Cyberwarfare: Battlefield precursor for kinetic attacks?
The cyber domain is playing a more visible role in offensive military operations, but serious vulnerabilities exist within weapons systems that must be addressed today to avoid being rendered useless via cyberattacks during future battles.
Cyberwarfare is an intriguing way to prepare battlefields for kinetic attacks; we recently got a glimpse of this when Iran shot down a U.S. military drone – allegedly operating within international airspace in June 2019 – and the U.S. responded with a cyberattack intended to disarm some of Iran’s weapon systems’ command-and-control systems.
Situations like these don’t necessarily mean cyberattacks will become the go-to response in some situations rather than launching a missile, but they’re certainly an option.
Perhaps the most surprising thing about the recent U.S.-Iran altercation “is that the U.S. claimed that they engaged in a cyberattack against Iran,” says Richard Stiennon, founder and chief research analyst for IT-Harvest (Birmingham, Michigan), an IT security industry analyst firm. “It’s fairly unheard of to attack a military’s capabilities by cyber means without going through all of the normal geopolitical steps when you suspect someone has bombed a tanker or blown up a drone.”
With cyber operations, either you want to be discovered or you don’t. “If the goal of your operation is intelligence gathering, you probably don’t want it to be attributed to you because you don’t want the target to know you’ve stolen data from them,” says Priscilla Moriuchi, director of strategic threat development for Recorded Future (Somerville, Massachusetts), an internet technology company that specializes in real-time threat intelligence. “When it comes to an active operation like the recent attack on Iran, it’s likely that the U.S. wanted to message to Iran that we did it. If they don’t know who it was, they could lash out at an innocent party.”
It’s unlikely that any single military domain will emerge as the standard response, because “you can’t win a war with just the Air Force,” Stiennon points out. “This has been demonstrated over and over again, but the effects gained from cyberattacks can be real. And there are several advantages because the exposure to loss of life is much lower, the total cost is much lower, and there’s plausible deniability – you can cause the effect like we did with Stuxnet without the risk of escalation.”
But using cyberattacks to prepare the battlefield for launching an attack may be an emerging trend – not one that has just arisen because we aren’t currently engaged in many shooting wars. “Cyberattacks may be used how the artillery barrages used to slow down the defense before we had data,” Stiennon explains. “In the recent cyberattack on Iran, it would have been a perfect precursor to launching a kinetic attack. I’m not sure it was a very good strategic move to do it without launching an attack, because it burned their attack methodologies and tools.”
Cyber responses will play an increasing role in conflicts or war scenarios, Moriuchi says, but since there are few identified parameters for cyberwar, this may limit it from becoming the go-to response. “There’s no convention or parameters for a response today,” she says. “What exactly makes up an attack vs. intelligence gathering? When you’re a victim everything feels like an attack. What type of response is proportionate with what countries interpret as a cyberattack or as an act of war? There are too many unknowns within the cyber domain for it to be the primary or the first go-to. But it will become a much larger part of conflict broadly going forward.”
How bad are cyberattacks today?
If you view cyber operations broadly, including data and intellectual-property theft, today it includes a wide range of destructive and denial-of-service (DoS) attacks – and the attacks are bad on many levels.
“We’re at a point in the history of the development of internet and information technology that anyone can execute a cyber operation as long as you have a computer and access to the internet,” Moriuchi points out. “The success of an operation will depend on your skill set and access to tools. But anyone, even a kid with a computer and an internet connection, can find an exploit kit online and use it to inflict or victimize anyone who’s vulnerable. There are so many malicious activities online, and the barrier to executing an attack – whether it’s sophisticated or entry-level – is quite low.”
At this stage, there’s rarely a need to go to a more advanced, sophisticated attack posture within a cyber environment, according to Dean Weber, chief technology officer for Mocana (Sunnyvale, California), which develops security platforms for industrial and military elements, typically within constrained environments. “You don’t need to because the systems that you’re attacking aren’t capable of defending against simple attacks,” he says.
There’s a lot of preliminary activity going on to “scout out the terrain, particularly within critical infrastructure,” Stiennon says. “We’re somewhat privy to the Russian and Chinese presence inside our electrical and communication grids, but we have a lot less visibility into whatever the U.S. is doing in other countries’ grids.”
Stiennon is seeing more of a willingness on the part of attackers to engage in cyberattacks. “They’re starting to use their resources, thinking that they’re getting some sort of benefit – even if it’s just to intimidate the targets,” he explains. “We’ve had the tools for years but have held back for fear of retribution or exposing the tools. Now attackers seem to be more willing to use them.”
Regarding the intelligence-gathering operations of China, Russia, Iran, and North Korea, the types of targets that have been hit by foreign militaries have “remained relatively static over time, and they each have their own set of targets they’re interested in,” Moriuchi notes. “China’s military targets have involved private companies and intellectual property, whereas maybe other militaries have not targeted those. What’s changed, especially for Russian threat-actor groups, is weaponizing social media for disinformation or influence campaigns. And we’re seeing some indications on the Iranian side that their military-intelligence services are also choosing to begin exploring foreign-influence operations as a tool as well, and that’s incredibly difficult to counter.”
The disinformation campaigns and techniques the Russians are using appear to be effective. “They’re turning up the volume and amplifying issues and divisions within our society that we’re already choosing to align ourselves along,” Moriuchi adds. “You can counter it with knowledge or identify it from an analytics perspective, what a Russian influence account might look like, but on its face it’s incredibly difficult to counter that type of activity. “Influence operations on social media are really concerning to us.”
Serious DoD weapons systems vulnerabilities exist
One of the main concerns about cyberwarfare is that military systems and weapons are largely vulnerable to being hacked. In 2018, the U.S. Government Accountability Office (GAO) released a report on the U.S. Department of Defense (DoD), “Weapon Systems Cybersecurity: DoD Just Beginning to Grapple with Scale of Vulnerabilities,” which revealed the massive scale of vulnerabilities that exist.
“Congress has instructed the DoD to perform an in-depth evaluation of their systems, which is due out in October 2019,” Weber says. “The Navy has already issued a preliminary report essentially saying: ‘Don’t be afraid, but it’s worse than we thought.’”
In the meantime, the DoD should “take intermediary steps right now to defend their systems with new add-ons like firewalls and monitor systems so they can tell you when an attack is being made,” Stiennon says. “But they should also retroactively go back and start fixing the vulnerabilities they built in to all the software. Most of the weapons systems that we know were hacked, according to the Washington Post, in 2008, were sourced in the 1990s when the approach to security was that no hackers could hack these because they don’t have access to a F-35 Joint Strike fighter. And, of course, the hackers do have access to the software they’ve stolen in data breaches. So they need to go back and fix the software, and I’m afraid the cost will be close to a trillion dollars.”
If we get into a battle and lose it because of cyber effects, according to Stiennon, the DoD would likely end up spending that money to fix the problems. “It’s better to spend it now to avoid that battle and loss of life than to wait for it to happen,” he says.
Truly fixing this problem may require going all the way back to the supply chain. “How do you trust the data if you don’t trust the device? The way to secure the device generating the data is to ensure the supply-chain efficacy is intact,” Weber says. “To do that, you need to ensure that all of the discrete and active elements – including software, firmware, hardware processing, trusted platform modules – and other things that go into making a trustworthy system are secure. Then they need to be knitted all together into some kind of a value that states that the platform is trustworthy. And it should be available at intervals or on demand.” (Figure 1.)
Patching can only go so far and is less than ideal for protecting weapons systems. “It’s a constant battle of trying to fix what’s wrong and, in many cases, is often a stitch-them-up and put-them-back-into-battle routine; it doesn’t fix the problem,” Weber adds. “The IT world is already so far down the path that it’s unlikely to get trustworthiness within the near future.’”
To better protect its systems, the DoD could focus on “building cybersecurity in as opposed to waiting until after it’s built and bolting it on,” Weber notes. “Why don’t we do it that way? Because that’s not how it was done in the past. But the whole ‘least-cost’ effort that went on the past several years is changing now. Money is being put back into the system and contracting officers and agents aren’t searching for least-cost as their primary decision logic.”
When attacks happen, the U.S. is using a “name and shame” approach to cyberattack attribution. But attribution isn’t always easy, and it will likely become increasingly challenging for future cyberattacks.
“Attribution is becoming murkier, especially at the nation-state level,” Moriuchi says. “If you look at China, Russia, Iran, and North Korea, there was a period of time before 2013 or 2014, when cyber actors weren’t cognizant of the amount of information they were leaving behind in data trails within the wake of building and executing their operations.”
During this pre-Snowden time, many of the techniques for attribution and tracking threat actors were built. “For many threat-actor groups, the data goes back to that era,” Moriuchi notes. “But since then, most of the nation-states’ second- and top-tier actors that we follow have a much greater understanding of the information that they’re leaving behind and the value and downsides to attribution, so they’re changing their techniques.”
China and Iran, for example, are relying on many more commodity tools, like remote-access trojans and penetration test kits that were developed and made available by members of the public. “The code is frequently available online, and they can just tweak and use it in their own operations,” Moriuchi says. “It’s often quite effective and makes attribution incredibly difficult. If you just have indicators about a specific tool, it could be any one of innumerable actor sets, with a bunch of people using one tool.”
While rumors abound of Russia and China or other nation-states teaming up to diminish and degrade the effectiveness of the U.S. military and diplomatic influence, “they’re perceived to be operationally closer and cooperating at the tactical level with joint operations at a much higher rate than they actually are,” Moriuchi says. “We aren’t seeing a lot of sharing of malware or unique, high-capacity cyber tools, because those are quite expensive to develop. If they do create a tool that’s really successful at targeting computer systems, they’d likely want to deploy it against each other. Even if they’re partners, they’re always trying to collect on each other.”