In the summer of 2008, a criminal syndicate in Russia waged a cyber attack against the Republic of Georgia, shutting down that small country’s government servers and Internet access in an opening salvo well coordinated with the Russian military’s physical attack. Criminal sabotage? Military assault? How would the U.S. military deal with such an event?
Just as the first air raids of the Spanish Civil War awakened the world to the potential of strategic bombing, this small 2008 Russia-Georgia conflict has brought home to policymakers everywhere the significant and asymmetric role that cyber warfare bids to play in future wars. For these reasons, the U.S. Strategic Command (Stratcom) has been tasked with building up the nation’s first unified warfighting Cyber Command to coordinate computer network defense and to direct our nation’s offensive cyber forces.
As with any warfighting command, the cyber operators under the combatant command of Stratcom — and soon-to-be-stood-up Cyber Command — are being forced to understand how imagined scenarios will play out in the real world. How do you recognize, defend, exploit and possibly attack? How do you judge whether an act is criminal or military? How do you fight through a cyber attack to complete other kinetic or nonkinetic missions?
There are many other questions to be answered, especially for commanders. How can a commander achieve situational awareness in a realm as ethereal as cyberspace? How can we validate our trust in our systems and networks, given that the cyber war against Georgia emerged from “botnets” implanted two years before the conflict? How can we reliably attribute an attack — and distinguish whether the source of the attack emanates from a foreign aggressor, or from a petty criminal, or from a friendly computer that has been enslaved by botnets? How can commanders have confidence that their offensive and defensive cyber actions will effectively counter the enemy, without unintended collateral effects boomeranging against their own systems — say, against the power grid or water systems of a friendly city as part of the collateral damage? How should commanders modify their tactics, techniques and procedures when faced with the asymmetric consequences of cyber threats not restricted to the military forces alone?
Theorists suspect that in addition to any frontal assault on Department of Defense (DoD) systems and networks, any major cyber attack on the United States would focus to a large extent on the commercial infrastructure, which may not be as fortified and well defended. Large amounts of military communications traffic travels over commercial systems. Attacks against non-DoD critical infrastructure, both public and private, could prove more devastating, or at least could generate a “fog of war” scenario that complicates the commander’s courses of action.
In kinetic warfare, we have exercises to test our capabilities under real-world or near-real-world conditions. This gives us confidence in our systems’ performance, enables us to prove and refine tactics, and hones the proficiencies and judgment of our operators and commanders.
The “Red Flag” fighter training exercises at Nellis Air Force Base, Nevada, have for decades been among the most advanced and sophisticated in the world. These enable fighter pilots from all our military services, and many of our allies, to develop their aerial combat skills. Engineers and scientists on the ground use GPS, video and computerized feedback to verify and enhance the performance of all of our air combat systems — aircraft, air-to-air missiles, airborne warning and control, etc. Commanders and advisers in the Combined Air Operations Center-Nellis use common operating pictures, adversary and blue force tracking, tactical intelligence and battle damage assessment data to evaluate mission success and to refine the overall sequence and employment of all capabilities packages involved in the fight. These exercises permit tremendous learning and growth across multiple echelons simultaneously with each planned engagement.
What is needed is a cyber warfare equivalent of our “Red Flag” exercises, perhaps conducted at the cyber analog to the Nevada Test and Training Range. Such a capability could address a vexing Stratcom cyber dilemma: How do you exercise your cyber warfare capabilities when the self-same military and intelligence computer systems that would be your test targets must always be up and running?
It won’t be enough to simply test and exercise cyber warfare capabilities in order to gain experience and confidence. Just as with the Army’s Battle Simulation Center at Fort Hood, Texas, the Naval Strike and Air Warfare Center at Naval Air Station Fallon, Nevada, or the “Red Flag” exercises at the Nellis range, what is also needed is the ability to record and play back the complex interactions of attack and defense to learn and be able to predict how they will actually operate. This provides instruction not only to the tactical operators but also to the mission planners, commanders and their advisers, and operations center personnel. This is where the true learning and development of rules of engagement and tactics, techniques and procedures are honed and perfected — at the tactical, operational and strategic levels of warfighting. This must also include the ethical and legal considerations that both operators and commanders will face in cyber warfare.
In kinetic warfare, some revolutionary systems — like the Command Post of the Future developed by the Defense Advanced Research Projects Agency — have enabled commanders to regularly replay the operational planning steps and combat orders and actions from live engagements in Afghanistan and Iraq. This has enabled commanders to learn from previous operations and continuously improve and adapt their combat tactics and command procedures.
Commanders need insights at this level to achieve both real effectiveness and real confidence in the cyber warfare capabilities available to them. Our challenge is how to deliver it. Industry is being challenged to address the needs of U.S. commanders to meet current and future requirements, including those of coalition partners. It should go without saying that a collaborative partnership with industry, as well as universities, is essential to the lessons learned and solutions that will need to be incorporated to not only defend but to offensively operate in the cyber future.
Achieving real-world insights into cyber warfare capabilities requires emulation, not just simulation — the kind of learning that only comes by facing a thinking, responsive opponent under near-real-world conditions. It also requires real-time information flow via integrated data links from military and nonmilitary sources in order to visualize a “ground truth” common operating picture.
Recently inaugurated cyber test ranges — like Northrop Grumman’s Maryland facility, as well the company’s internal range that games the defenses of its own corporate networks — represent foundational technology for the kind of cyber warfare exercise capabilities commanders will need. Technology research in cyber through industry-university partnerships — such as the Northrop Grumman Cybersecurity Research Consortium with the Massachusetts Institute of Technology, Carnegie Mellon and Purdue — are necessary endeavors for national security. Building on these capabilities, cyber operators can get their first true picture of this new battlespace.
Napoleon once said that a good sketch is better than a long speech. For cyber commanders, an interactive, playback picture of actual cyber operator engagements in a controlled range environment is required to prepare for the real deal and achieve the high ground in cyber warfare.
Bob Hinson is vice president for government programs and corporate lead executive for the Nebraska region for Northrop Grumman Corp. Hinson retired as a lieutenant general after a 33-year career in the U.S. Air Force in which he served as vice commander of Air Force Space Command at Peterson Air Force Base, Colo., and deputy commander-in-chief of Strategic Command at Offutt Air Force Base, Neb.
