February 15, 2007 by jimstogdill
8th AF Cyber Command
After a couple of off-topic posts (rants?) I’m going to try to get back on track now with some thoughts, just thinking out loud really, on the new Air Force Cyber Command.
During the Cold War the U.S. Navy submarine force is said to have engaged in an ongoing hidden near-war referred to by its participants as “Cowboys and Cossacks.” Like the aggressive interactions between U.S. Air Force interceptors and Soviet Tu-54 Bear strategic bombers, these torpedo-less near-fights tested and improved tactics, validated the U.S. force’s acoustic superiority, gathered voluminous and detailed intelligence, and established the hunter mentality required to be prepared, if called upon, to rapidly transition to real war.
During a recent briefing on the new Cyber Command by Lt. Gen. Elder of the 8th Air Force I found myself hoping we are establishing the same kind of aggressive dominance in the cyber domain that we previously established in air and submarine warfare. Are we proving to ourselves in real-world situations today that we will be able to gain, maintain, and exploit information superiority at the tactical, operational, and strategic levels of war?
Lt. Gen. Elder reiterated the Joint Chiefs’ definition of the cyber domain as “a domain characterized by the use of electronics and the electromagnetic spectrum to store, modify, and exchange data via networked systems and associated physical infrastructures.”
My first reaction was that a definition that broad, by trying to include everything, may be too broad to effectively address anything.
Much of Lt. Gen. Elder’s discussion then focused on the protection of military networks and the disruption of enemy networks through a combination of electronic and kinetic means. I had never really thought of a HARM missile as a cyber weapon before, but within the 8th AF’s definition of the cyber domain it makes sense.
The Cyber Command will have its hands full if it is going to have to deal from day one with everything from radars to satellites, IP networks to IFF beacons, bot networks to SIGINT, and everything electronic in between; offensively and defensively, at the tactical, operational, and strategic levels of war (maybe those definitions no longer really make as much sense?). Starting from a clean slate and focusing more narrowly might be easier than fighting the organizational battles associated with taking on existing programs, capabilities, and responsibilities.
My natural instinct would be to have DHS and law enforcement focus on cyber defense of CONUS commercial and infrastructure vulnerabilities, use “organic” defensive units to defend tactical- and operational-level networks (with Cyber Command developing the tactics, techniques, and procedures), and focus the 8th AF on “cyber deep strike.”
Because of the 8th AF’s strategic heritage going all the way back to 1940s Europe, I was really expecting more focus on cyber deep strike. In the same way that the 8th AF was used during WWII to disrupt civilian infrastructure by striking deep into enemy territory, I assumed an 8th-AF-seeded Cyber Command would have a significant focus on behind-the-lines disruption of communications, power generation and distribution, banking and financial services, and other key infrastructure; at least where our potential adversaries rely on modern networks for those functions.
Obviously, in an asymmetric context Cyber Command becomes mostly about defense and maintenance of information superiority while the offensive operations are carried out in the land, sea, and air domains.
There are some problems with strategic deep-strike cyber warfare, which might be why it wasn’t really mentioned.
To conduct strategic deep strikes you need intelligence on targets and vulnerabilities. Strategic cyber warfare is bound by some of the same constraints as early Cold War strategic air warfare. To identify targets inside a potential enemy’s domain you had to fly over it. If you are the 8th AF in 1943 you might get shot down flying recce flights; if it is 1960 you might end up trading spies for Francis Gary Powers.
The problem is, how do you identify targets and build up your “cyber MIDB” without taking the risk of conducting illegal activities on a potential enemy’s networks?
Today U.S. military and critical-infrastructure commercial networks are regularly probed for vulnerabilities by both state and non-state actors. We should not assume that these probes are looking for an immediate payoff; we should instead assume that our potential adversaries are simply building up their own cyber MIDB.
We should probably be doing the same thing. However, we should also remember that cracking is almost always a combination of network-based efforts with “social engineering,” or good old-fashioned human intelligence gathering.
For example, if Cyber Command is interested in being able to disrupt a future adversary’s electric grid or telephone infrastructure, it may be useful to obtain engineering information from the SCADA and telephone-switching vendors whose equipment is in use in those countries; and where “natural” vulnerabilities are not readily available, it may be necessary to install software agents within those systems in situ. Naturally this will require close coordination between Cyber Command and other government agencies.
It may not always be necessary to directly identify and exploit an adversary’s network vulnerabilities. There are as many as 100 million compromised personal computers on the Internet throughout the world today, combined into remote-controlled bot networks.
These are generally painstakingly assembled machine by machine, and control of them is then sold to people interested in using them for a range of illegal activities. However, in some cases bot networks in the U.S. may have been assembled by state actors, designed to look like the work of criminal gangs, and placed into “standby” so that they can be used to disrupt commercial network activity at a later date.
It may also be possible to co-opt these bot networks without actually conducting the illegal activity that initially compromises the machines: by discovering the illegal networks, identifying the particular exploit used, and then making use of that same exploit at a later time. Identifying these indirect vulnerabilities in our potential adversary’s networks and making them available in our cyber MIDB could be a valuable strategy for predetermining deep-strike targets and vulnerabilities while conducting completely legal network activity.