28 April 2019

Preparing for a Digital Pearl Harbor

By Commander Brent Spillner, U.S. Navy

The planes and submarines attacking Pearl Harbor may have appeared with little warning, but the raid didn’t come out of the blue. It followed years of escalating tension, military adventurism, crippling economic sanctions, and failed diplomatic negotiations that the American government knew had reached an impasse. Several American studies and wargames had identified the feasibility and potentially devastating consequences of a surprise attack on Oahu, even accurately predicting the weekday, timing, and direction of the assault.[i] Yet, the fleet responsible for deterring Japanese aggression was caught by surprise, concentrated in a vulnerable position and at a relaxed state of defensive readiness. In just 90 minutes, its principal striking force was crippled, over 2,000 sailors killed, and operational plans shredded, with minimal casualties to the attacker. Can we learn to do any better if the next surprise attack comes in cyberspace?

Deterrence is Relative

A front-page headline in the 7 December 1941, New York Times boldly declared “Navy Is Superior to Any, Says Knox.”[ii] The next four years would prove the Secretary of the Navy correct, but nevertheless the bombers that would hand his superior Navy its worst-ever defeat were scrambling for takeoff just a few hours after that issue went to print. The U.S. military’s justifiable assessment of (modest) superiority in conventional forces engendered a much less justifiable belief that “they would never dare to attack us” and undoubtedly drove the failure to maintain adequate defensive precautions.[iii]


In 1941 there was little doubt on either side that United States’s overall military and industrial might dwarfed that of Japan. The 1922 Washington Naval Treaty had enshrined a notional 10:6 ratio in favor of the United States over Japan in battleships, heavy cruisers, and heavy carriers, increasing in practice to 20:6 as long as U.S. interests remained closely allied with those of the UK.[iv] The senior Japanese admiral attending the treaty conference viewed this ratio as an egregious insult and declared that “the war with America starts now.”[v] Imperial Japanese Navy planners realized that global commitments would limit the U.S.-UK’s local force advantage in the Western Pacific and concentrated on submarine and aerial warfare not regulated by the treaty in order to level the playing field.[vi] Japan’s eventual withdrawal from the treaty in 1934 convinced U.S. officials that war was indeed plausible, but did little to shift the overall balance of power, nor to compromise the U.S. sense of superiority and security.[vii] 

Pushing Technological Frontiers

Admiral Yamamoto selected Pearl Harbor as his first offensive target precisely because it was “what they will least expect.”[viii] He realized that any forces positioned to threaten Japan were necessarily also exposed to a preemptive Japanese attack and creatively pushed the technical envelope in expeditionary warfare. Underway replenishment innovations enabled high-speed strike and withdrawal across thousands of miles of empty ocean.[ix] Improvements in bombing accuracy reduced the necessary strike force size and its time at-risk over an alerted target, torpedo ranges were extended past that of anti-aircraft defenses, and breakaway fins and daring release trajectories permitted attacks in shallow harbors previously considered unassailable.[x]Perhaps most importantly, clever operational security and deception plans denied tactical intelligence on the approaching force.[xi] Japan brilliantly transformed a hopeless situation (open water battleforce-on-battleforce engagements across the Pacific) into one in which they had at least a fighting chance (total surprise against a poorly defended fleet at anchor). The “super-battleships” for which Japan withdrew from the Washington Naval Treaty weren’t even necessary and played a relatively limited role in the war. [xii]

Twenty-first century U.S. dominance in conventional warfare makes it even more likely that our next conflict will start with an unanticipated attack in an emerging dimension of war, and a sudden preemptive strike against computer networks or satellite constellations might be the next game-changing technology. The very nature of offensive cyberwarfare, with difficult and uncertain attribution, minimal leading indicators that forces are massing for assault, and no need for physical proximity to the enemy or exposure to counterattack, makes the cyber domain especially attractive for an opening salvo. Even when the attacker’s identity can be proven, nations or alliances without formal offensive cyber capability for retaliation-in-kind may find it difficult to muster popular support for kinetic response to virtual attack. The strong prospect of “getting away with it” undermines any deterrent value that conventional forces might hold. 

The Battleforce is the Target 

Just as interwar U.S. planners expected Japan to be intimidated and deterred by overall firepower, they assumed that any foolhardy challenger would at least keep well clear of the battleships. Senior officials up to and including the President advocated keeping the Pacific Fleet in port to deter potential raids or subversive activity on Oahu, not realizing that the massed fleet itself was the target and inducement to attack.[xiii]

Modern militaries are so dependent on real-time command, control, communications, computer, and intelligence (C4I) networks that the right cyberattack could paralyze them. U.S. forces are networked together via a relatively small set of common C4I systems. From a defensive perspective, this is a tremendous liability, as the compromise of a single shared system could confuse, hinder, or disable a large proportion of that joint force. It would be reckless and irresponsible not to invest as heavily, and test our systems as thoroughly, in cybersecurity as we do their offensive capability.

Maneuverability Enables Survivability

If the best defense is a good offense, mobility must be a close second. The fleet at Pearl Harbor could have been protected by better long-range aerial reconnaissance and strike capacity, a more comprehensive early warning radar system, more and better-trained anti-aircraft batteries, torpedo nets, or a continual defensive alert on all ships. Or it could have protected itself simply by putting to sea. The raiders’ good fortune in finding most of the fleet at anchor was, next to operational security, the principal factor in their success.

The United States runs the same risk of presenting too attractive a target in cyberspace by concentrating too many combat-essential functions in a few common C4I systems. How many large-scale exercises could be successfully executed without email and chat? How many operations would grind to a halt without GPS? The U.S. military is already well versed in maintaining multiple redundant physical circuits for the most important communications (orders and vital operational messages), as well as partitioning computer networks into independent enclaves to protect different levels of classified information. The recent trend, however, has been to centralize higher-level services onto a uniform, IP-based global information grid—an attractive target for attack. Centralizing, standardizing, and interconnecting services is convenient for users and maintainers, but also for the enemy.

The cyber equivalent of dispersing the fleet at sea would be to cycle these functions across a variety of independent, interchangeable data paths, perhaps using satellite-based circuits one day and ship-to-shore the next, or web-based front ends to access one week’s operational planning tools and “old school” methods the following week. Instead of an all-or-nothing toggle between business-as-usual and a “River City” posture of minimal communications, we should be continually mixing and matching our available tools and periodically disabling key services to fully explore and assess the necessary workarounds. This is the only realistic way to achieve the operational unpredictability and resilience demanded by our National Defense Strategy.[xiv]

Defense Cannot Be Outsourced

Responsibility for protecting key assets should be concentrated under the same hat that values and depends upon them. Whenever the pre-WWII Pacific Fleet was in port, General Short’s Hawaiian Department was formally responsible for its defense.[xv] The Army, for its part, considered the fleet’s own firepower to be the primary deterrent to attack, while those same warships relaxed their defensive postures in the erroneous belief that the Army “had the watch.”[xvi] We can easily imagine a similar blind spot in the wild frontier of cyberspace. Program managers likely expect industry partners to continually apply “corporate best practices” to keep up with the fast-moving world of IT vulnerabilities, while those partners would surely claim that their responsibility extends only to “implementing all government-specified standards,” which are often frustratingly vague or out-of-date.[xvii] Front-line platforms at risk of being hindered or disabled by a cyberattack often have little embedded cybersecurity expertise and, like the forces at Pearl Harbor, count on an outside oracle to provide timely warnings and detailed direction before an actual attack, while centralized authorities may be relying on reports from the field to detect that anything is wrong.

A more robust model would embed cyberdefense responsibility under unit commanders. Realistic cyberdefense tests should be as formal and important a part of pre-deployment inspections as physical drills are today—not only to focus the commander’s priorities, but to ensure that higher headquarters fully grasp systemic challenges and can pressure the technical enterprises to provide better solutions. The recent Air Force decision to shift cyberdefense responsibilities to the Air Combat Command is a promising step in this direction.[xviii]

Similarly, organizations that would be deeply affected by a compromise of sensitive information should be intimately involved in its protection, regardless of who owns the server on which it resides. One of the United States’ worst publicly known cyber defeats—the 2014–2015 breach of Office of Personnel Management (OPM) records, including detailed personal information on almost everyone with a federal security clearance—was a treasure trove for foreign intelligence services seeking vulnerable targets for recruitment.[xix]

If successfully developed into HUMINT sources or counterintelligence leads, this intel coup could materially affect a future military conflict. And yet it seems unlikely that the OPM considered itself to have the resources or mandate to protect this information as a vital military asset, nor that the Department of Defense and intelligence agencies felt that they should or could extend their own data-protection standards to OPM-managed databases. A pre-attack OPM audit reveals a badly broken cybersecurity culture, with industry standards ignored, deficiencies uncorrected for years, and zero in-house expertise until 2012.[xx] Many other vital defense functions (logistics, payroll, official travel, contracting, etc.) reside on low-security enclaves or the public internet, yet could seriously disrupt military operations or jeopardize operational security if compromised. DoD should dictate and monitor standards for all supporting organizations— an initiative just now getting started—providing the cybershield for private industry instead of the other way around.[xxi]

Damage Control Training

In the chaos and confusion of a surprise Japanese air raid, standard protocols collapsed, and the U.S. fleet fell back to the level of its training. Sailors manned weapon batteries, broke out ammunition, counterflooded compartments, welded hull cuts, established triage stations for battle casualties, rigged makeshift gun mounts, and got their ships underway and planes aloft, often without orders from higher authority. Quick thinking and battle discipline onboard USS Oklahoma saved hundreds of lives after she capsized.

It’s doubtful that the same onboard repairs or workarounds could be made to modern C4I systems. Every ship-driver or aviator is expected to understand the engineering details of everything on his or her platform that can rupture, flood, ignite, or explode, and to tirelessly rehearse the appropriate casualty procedures, yet we’re often content to regard C4I systems as a “black box” that someone else will fix when required. The arguments against tearing down the ship’s LAN or combat systems while underway—it’s too disruptive, recovery might fail, we can’t safely and effectively operate without these systems—merely underscore the importance of exercising these procedures. If we can’t fight through them in peacetime, how will we ever manage in combat?

Fight Back with Whatever is Left

Without the traditional means of retaliation (battleships), the U.S. Navy was finally forced to creatively employ its other assets, immediately saddling up three submarines (Gudgeon, Plunger, and Pollack) to wreak havoc in Japanese home waters–a major shift from their previously-envisioned defensive role and a challenge to the combat capability of their disappointing Mark XIV torpedoes. Even more creative was converting Army B-25s to launch from carriers for the renowned Doolittle Raid on Tokyo.[xxii] The new all-out emphasis on submarines, codebreaking, and very-long-range carrier strike paid dividends in the Coral Sea and at Midway and laid the groundwork for an ultimately successful Pacific campaign. The modern doctrine of “distributed lethality”[xxiii] will be essential to sustaining operations after a cyberattack disables some platforms in the next war.

The Way Ahead

In 1941 the Navy failed to take seriously the threat that a bold and innovative enemy could pose to forces that would have been secure in “the last war.” Defensive preparations and assumptions were not rigorously examined against technical advances and actual practice, and force protection responsibilities were divided and obscured. Cyberattacks are now as devastating as innovations in long-range carrier strike were then, and our forces may again have decades of complacency to dislodge. The United States must rapidly strengthen organic cyber capability in every unit; give cyberdefense the same priority as physical casualty preparedness; diversify the use of key C4I systems; bring support infrastructure up to military standards; aggressively red-team and stress-test every assumption about its systems, relentlessly pursue better reconnaissance, indications, and warning capabilities; and provide for every platform to operate independently as a formidable offensive force. Failure to embed the lessons of Pearl Harbor in modern strategic culture would be far less excusable than any defensive oversight committed that bright Sunday morning.

No comments: