponent’s air defence, anti-aircraft networks or associated command and control elements temporarily via Cyber attack with virtually no notice would allow the application of this principle in the right circumstances. The debilitation of command and control, disruption or severing of sustainment lines of communications or critical supporting infrastructure each offer an opportunity for offensive action in cooperation with traditional conventional methods.
Surprise. Sun-tzu is said to have proclaimed, ‘to subdue the enemy without fighting is the acme of skill’4 and that knowing the adversary and proceeding with speed and stealth offers opportunity for surprise. Through understanding of the adversary, weaknesses or vulnerabilities are mapped and exploits identified. This principle and underlying approach were perhaps best demonstrated with the debated debilitation or set-back of the Iranian nuclear program, exercised through malicious code insertion.5
Security. The principle is about protecting one’s own force while maintaining the freedom to act against an opponent. Physical and other measures are employed to protect the force; this clearly must include the protection of information systems and Cyber as a whole. Measures are ongoing within NATO to improve the defence of specific elements of Cyber-enabled capabilities, namely certain networks. Defending or securing elements of Cyber-enabled capabilities is a laudable goal but, as already indicated in the above-noted Task Force study, not one believed to be assured. The vulnerability of Cyber6 has recently been laid bare by the so-called Snowden Affair, as well as by the revelation of a serious flaw within arguably a more commonly used internet security encryption protocol7. Issues of Cyber complexity, human error, blind understanding, and a keen desire to know your adversary all play out to affect this security principle. Certain governments are known to actively feed on and exploit security measures to acquire industrial or diplomatic benefit. Refer back to Sun-tzu, and ask yourself whether such governments limit their efforts. Some nations possess professional Cyber warriors. How secure are you in the belief that your capabilities and information are protected from infiltration? Importantly, how confident are you that you have contingent or branch plans in place to counteract or work through such an infiltration, which might include an element of information corruption or a power grid failure?
Flexibility. The immaturity of Cyber law and the relative leeway afforded Cyber events compared to kinetic or lethal force offers opportunity or alternate avenues to achieve effect. Flexibility calls for creativity of mind and adaptability to changing circumstance, giving consideration to alternate means to achieve the end or effect. In a more modern yet still traditional sense, this has meant the ability to dynamically redirect conventional forces to target. While Cyber related action tends to be more deliberate, certainly awareness and consideration of such tools and capabilities and their potential for application also speaks to the principle of flexibility. A flexible mindset starts and flourishes with education and exercise. Commanders must light the fire within their staffs and subordinate commanders to pursue understanding of Cyber and to apply it in operational planning and campaign development.
In summary, the intent of this journal article was to highlight the need for Commanders as military professionals and airmen to understand Cyber and its implications to the conduct of operations and campaigns; both opportunity and vulnerability. Ultimately, Commanders’ leadership is essential to indoctrinate a mindset of awareness and consideration for Cyber opportunities and vulnerabilities in operational planning, consequence management and courses of action. The insertion of Cyber into exercise execution and concepts is a starting point.
Command and control of air capabilities, which has increasingly become integrated by and dependent on Cyber, must be studied and understood from a warfighting perspective. Much the same as the aircraft, after its introduction at the dawn of the 20th century, changed the battlefield and considerations, Cyber, as a pivotal enabler to Air Power, must now be dissected for implications to the art of warfighting.