2 December 2017

We Need Cyberspace Damage Control


Naval losses during World War I and the lessons learned in the Battle of Jutland underscored the importance of damage control to a U.S. Navy resolved to improve survivability. Analysis of German warships and procedures, combined with the attention of Navy leadership, resulted in the widespread adoption of German damage-control procedures and influenced ship construction toward more survivable designs. 1 Since the inception of modern damage-control practices during the interwar period, the Navy has demonstrated a strong tradition of rapidly reconstituting damaged ships’ seaworthiness and combat effectiveness, so they might prevent cascading damage, survive, and continue to fight. It is said if every Marine is a rifleman, then every Sailor is a damage controlman. Building on this foundation of damage control, the Navy must incorporate 21st-century practices to ensure the combat effectiveness of future naval units in all domains, including cyberspace.

Three paradigms are increasing the urgency to adopt cyberspace damage-control practices: 

• The U.S. military anticipates cyberspace to be a heavily contested domain in future multidomain battlespaces. 

• The Navy is advancing concepts where highly networked platforms, sensors, and weapons are dispersed and lethal. 

• Naval units are undergoing an electronic and computational metamorphosis where cyberspace technology is permeating every aspect of platform functionality.

Given these trends, existing naval capabilities are inadequate to provide cyberspace damage control, defined as the ability to restore cyber-dependent warfighting systems sufficient to reconstitute a unit’s combat effectiveness. It is critical that naval units be equipped and organized to perform cyberspace damage-control activities to remain survivable until lasting repairs can be effected. Integrating people, processes, and technology can provide this capability across Navy tactical units.

Shifting Paradigms

The U.S. military envisions battlespaces of the future as highly contested cross-domain warfare environments convulsing with action and counteraction in what retired Marine General John Allen and Amir Husain call “hyperwar,” which will require the joint force to be highly resilient and adaptable. 2 Fundamental to this requirement is the ability to rapidly reconstitute combat power in the face of both kinetic and nonkinetic attacks. As the character of warfare—the capabilities of modern systems, platforms, personnel, and organizations—continues to evolve, the cyberspace domain is playing an increasing role in the generation and wielding of combat power. The much-touted weapon precision of the “second offset strategy” owes much to this increased role. 3 Cyberspace capabilities also will contribute to the anticipated “third offset strategy,” which calls for using artificial intelligence and human-machine teaming. 4 In this vision, cyberspace will play a leading role and likely will favor the side more prepared and agile in defending and exploiting it. Given this challenging operating environment, the Navy is maturing concepts to fight more effectively. Several admirals have advocated for the employment of dispersed “hunter-killer surface action groups” empowered by “advanced kill chain capabilities, such as the Navy Integrated Fire Control-Counter Air, to enable sea control and defeat existing and emerging threats in all domains.” 5Moreover, Chief of Naval Operations Admiral John Richardson recently advocated for increased network “connectivity and capability [which] will enable new ways to combine ships, aircraft, and undersea forces.” 6These concepts are anchored on an interconnected, cyberspace-assured maritime force. With this vision and these concepts as guides, Navy platforms are becoming more interconnected, automated, capable, possibly vulnerable, and certainly dependent on cyberspace. Today’s warfighting platforms are undergirded by computers, networks, and data woven into the fabric of their capabilities: 

• Ship hull, mechanical, electrical, navigation, radar, and communication systems are increasingly centrally and remotely controlled—for example, integrated bridge systems, machinery control systems, and various highly integrated combat systems. 7 

• Littoral combat ships and the new Zumwalt (DDG-1000)-class destroyers are built with total ship computing environments, and these platforms are taking cyber-physical system integration to a new level. 8

• Computer code is controlling more functionality; the Zumwalt destroyers will operate with six to seven million lines of code and the F-35 Lightning with eight million. 9

These capabilities are intended to increase situational awareness, facilitate rapid platform and weapons control, and improve reliability and safety while supporting reduced crew size. As this transformation of naval platforms accelerates, it is critical for the Navy to control damage originating in cyberspace.

Existing Capabilities Fall Short

Existing naval capabilities and procedures are inadequate to the challenge of restoring combat effectiveness while under concentrated fire from this fifth domain. For example, the traditional bureaucratic assessment and authorization processes, which incorporate information assurance (cybersecurity) into platform systems before their fielding, too often provide static protections that lack sufficient adaptability to be operationally relevant to the warfighter in combat. In addition, these practices are further attenuated when applied to embedded platform information technology (PIT)—technology within highly integrated systems-of-systems with significant reliability-induced engineering constraints. Traditional computer emergency response procedures favor an impractical approach of either accepting the risk from degradation or implementing disconnection, quarantine, and eventual restoration on operationally infeasible timelines. 

This response methodology presents an impossible choice regarding PIT systems because of the platform’s reliance on their continuous operation, which may be equally disrupted by either the malady or the cure. Similarly, the Navy’s network defense-in-depth strategy provides an umbrella of protection external to warfighting platforms, but it is limited in its ability to provide on-site cyberspace damage control. 10 This is somewhat analogous to the Aegis combat system providing strong air defense capabilities but no capability to extinguish the fire ignited by a missile leaking through. Cyber protection teams are widely dispersed across Navy cyberspace infrastructure with limited and often fleeting focus on tactical units, a situation unlikely to change in time of war because cyberspace will be contested across the board. In addition, traditional damage-control practice predominantly constrains itself to fighting fires and flooding without considering cyberspace, even as it is dependent on cyberspace to remotely start fire pumps or actuate dumping of fire retardants.
A New Framework

To address these inadequacies and adapt to the changes in the character of warfare, the Navy’s traditional cybersecurity and damage-control cultures must coevolve to integrate capabilities and procedures to provide cyberspace damage control: • The Navy should bolster and empower the people who interact with cyberspace-dependent systems. • Processes must be established to coordinate effective damage control and restoration. • Technology must be developed or matured to provide the necessary tools to the people engaged in the processes. This people-processes-technology framework can deliver a vital capability for modern naval warfare. People—engineers, contracting officials, acquisition specialist, and warfighters—generate the requirements, performance parameters, design specifications, security features, and data standards for cyberspace-dependent systems. These personnel must be provided with sufficient training to balance cost, schedule, and performance trade-offs regarding anticipated hostile cyberspace operating conditions. 

They must determine how best to build systems that can remain operational while enabling naval forces to fight through these contested environments. Naval program offices, in coordination with in-service engineering agents (ISEAs), must maintain a cadre of cyberspace and engineering experts associated with fielded systems who can team virtually with forward warfighters to provide detailed system-level analysis, configuration recommendations, and impact assessments during cyberspace damage-control operations. At the unit level, the Navy also must provide personnel trained to assess cyberspace-originating damage and with the authority to lead combined internal and external teams to control damage. 

These sailors directly would support shipboard leadership and the damage-control assistant. Ultimately, the Navy must ensure these key people are trained, educated, and positioned in the right organizations, teams, and units to instantiate cyberspace damage-control capabilities. The Navy also must establish processes to enable personnel to engage in cyberspace damage-control activities or create the conditions for their success. The Risk Management Framework process for assessment and authorization of information systems is insufficient to mitigate anticipated cyberspace-induced damage in time of war. 11 It should be modified to ensure program offices employ cyberspace penetration testing during research, design, and development of systems. 

It also should include steps as part of the acquisition process where each program office must incorporate interoperability standards with cyberspace threat analysis and response tools and test integrated prototypes within laboratories, such as the USS Secure (the Navy’s virtual test bed), that are designed for PIT and cyberspace tool integration testing. 12 This will allow future Navy platform systems to coevolve with cyberspace tools, and eventually will bridge the gulf that exists between these two development ecosystems within the acquisition process. In addition, processes at the tactical level must maximize cyberspace damage-control potential. 

Military computer emergency response procedures, or cyber incident handling, must account for “fighting through” malicious cyberspace activity with maneuver, configuration changes, real-time malware eradication, sandboxing, and other techniques that may be less disruptive than the traditional disconnect-and-rebuild approach. 13 To advance this effort, program offices should support the expansion of a nascent project at the Naval Postgraduate School to create system-specific “Cyber Defense Operational Sequencing Systems (CDOSS),” which would provide detailed technical documentation and procedures to mitigate cyberspace attacks and restore system capability. 14 This would assist response personnel in taking the initial steps to control damage from cyberspace.
Invest in Cyberspace Damage Control

No matter how knowledgeable they are or how well procedures are codified, local cyberspace damage-control personnel often will need external support because of the highly technical nature of cyberspace. Therefore, the Navy must create processes that enable restoration-centric coordination and teaming across organizations to virtually buttress on-site personnel. Such teaming must be organized rapidly to fight through cyber incidents and could consist of members from across program offices, ISEAs, system commands, Navy Cyber Defense Operations Command, cyber mission forces, and maritime operation centers. Yet to be successful, there also must be authority and leadership for the cyberspace damage-control efforts. In time of war, this is best left to the ship or unit under fire. The commanding officer, supported by the cyberspace damage-control officer, must lead a “team of teams,” 

understand the risks, and restore combat effectiveness to accomplish the mission. Collectively, these new or adapted processes could create conditions where cyberspace damage-control personnel would have a fighting chance at restoring unit-level combat effectiveness. The Navy also must invest in technology within each program office to meet key cyberspace performance parameters and make each system more resilient and survivable, while providing data to Navy cyberspace situational awareness (NCSA) capabilities. 15 NCSA must help unit-level operators differentiate between the normal and abnormal within the cyberspace fabric of naval platforms and inform cyberspace damage-control teams where to focus their efforts. Cyberspace damage-control coordination should take place from within an “out-of-band” environment to insulate those activities from the networks and systems under fire. 16 These technologies will enable Navy units to control and recover from cyberspace attacks that damage critical platform systems. There are tectonic trends changing the character of warfare and expanding the technological bounds of the battlespace. The Navy must adapt to thrive in the complex, fast-paced battles of the future. By investing in the right people, processes, and technology to develop cyberspace damage-control capabilities, the Navy will be postured to fight through contested cyberspace, reconstitute combat effectiveness, lethally operate inside the adversary’s decision cycle, and win the nation’s maritime battles.

1. Jeremy P. Schaub, “U.S. Navy Shipboard Damage Control: Innovation and implementation during the Interwar Period,” unpublished thesis, U.S. Army Command and General Staff College, 12 December 2014,www.dtic.mil/get-tr-doc/pdf?AD=ADA613481 .

2. U.S. Army, “Multi-Domain Battle: Combined Arms for the 21st Century,” 24 February 2017,www.tradoc.army.mil/multidomainbattle/docs/MDB_WhitePaper.pdf . GEN John R. Allen, USMC (Ret.), and Amir Husain, “On Hyperwar,” U.S. Naval Institute Proceedings 143, no. 7 (July 2017), 30–37.

3. Ben Fitzgerald, “Technology Strategy Then and Now – The Long Range Research and Development Planning Program,” War on the Rocks, 21 October 2014.

4. Cheryl Pellerin, “Work: Human-Machine Teaming Represents Defense Technology Future,” DoD News, 8 November 2015, www.defense.gov/News/Article/Article/628154/work-human-machine-teaming-r... . Greg Allen and Taniel Chan, “Artificial Intelligence and National Security,” July 2017, Belfer Center for Science and International Affairs, Harvard Kennedy School,www.belfercenter.org/sites/default/files/files/publication/AI%20NatSec%2... .
5. VADM Thomas Rowden, RADM Peter Gumataotao, and RADM Peter Fanta, USN, “Distributed Lethality,” U.S. Naval Institute Proceedings 141, no. 1 (January 2015), 18–12. Naval Surface Force, “Surface Force Strategy: Return to Sea Control,” www.navy.mil/strategic/SurfaceForceStrategy-ReturntoSeaControl.pdf .

6. U.S. Navy, “The Future Navy,” 17 May 2017,www.navy.mil/navydata/people/cno/Richardson/Resource/TheFutureNavy.pdf .

7. “Remote Monitoring: SWE Improves Equipment Operating Condition Feedback,” CHIPS Magazine (July-September 2008). T. V. Nguyen, W. Epperly, and B. Budinger, “A survey of existing ship machinery control systems and suggested improvement for future ship platforms,” American Society of Naval Engineers (2008). A. Manfredi and S. Meier, “Upgrading the GEDMS design for increased COTS content in ship control systems,” American Society of Naval Engineers (2008).

8. Sean Gallagher, “The Navy’s Newest Warship Is Powered by Linux,” ARS Technica, 18 October 2013. Megan Eckstein, “USS Freedom Modernization Boosts Reliability, Increases Combat Capability,” USNI News, 19 February 2016.

9. Kris Osborn, “Revealed: Inside the U.S. Navy Shadowy Stealth Destroyer,” The National Interest, 6 May 2016. Andrea Shalal, “Pentagon Sees Risk in F-35 Fighter’s Complex Logistics Program,” Reuters, 16 September 2015.

10. John Gelinne, “Every Sailor a Cyber Warrior,” U.S. Naval Institute Proceedings 141, no. 4 (April 2015), 70–74.

11. Jennifer M. Ellett and Shaun Khalfan, “The Transition Begins: DoD Risk Management Framework,” CHIPS Magazine (April-June 2014).

12. John Joyce, “Navy Coalition Building Cybersafe USS Secure to Protect Fleet Warships and Weapon Systems” (January-March 2016), www.doncio.navy.mil/mobile/ContentView.aspx?ID=7461&TypeID=21 .

13. ADM Michael S. Rogers, USN, “Sharing Cyber Threat Information to Protect Business and America” keynote speech at the U.S. Chamber of Commerce, 28 October 2014, www.nsa.gov/news-features/speeches-testimonies/speeches/28oct14-dirnsa.s... . Gene Costello and Douglas Powers, “Talk Cybersecurity and the Insider Threat,” CHIPS Magazine (April-June 2014).

14. Patrick Dionne, “NPS Faculty, Students Develop Innovative Cyber Defense for Front Line Operators,” 21 June 2017, http://my.nps.edu/-/nps-faculty-students-develop-innovative-cyber-defens... .

15. Greg Touhill, “The Great Cybersecurity Bake Off: The Necessary Ingredients,” Nextgov, 26 July 2017. Bob Freeman, “A New Defense for Navy Ships: Protection from Cyber Attacks,” Office of Naval Research Public Affairs, 18 September 2015, www.navy.mil/submit/display.asp?story_id=91131 . U. S. Fleet Cyber Command / TENTH Fleet, “Strategic Plan 2015 – 2020,” http://www.public.navy.mil/fcc-c10f/documents/fcc-c10f_strategic_plan_20... .

16. “Out-of-band management,” Wikipedia, https://en.wikipedia.org/wiki/Out-of-band_management .


No comments: