7 December 2021

CYBER, COMMUNICATIONS, EW & TECHNOLOGY (C2ET) DIGEST

Maj Gen P K Mallick, VSM (Retd)



 
Microsoft released its second annual Digital Defense Report, covering July 2020 to June 2021. This year's 134-page report is quite detailed, with sections on cybercrime, nation-state threats, supply-chain attacks and Internet of Things attacks. The report includes security suggestions for organizations with remote workforces. It has a section describing the use of social media to spread disinformation. The report is a compilation of integrated data and actionable insights from across 




Cyber Weapons – A Weapon of War?

Maj Gen PK Mallick, VSM (Retd)

Introduction 
The character of warfare has changed fundamentally over the last decade. In the past, it was essential for an adversary nation or insurgent to physically bring weapons to bear during combat. That requirement is no longer a necessity. In cyber operations, the only weapons that need to be used are bits and bytes. In this new era of warfare, logistics issues that often restrict and limit conventional warfare and weaponry are not impediments. This new weaponry moves at the speed of light, is available to every human on the planet and can be as surgical as a scalpel or as devastating as a nuclear bomb.

Cyber attacks in various forms have become a global problem. Cyber weapons are low-cost, low-risk, highly effective and easily deployable globally. This new class of weapons is within reach of many countries, extremist or terrorist groups, non-state actors, and even individuals. Cyber crime organisations are developing cyber weapons effectively. The use of offensive cyber operations by nation-states, directly against one another or by co-opting cyber criminals, has blurred the line between spies and non-state malicious hackers. New entrants, both nation-states and non-state actors, have unmatched espionage and surveillance capabilities. They are often the forerunners for criminal financial gain, destruction and disruption operations. Progressively, we see non-state actors, including commercial entities, developing capabilities that were solely held by a handful of state actors.

Digitalizing Africa’s mines

Landry Signé

Mineral resources are a critical source of revenue for Africa. In 2019, minerals and fossil fuels accounted for more than a third of exports from at least 60 percent of African countries. The continent produces around 80 percent of the world’s platinum, two-thirds of its cobalt, half of its manganese, and a substantial amount of chromium, leaving it in a strong position to benefit from growing demand for these minerals. Moreover, Africa is believed to have some of the world’s largest untapped mineral reserves.

Unfortunately, a lack of systematic geological mapping and exploration means that the full scope of the continent’s resources remains unknown. To unlock mineral-rich African countries’ full potential, mining companies and African governments must embrace Fourth Industrial Revolution (4IR) technologies. Artificial intelligence (AI), automation, and big data can help mining firms limit damage to the environment, improve working conditions, reduce operating costs, and boost productivity.

Industry leaders and policymakers must work together to capitalize on the opportunities that digitalization brings.

The status quo in the Taiwan Strait is edging toward conflict. Here’s how to stop it.

Steven M. Goldstein

In December 2003 during his meeting with Chinese Premier Wen Jiabao at the White House, then U.S. President George Bush said that the United States opposed “any unilateral decision by either China or Taiwan to change the status quo.” Nearly two decades later, that message hasn’t changed. At the end of last month, U.S. Secretary of State Antony Blinken is reported to have made it “crystal clear” in his talks with Chinese Minister of Foreign Affairs Wang Yi that the United States opposes any unilateral change to the status quo.

Is this evidence of a consistent, clear American position on the cross-Strait question? Or is it the expression of a weak policy formula, in which status quo simply means no war?

HOW THE STATUS QUO HAS CHANGED

One way to approach the question might be to simply ask: Was the status quo in the Taiwan Strait in 2003 when then Taiwanese President Chen Shui-bian’s actions were the object of Bush’s comments, the same as the status quo today? The answer is obviously no. But if that is the case, then what is the meaning of “status quo?”

Beijing’s Strategic Blueprint Is Changing as Tensions Grow

Ryan Fedasiuk and Emily Weinstein

The Chinese Communist Party (CCP) has constructed a strategy that is predicated on both passively absorbing and actively acquiring technology from abroad. Although the tech outflow from the United States to China has undercut U.S. national security, stymying it is easier said than done—and Beijing’s playbook is evolving in response to heightening tensions between the two countries.

In a new framework we’re calling “E.P.I.C.,” we attempt to lay out the four key resources at the heart of U.S.-China competition today. These resources—equipment, personnel, information, and capital—represent the foundational tools that China uses in its push to amass comprehensive national power.

The first resource is equipment—most notably, advanced computer chips and the billion-dollar machines that make them. Beijing’s reliance on imported technologies extends well beyond foreign-designed semiconductors, including lidar systems for self-driving cars, engine housings for commercial aircraft, and reagents for gene editing kits, among others. However, despite its multibillion-dollar efforts to boost domestic production in many of these key fields, China still has a long way to go to produce them domestically.

China Using Cybertechnologies to Expand Their Political Cloud

Paul Budde

A few months ago, I mentioned that China’s social code would also be expanded to companies who want to deal with China.

I have come across information that shows that China is indeed serious about this.

China’s cyberspace regulator has proposed requiring companies pursuing share listings in Hong Kong to apply for cybersecurity inspections if they handle data that concerns national security.

Large internet platforms planning to set up headquarters, operating or research centers abroad will have to submit a report to regulators.

The Cyberspace Administration of China has called for public comment on internet platforms formulating privacy policies or amending rules that could significantly affect user rights and interests.

Companies with more than 100 million daily active users would need to have changes reviewed by regulators and obtain government approval.

China’s rising vulnerability to foreign investors


For the first time foreigners have a large enough position in renminbi-denominated securities to influence Chinese monetary policy. 

Foreign investment in China has historically focused on direct investment, and investment in portfolio assets was largely confined to foreign currency denominated debt. 

Things have changed dramatically in the past 10 years. In 2011, foreigners’ holdings of China’s liquid portfolio assets were just 14 per cent the size of China’s reserve assets. In June, they were almost two-thirds the size at $2.1tn.

 This surge, when combined with the country’s managed exchange rate policy, confers a new power upon foreigners, as evidenced when one considers the size of foreign holdings of China’s portfolio assets in relation to the size of the country’s foreign reserves. What happens if these assets are liquidated?

 Downward pressure on the renminbi exchange rate forces intervention from the People’s Bank of China. And as foreign reserve assets decline, liabilities in the form of renminbi-denominated bank reserves also decline. The action of foreign investors would dictate, through this process, a tighter monetary policy, just as China is struggling with falling residential property prices and growing distress in the private credit system. 

China’s ‘New Generation’ AI-Brain Project – Analysis

 Wm. C. Hannas and Huey-Meei Chang

China is pursuing what its leaders call a “first-mover advantage” in artificial intelligence (AI), facilitated by a state-backed plan to achieve breakthroughs by modeling human cognition. While not unique to China, the research warrants concern since it raises the bar on AI safety, leverages ongoing U.S. research, and exposes U.S. deficiencies in tracking foreign technological threats.

The article begins with a review of the statutory basis for China’s AI-brain program, examines related scholarship, and analyzes the supporting science. China’s advantages are discussed along with the implications of this brain-inspired research. Recommendations to address our concerns are offered in conclusion. All claims are based on primary Chinese data.[1]

China’s Plan to “Merge” Human and Artificial Intelligence

Analysts familiar with China’s technical development programs understand that in China things happen by plan, and that China is not reticent about announcing these plans. On July 8, 2017 China’s State Council released its “New Generation AI Development Plan”[2] to advance Chinese artificial intelligence in three stages, at the end of which, in 2030, China would lead the world in AI theory, technology, and applications.[3] The announcement piqued the interest of the world’s techno-literati[4] in light of the plan’s unabashed goal of world hegemony, its state backing, and a well-founded belief that China is already a major AI player.[5] Although China still lags in semi-conductor design and basic AI research, it is moving to address—or circumvent—these problems, lending credence to its long-term aspirations.

Why Xi Jinping's iron-grip over China faces its biggest threat yet with rising fears he could be OVERTHROWN amid the weakest economic growth in 45 years - and how Australia stands to benefit

STEPHEN JOHNSON

Xi Jinping's position as China's President could be threatened from within his Communist Party if economic growth plunges, a national security expert says.

The authoritarian leader's crackdown on billionaires as part of a 'Common Prosperity' drive could destroy economic growth while a curb on essential exports could see other countries like Australia create their own supply chains to diversify away from China.

While China is the top trading partner for 130 nations, its trade sanctions on Australia have backfired, with a ban on coal for political reasons causing widespread blackouts this year.

Oxford Economics is forecasting China's growth plunging to just one per cent in 2022 should property giant Evergrande's debt woes spread to other parts of the economy.

This would be the weakest gross domestic product expansion since 1976, the year China's Cultural Revolution ended with the death of Communist dictator Mao Zedong.

At that rate, the economy would also be growing at less than half the 2.3 per cent pace of 2020 when China went into a hard lockdown.

Michael Shoebridge, the Australian Strategic Policy Institute's director of defence, strategy and national security, said the Chinese Communist Party's authoritarian legitimacy depended on them delivering economic prosperity.

Israel, Jordan, and the UAE’s energy deal is good news

Bruce Riedel and Natan Sachs

This week in Dubai, Israel, Jordan, and the United Arab Emirates (UAE) signed Israel and Jordan’s biggest energy and water deal since the neighbors made peace 27 years ago. If implemented, this will be a diplomatically transformative deal for a region facing some of the worst consequences of climate change, as noted by U.S. Climate Envoy John Kerry, who was also present at the signing. While the scope is very modest in terms of global mitigation of climate change, it will have a huge impact on Jordan’s effort at climate adaptation.

The deal is the product of intense three-way negotiations. The idea was initially proposed by EcoPeace Middle East, an Israeli-Jordanian-Palestinian non-governmental organization, which outlined a desalinated water-energy community between Israel, Jordan, and Palestine as part of a proposal called a “Green Blue Deal for the Middle East.” (The Palestinian director of EcoPeace discussed water security at a Brookings conference, “The Middle East and the New U.S. Administration,” in February 2021).

Saudi Arabia Energy Profile: Maintains World’s Largest Crude Oil Production Capacity – Analysis

 EIA

Saudi Arabia holds 15% of the world’s proved oil reserves.[1] It is the largest exporter of crude oil in the world[2] and maintains the world’s largest crude oil production capacity at nearly 12 million barrels per day, including capacity from the Neutral Zone that is shared with Kuwait.[3] Saudi Arabia is the largest crude oil producer in OPEC and the second-largest total petroleum liquids producer in the world after the United States (Figure 1).[4]

Saudi Arabia, one of the key members of the OPEC+ agreement, reduced production in order to rebalance the global oil market, reduce record-high oil inventory levels, and stabilize volatile crude oil prices in 2020 as a result of the economic downturn and restriction measures taken as a result of the global COVID-19 pandemic. Saudi Arabia initially reduced its production by 3.1 million barrels per day (b/d) as part of the OPEC+ agreement that began in April 2020.[5] Saudi Arabia has increased production each month since February 2021, and, by October 2021, their production returned to an estimated 9.8 million b/d, similar to the level at the beginning of 2020.

Map of Saudi Arabia. Credit: CIA World Factbook

What AlphaGo Can Teach Us About How People Learn

David Silver 

David Silver is responsible for several eye-catching demonstrations of artificial intelligence in recent years, working on advances that helped revive interest in the field after the last great AI Winter.

At DeepMind, a subsidiary of Alphabet, Silver has led the development of techniques that let computers learn for themselves how to solve problems that once seemed intractable.

Most famously, this includes AlphaGo, a program revealed in 2017 that taught itself to play the ancient board game Go to a grandmaster level. Go is too subtle and instinctive to be tamed using conventional programming, but AlphaGo learned to play through practice and positive reward—an AI technique known as “reinforcement learning.”

In 2018, Silver and colleagues developed a more general version of the program, called AlphaZero, capable of learning to play expert chess and shogi as well as Go. Then, in November 2019, DeepMind released details of MuZero, a version that learns to play these and other games—but crucially without needing to know the rules beforehand.

Silver met with senior writer Will Knight over Zoom from London to discuss MuZero, reinforcement learning, and the secret to making further progress in AI. This transcript has been edited for length and clarity.

To Deter China, Invest in Non-Strategic Nuclear Weapons

Christopher Yeaw

Escalation. It’s Indiana Jones pulling out a revolver in response to the whirling blades of the Arabian fighter. It’s also Russia or China employing ultra-low-yield theater nuclear weapons in conflict to stun the United States and our allies into submission to achieve ambitious strategic goals. Escalation is funny in a movie but deadly serious in real life.

The U.S. has suddenly awoken to the realization that it is in the unenviable situation of facing two nuclear-armed peer competitors who have positioned themselves favorably regarding the net nuclear balance and are looking to exploit that for strategic gains.

Russia has, of course, maintained its parity with the U.S. in the area of so-called “strategic” (that is, treaty accountable) nuclear weapons, also retaining a more rapid and sizable upload capacity while also developing new exotic intercontinental-range nuclear weapons outside of the NST treaty. But it has also finished the bulk of a vast modernization program for its “non-strategic” nuclear weapons, none of which are treaty accountable, developing and fielding several thousand such warheads across an enormous variety of weapon systems with the plans for credible employment.

The World Is Starting to Doubt Biden’s Promise That ‘America Is Back’

Emma Ashford and Matthew Kroenig

Emma Ashford: Hey, Matt, I have a question: Why do the new COVID-19 variants always sound like they were created by James Bond villains? I mean, omicron is the perfect name for an evil secret society.

Matthew Kroenig: Ha! Hi Emma, good question. As you know, the World Health Organization uses the Greek alphabet and rumor has it that talking about the “nu variant” would confuse people and then they skipped over xi, directly to omicron, for obvious geopolitical reasons.

I just hope we never make it to omega; I am over this pandemic.

What do you make of the threat posed by this new—but not nu—variant and the swift international response, including tougher travel restrictions by the United States?

EA: It’s like being stuck in a time warp: a new variant, new travel bans, and politicians talking about how dangerous this new variant might be without any actual evidence. Then there are others talking about how this variant might be beneficial because it’s milder than delta, again with very little evidence. I’m certainly no epidemiologist, but it seems premature to jump immediately to further bans and shutdowns when we know nothing at all about this variant and the disease is widespread already.

The Battle for Khartoum Exposes Waning U.S. Influence

Colum Lynch, Robbie Gramer

More than 15 years ago, when Sudan’s warring leaders decided to end Africa’s longest–running civil war, they turned to the United States, the world’s undisputed superpower, to broker the peace. Today, the United States is merely one in a crowd of diplomatic players and hardly the most decisive, seeking to resolve Sudan’s greatest political crisis in a generation.

In the weeks since Sudan’s military leader, Gen. Abdel Fattah al-Burhan, took control of Sudan’s transitional government in a military coup, the United States has been largely on the sidelines, distracted by fears of neighboring Ethiopia’s breakup, competing for influence with a number of regional players, and divided internally over how to respond to Sudan’s generals.

The Biden administration’s two top officials overseeing Sudan have clashed sharply over imposing sanctions on Khartoum’s generals, exposing a diplomatic turf battle that has complicated efforts to fashion a common U.S. strategy for resolving the African country’s monthslong political crisis.

The internal rift pitted Jeffrey Feltman, the U.S. envoy for the Horn of Africa who favors sanctioning Khartoum’s generals, against Molly Phee, the U.S. assistant secretary of state for African affairs who prefers a more conciliatory approach to Sudan’s military leaders. During a recent visit to Khartoum, Sudan, Phee refused Feltman’s offer to have his deputy accompany her on her meeting with Sudanese military leaders, according to several current and former officials familiar with the matter.

Will Artificial Intelligence Help or Hurt Cyber Defense?

Dan Lohrmann

“The U.S. is struggling with a labor shortage that is hobbling its economic recovery, but companies are not sitting still as they work to keep production up and running. As these job vacancies increase, they are turning to automation to pick up any slack.

“Orders for new robots have reached an all-time high in 2021.”

“From fast food to farming, Covid-19 has accelerated the rise of the worker robots. This in turn will put more jobs at risk and makes the need to reframe society ever more urgent.”

Nevertheless, the article from The Guardian also points out:

“There can be no doubt that the pandemic and the associated worker shortage are accelerating the drive toward deploying artificial intelligence, robotics and other forms of automation. In the UK, the trend is being further amplified as Brexit’s impact on the workforce becomes evident. However, the reality is that most of these technologies are unlikely to arrive in time to offer a solution to the immediate challenges faced by employers. …

“Over the course of a decade or more, however, the overall impact of artificial intelligence and robotics on the job market is likely to be significant and in some specific areas the technologies may lead to dramatic change within the next few years. And many workers will soon confront the reality that the encroachment of automation technology will not be limited to the often low-paying and less desirable occupations where worker shortages are currently concentrated. Indeed, many of the jobs that employers are struggling to fill may prove to be highly resistant to automation. At the same time, better-paying positions that workers definitely want to retain will be squarely in the sights as AI and robotics continue their relentless advance.”

Which brings us to the question of AI. The number of current (and future) jobs that can truly be filled by robots will depend on advances in AI — which many are putting under the umbrella of “automation.”

For example, one recent article offers “43 Jobs That’ll Soon Be Lost to Automation”: “Workers have long feared losing jobs to newcomers, but the threat has changed in the digital age, with automated technologies posing a new form of competition. With 2.3 million already present in the global workforce, robots are now projected to supplant 20 million manufacturing jobs by 2030, including 1.5 million in the United States. The shock of a pandemic is expected to accelerate this shift, as industries turn to technology to alleviate financial losses. The jobs that follow are poised to become increasingly automated, including order-taker positions at your local McDonald's.”

This hostile threat landscape has led organizations such as Microsoft to use AI as part of their internal and external cybersecurity strategy. “We’re seeing this incredible increase in the volume of attacks, from human-operated ransomware through all different kinds of zero-day attacks,” said Ann Johnson, corporate vice president of security, compliance and identity at Microsoft.

One of the most high-profile uses of AI this year occurred at the Olympic Games in Tokyo, when Darktrace AI identified a malicious Raspberry Pi Internet of Things (IoT) device that an intruder had planted into the office of a national sporting body directly involved in the Olympics. The solution detected the device port scanning nearby devices, blocked the connections, and supplied human analysts with insights into the scanning activity so they could investigate further.

“Darktrace was able to weed out that there was something new in the environment that was displaying interesting behavior,” Darktrace Global Chief Information Security Officer Mike Beck said. Beck noted there was a distinct change in behavior in terms of the communication profiles that exist inside that environment.

THE DARK SIDE OF AI

Back in May, I wrote this piece asking, “AI Is Everywhere — Should We Be Excited or Concerned?”

I covered plenty of good, bad and ugly examples of AI in that blog, and I also previewed a talk by Bruce Schneier that he gave at the 2021 RSA Conference. Schneier believes that, initially, AI analysis will favor hackers. “When AIs are able to discover vulnerabilities in computer code, it will be a boon to hackers everywhere,” he said.

Here is that full keynote presentation by Schneier:

“The large part of the problem, as both experts see it, is that attackers are using A.I. and automation on a less complex but still very effective scale that allows them to exploit flaws in security systems. …

“'The bad guys are crushing many of us in terms of automation,' he said. 'They're getting much, much better at using intelligent systems and A.I. to do reconnaissance, which allows them to narrow down targets very effectively. They're usually using AI to decompose software to figure out where vulnerabilities exist extraordinarily effectively.'

“When asked to offer advice at the conclusion of the event, Roese offered up a simple idea: ‘Don’t view A.I. in the security context as an added feature. You have to treat it as a core component of all things security, just like all things business process or all things application. Don’t compartmentalize it into a specialist team that, in isolation, deals with A.I. Develop and invest in the capability across the entire organization because it’s a tool, and if you don’t use it everywhere, you’re basically leaving something on the table.’”

The Council on Foreign Relations recently wrote about AI code generation and cybersecurity, stating that AI will revolutionize the way that we write computer programs. The U.S. government and industries need to invest in AI as a cybersecurity tool.

“With software becoming more secure and adept at defending against malware, the cyberattack threat environment has shifted towards phishing. But unlike in the past, where these attacks were predominantly email-driven, hackers are now focused on multiple channels such as mobile devices, apps, and web pages. Since phishing is a human problem that exploits emotions and deals with the psychology of fear and uncertainty, conventional computing methods are not sufficient to defend against them. One of the biggest problems? The browser.”

FINAL THOUGHTS

As I keep coming back to this topic of robots, AI, jobs, the future and cybersecurity, I ponder what current solutions will become problems. What are we creating now that we will later regret? It’s a very difficult topic to get your arms around, and one that I believe we need to keep re-examining.

“A large number of respondents argued that geopolitical and economic competition are the main drivers for AI developers, while moral concerns take a back seat. A share of these experts said creators of AI tools work in groups that have little or no incentive to design systems that address ethical concerns.

"Some respondents noted that, even if workable ethics requirements might be established, they could not be applied or governed because most AI design is proprietary, hidden and complex. How can harmful AI 'outcomes' be diagnosed and addressed if the basis for AI “decisions” cannot be discerned? Some of these experts also note that existing AI systems and databases are often used to build new AI applications. That means the biases and ethically troubling aspects of current systems are being designed into the new systems. They say diagnosing and unwinding the pre-existing problems may be difficult if not impossible to achieve.”

Can-Do Is Not Working: A continuously high operational tempo hinders readiness.

Lieutenant Jeff Zeberlein

For the past 20 years, the nation’s military has operated in largely uncontested environments, establishing maritime sanctuaries and air superiority with relatively few constraints. But in 2018, the National Defense Strategy (NDS) warned that the U.S. “competitive military advantage has been eroding.”[1] Signed by then–Secretary of Defense James Mattis, it states that “inter-state strategic competition, not terrorism, is now the primary concern in U.S. national security.”[2] In March 2021, President Joseph Biden’s Interim National Security Strategic Guidance (INSSG) reaffirmed that China and Russia have “invested heavily in efforts meant to check U.S. strengths and prevent us from defending our interests and allies around the world.”[3]

But the Navy’s force is strained—mentally, physically, mechanically—from the toll of continuous war. If the service is to prepare for strategic competition, maintenance and modernization programs need updating, the best enlisted sailors and officers must be retained to lead in future conflicts, and new recruits must be trained for the front lines.

U.S.-China Tech Decoupling Accelerates With New Export Controls on Chinese Quantum Computing Companies

Brian Liu, Raquel Leslie

Decoupling between the United States and China accelerated in late November as both countries adopted new trade restrictions against the other. On Nov. 24, the U.S. Commerce Department announced export controls on eight Chinese quantum computing companies. A week prior, Bloomberg reported on new import controls created by a quasi-governmental Chinese industry panel known as the “Xinchuang committee,” which effectively blacklists technology companies that are more than 25 percent foreign-owned from supplying sensitive industries.

In a press release, the Commerce Department stated that it added the eight Chinese quantum computing companies to the Entity List in an effort to “prevent U.S. emerging technologies from being used for the [Chinese military’s] quantum computing efforts.” American companies are barred from exporting certain products to companies on the Entity List without applying for a special license from the Commerce Department; such licenses are rarely approved. The list was created in the late 1990s to address weapons proliferation, but it has since evolved into a general tool to protect U.S. security and economic interests.

The internet is a battleground. Will democracies win?

Jessica Brandt

Democracies are engaged in a persistent, asymmetric competition with autocracies in the information space. Russia and China each make use of information manipulation campaigns to achieve their geopolitical goals: denting the global prestige of democracy, weakening multilateral institutions that could constrain their activities, and punishing those who would hold them accountable. Russia seeks to rend democratic societies from within, exacerbating domestic political fissures and distracting democratic governments from playing an assertive role in international politics. China seeks to highlight the strengths of its governance model and push back on criticisms of its rights record in order to position itself as a responsible global leader.

To succeed in this contest, liberal democracies need an affirmative strategy. The information domain is perhaps the most consequential terrain over which states will compete in the decades to come. To master it, democracies must take advantage of their strengths and frame the competition on their own terms. The Biden administration’s virtual Summit for Democracy is an opportunity for the United States to rally its democratic partners to make progress toward that aim.

NATO Must Adapt to an Era of Hybrid Threats

JOHN R. DENI

As the foreign ministers of the NATO allies met this week in Riga, Latvia, they did so against the backdrop of an increasingly tense geopolitical situation in Eastern Europe. Large numbers of Russian forces remain deployed not far from Ukraine’s borders, postured for offensive military action. And Minsk announced on November 29 that it was prepared to conduct large-scale exercises with Russia near Ukraine’s border.

Although Ukraine is not a NATO ally—and therefore not covered by the alliance’s mutual defense clause—another Russian invasion there would greatly destabilize Central and Eastern Europe. NATO allies Poland, Romania, and the Baltic States would all perceive a renewed existential threat. They would very likely call for NATO to respond with efforts to bolster the alliance’s eastern flank.

To its credit, NATO has done much over the last several years to prepare for and deter a traditional attack from Russia. A reinvigorated NATO defense planning process has improved allied capabilities, readiness initiatives have shortened alliance response times, and allies have re-embraced territorial defense. It is likely that a Russian military assault against Estonia or Lithuania, for instance, would result in a strong, unified response that would ultimately defeat and expel the invading force.

How Migrants Got Weaponized: The EU Set the Stage for Belarus’s Cynical Ploy

Mark Galeotti

Over the past month, as thousands of migrants gathered on Belarus’s border with Poland and tried to cross into the European Union, some European leaders accused Belarusian President Alexander Lukashenko of engaging in a “hybrid war.” In an effort to put pressure on the EU, they asserted, Lukashenko intentionally sent the migrants to the border with Poland and left them exposed in a freezing forest. Ylva Johansson, the European commissioner for home affairs, called it a new way of “using human beings in an act of aggression.” But if the strategy was extreme, the forces driving it have long.

Will Putin Invade Ukraine (Again)?

Owen Matthews, Michael Weiss

Just three months ago, the world seemed to be going President Vladimir Putin’s way.

In May, the United States dropped sanctions on the Russian state gas company Gazprom’s Nord Stream 2 pipeline, opening the door to yet more European customers being locked into Russian gas supplies.

In June, a three-hour summit in Geneva between Putin and U.S. President Joe Biden had been cordial — far more so than might have been expected given Biden’s campaign rhetoric about Russia. Biden asserted (whether or not he believed it) that Russia “did not want a new Cold War.” And Putin praised Biden’s “experience” and said that the two leaders “spoke the same language.” They agreed to cooperate on cybercrime and terrorism and set up working groups on strategic arms control.

The anti-Kremlin posture of the Democratic Party also appeared to have diminished. A year ago, senior Democrats were blasting Putin for allegedly suborning the Taliban to kill U.S. troops in Afghanistan and warning of continued Russian interference in U.S. elections — a finding consistent with the incoming Biden administration’s own intelligence assessments. But by late September, U.S. Deputy Secretary of State Wendy Sherman and Russian Deputy Foreign Minister Sergei Ryabkov were elbow-bumping after talks on “strategic stabilization” in Geneva. U.S. officials described the negotiations as “detailed and dynamic.” Ryabkov called them “the start of a journey … there are no unbridgeable gaps.” That same month a visit by Putin’s archenemy, Ukraine’s President Volodymyr Zelenskyy, to the White House yielded warm words but a gentle yet firm rebuff to Kyiv’s continued pleas to join NATO. True, Biden announced a $60 million military aid package to Ukraine in September, added to a prior $125 million subvention from March — but the combined total is still 335 times smaller than Russia’s 2020 military spend of $62 billion.

Making the Military Climate-Ready for What Truly Matters – Modern Warfighting

Tim Gallaudet

Secretary of Defense Lloyd Austin has expressed his commitment to include climate considerations as an essential element of our national security. This is not new to the DoD, and the recently released DoD Climate Adaptation Plan details the intended efforts by the Department to make the military more climate-ready. This is a wide-ranging plan, covering everything from training and installations to supply chains. Unfortunately, the breadth and depth of the document dilute what should be its primary focus – warfighting. The topic is indirectly addressed in a Line of Effort on “Climate Informed Decision Making,” but the closest it gets is to direct the Department to incorporate climate change considerations in warfighting concepts and doctrine and develop appropriate decision support tools.

Much more needs to be said on these concepts, doctrine, and tools, especially in view of the move to distributed, all domain operations – which is not even mentioned in the document. Let’s take a look at these concepts, beginning with distributed operations. The Navy made the move to Distributed Maritime Operations (DMO) in 2015 with Naval Surface Forces’ Distributed Lethality Strategy. At the time, I was in charge of the Navy Meteorology and Oceanography Command, with the mission to provide the Navy’s operational forces with climate, weather, and ocean information to ensure their safety and effectiveness. We had the responsibility to prevent mission-kills from the environment in Naval strike warfare, anti-submarine warfare, Naval Special Warfare, Marine Corps ground force maneuver, and Joint intelligence, surveillance, and reconnaissance (ISR). Distributed lethality and later DMO required naval forces to shift to a more dispersed operational footprint over a larger geographic area. That meant my job got a lot harder because we had more microclimates and weather regimes to forecast simultaneously for any given operation. Now, the entire DoD has embraced a similar disaggregated operating concept called expanded maneuver.

AFTER THE INFO-APOCALYPSE (AA) (PART 1) – TECH THE UNTAMED

Satya Nadella

The Information Apocalypse series examined the decline of trust and truth in American Institutions over the past several years, from the effects on news and information but more critically, on ideas and values. The series explored the role of leaders in a polemicized society, and the necessity for reliance on logic, common sense and rejecting the rush to judgment that has become society’s norm. In the emerging post-Info-Apocalypse era, the main conflict seems to be one of control as increasing public awareness of the powerful role of technology in our lives and its effects as both an unwitting accelerant in spreading misinformation and as a nascent arbiter of communication norms and values.

After the Info-Apocalypse examines the issues with society’s biggest elephant in the room – ‘Big Tech’ (Alphabet, Google, Facebook (now Meta) and Apple) companies and their exercise of control over consumer data and privacy, their ability to manipulate information platforms and their massive power in the global marketplace. This series will explore society’s burgeoning response to Big Tech – whether through government regulation, court challenges from companies demanding a level playing field, or regulatory attempts to hold the behemoths accountable, whether in terms of response to digital crime, or in curbing their influence on national security, society, and politics and culture.

The European Union has taken the first steps to limit digital technology’s vast influence on modern life and commerce. The U.S. is just beginning to see similar action unfold, in the case of states’ enactment of privacy legislation, or from lawsuits challenging how Big Tech limits competition. While these beginning actions hold promise of protection for consumers and small business alike, the road ahead is complex and contentious.

The Odd Couple and the End of an Era

JAMES E. GOODBY

George Kennan made public his ideas about what became the American Cold War strategy of containment in 1947 in an essay published by Foreign Affairs under the pseudonym “X”. The article was based on the “Long Telegram,” a strategic analysis of the sources of Soviet conduct he had written and sent as a cable while posted in Moscow in 1946. One question that he obviously thought he had to address was: How does it all end?

Kennan’s answer was strikingly close to what actually happened to the Soviet Union more than four decades later, in December 1991: “If … anything were ever to occur to disrupt the unity and efficacy of the Party as a political instrument, Soviet Russia might be changed overnight from one of the strongest to one of the weakest and most pitiable of national societies.” His rhetoric got a bit out of hand with adjectives like “overnight,” “strongest,” “weakest” and “pitiable,” but the general sense of his prediction was spot on.

In his “X” article, Kennan did not venture to discuss the possibility that the leaders of the two bitter Cold War protagonists, the Soviet Union and the United States, could ever become partners in the global political arena. In fact, he ruled that out for what he called “the foreseeable future.” With no evidence to suggest that a Reagan and a Gorbachev would emerge simultaneously at the tops of their respective governments, he could not have anticipated what took place during the 1980s. Selling containment as the preferable alternative to a war that then seemed all too likely was uppermost in his mind.

What the Internet Bug Bounty Teaches About Open-Source Software Security

Jonathan Reed 

The security platform HackerOne recently announced the latest version of their Internet Bug Bounty (IBB) program. The IBB strives to enhance open-source software security by pooling resources and encouraging security experts (they call themselves hackers) to find flaws in open-source software (OSS).

Now, the program has introduced a new crowd-funding method. This enables more organizations to use the IBB to secure open-source needs in their software. Other program partners include Elastic, Facebook, Figma, GitHub, Shopify and TikTok. These companies, like nearly every digital brand, all depend on open-source software.

The use of OSS has exploded lately. What’s the history and motivation behind Bug Bounty? And what are the important OSS security issues to be aware of? Take a look at the risks of open-source software and the latest efforts to mitigate them.

Why Open Source Software Security Matters

Due to rising demand for rapid development and ongoing iteration, developers are leveraging open-source frameworks and libraries more often. Everyone wants to fast-track development life cycles, and OSS works great for this.

Democratizing harm: Artificial intelligence in the hands of nonstate actors

Sarah Kreps

Advances in artificial intelligence (AI) have lowered the barrier to entry for both its constructive and destructive uses. Just a few years ago, only highly resourced states and state-sponsored groups could develop and deploy AI-empowered drones, cyberattacks, or online information operations. Low-cost, commercial off-the-shelf AI means that a range of nonstate actors can increasingly adopt these technologies.

As the technology evolves and proliferates, democratic societies first need to understand the threat. Then they can formulate effective policy responses. This report helps them do both. It outlines the contours of AI advances by way of highlighting both the accessibility and appeal to nonstate actors such as terrorist, hacking, and drug trafficking groups. Based on the analysis, effective or feasible policy responses are unlikely to include outright bans on AI or autonomous vehicles that rely on AI because of questions about enforceability. AI is so diffuse that such bans are not practical and will not be effective. Instead, public-private partnerships will be key in incorporating software restrictions on commercial robotics, for example, which would address the potential consequences of nonstate actors using AI to program the flight and targeting of a drone.

Cultivating a broader and deeper talent pool in the science, technology, engineering, and math (STEM) fields will also help enrich the ability of democratic states to guard against the misuses of AI-enabled technology. Lastly, democratic societies should work together to develop ethical use norms, which may not preclude the misuse by nonstate actors but at least create guardrails that present obstacles to the export of harmful AI technologies from states to non-states and can shape the ways nonstate actors consider using these technologies.

CIA Deputy for Digital Innovation Talks Mission, Partnerships and Espionage Challenges


Ewbank, who spent much of her career with the Agency running overseas operations, noted at The Cipher Brief Threat Conference, not only how U.S. adversaries have upped their digital game, but also how the agency has been “grappling with how to manage the explosion in volume and variety of data fueled by technological change,” saying, “It has transformed the intelligence business in many of the same ways it’s transformed the commercial marketplace and the global economy as a whole.”

Below is her perspective on the evolving digital landscape, the hazards and opportunities within and what it means for the organization she leads at CIA. Her comments have been lightly edited for clarity.

Jennifer Ewbank is the Deputy Director of CIA for Digital Innovation, responsible for accelerating the development and integration of digital and cyber capabilities across all of CIA’s mission areas. She also focuses on enterprise information, technology, cyber operations and analysis, data strategy, artificial intelligence, open source collection, and reporting.

Hacking the Supply Chain

Greg Hadley


Testifying before the Senate Armed Services readiness subcommittee in April, Dr. Raymond D. O’Toole Jr., then acting director of operational test and evaluation for the Pentagon, dropped a verbal bombshell.

Rattled, Sen. Dan Sullivan (R-Alaska), the ranking member on the subcommittee, quickly followed up. “I hope our adversaries aren’t watching this hearing. They often do watch these hearings. But what in the hell are we going to do to close that gap?” he said. “That is shocking and, well, concerning.”

Six months later, Sen. Tim Kaine (D-Va.), the panel chair, recalled the incident while questioning Nickolas Guertin, the Biden administration’s nominee to lead operational test and evaluation.

“Senator Sullivan and I both looked at each other and said, ‘Is this an open hearing?’” Kaine said of his reaction to O’Toole. “And the witness, Dr. O’Toole said, ‘I got this cleared for delivery of testimony in an open hearing.’ But it troubled us greatly.”

The Defense Department’s cyber challenges are enormous. Systems increasingly rely on software code, much of it incorporating open-source components. Growing dependence on cloud-based systems to host databases and computer workloads also expanded the Pentagon’s attack surface. Conventional cyber defenses based on keeping hackers out of DOD networks have given way to new strategies built on protecting the data inside the network, because that’s what hackers are after.

Some see the principal challenges as developing a more cyber-capable workforce, as O’Toole suggested; Guertin suggested the issue is more about integrating cybersecurity into the systems development process from the very beginning. The reality is that in an increasingly connected world, every weapon system is a cyber target.

OUTLINE THE THREAT

As far back as January 2013, a Defense Science Board task force report, “Resilient Military Systems and the Advanced Cyber Threat,” warned that adversaries could exploit cyber vulnerabilities to:

Degrade and sever communications;

Manipulate and corrupt data;

Cause weapons to fail; and, potentially,

Destroy weapons or systems.

China, Russia, Iran, and North Korea all see cyber as presenting an opportunity to counter American advantages in military technology by exploiting it as the soft underbelly of U.S. defense. A large-scale attack across infrastructure and the military, the report said, could “impose gradual wide scale loss of life and control of the country and produce existential consequences.” For such an attack to occur, it added, “there must be an adversary with both the capability and intent to conduct the attack.”

Klon Kitchen, a senior fellow at the American Enterprise Institute who worked on creating the U.S. Cyberspace Solarium Commission, said it’s not hard to imagine today which adversaries might be so capable. “China has … a capability, and an intention, and a demonstrated history of leveraging its access to supply chains to gain access to information, to exfiltrate data, to insert vulnerabilities that they can leverage later,” he told Air Force Magazine.

Kevin Coggins, a vice president at Booz Allen Hamilton and the head of its Positioning, Navigation, and Timing practice, said cyber vulnerabilities transcend the computer world and threaten the physical world, as well.

“It sounds real sci-fi, but you can literally stop things from working,” Coggins said. “People used not to think of cybersecurity with respect to a weapon system, because you only saw what the weapon system did, right? That thing hits a target and blows a building up. That thing flies through the air, that thing orbits the Earth,” he continued. “But those things are [also] computers. Every single one of them has a computer at its core and information coming into it and out of it. And that defines enough attack surface right there to start thinking about cybersecurity.”

The F-35, as former Air Force Chief of Staff Gen. David L. Goldfein has said, is “a computer that happens to fly.” Modern, digitally enabled weapons are networked to sensors and communications links in space. And Goldfein’s dream of multi-domain command and control—what the Pentagon now calls joint all-domain command and control—is effectively a “military Internet of Things,” as former Air Force acquisition chief Will Roper dubbed it.

The trouble is, there’s no such thing as a hack-proof system. If it can be built, it can be compromised. Iran’s cyber warfare unit famously captured control of an American RQ-170 surveillance drone a decade ago. The incident highlighted the potential vulnerabilities of such systems, as well as the fact that it doesn’t take a world power to develop such capability. Meanwhile, China and Russia have honed their cyber skills, penetrating U.S. government and industry networks, exfiltrating unknown volumes of data, and raising the stakes in information warfare.

“The military writ large is in the middle of this pivot toward near-peer competition … but we’ve been there in the cyber realm for a while—a lot longer than we’ve been there in the kinetic realm,” said Kevin Fogarty, defense and civil chief technical officer for Dynetics Aerospace. “So, as we turn our kinetic capability toward near-peer competition, we need to understand where we’re at with our cyber capabilities and where our adversaries are. And then we need to understand the impact that has on the legacy systems that we’ve got out there, as well as the new systems we’re procuring. Because anything that’s sitting out there on a network, anything that’s moving a bit or byte around, is a cyber target.”

U.S. Air Force Staff Sgt. Stephanie Dias, 60th Communications Squadron cyber transport systems technician, configures a network switch at Travis Air Force Base, Calif. The military used to focus on protecting its networks, but recent strategy tilts toward protecting the data stored and moving through the network.

PROTECTING THE SUPPLY CHAIN

Cyber vulnerabilities begin in the development stage. “Obviously potential vulnerability goes up if you can steal the entire plans for weapon systems,” said Laura Brent, a senior fellow in the Technology and National Security Program at the Center for a New American Security.

Securing contractors’ networks is really the very first line of defense. The Cybersecurity Maturity Model Certification establishes cybersecurity standards and training for contractors and is a good first step. Securing the digital supply chain, including computer chips and sub-assemblies made offshore, however, is another thing entirely.

“Most chips are not made in the U.S. anymore,” noted Ann White, a principal at Booz Allen with a background at the NSA. “And so we’re looking at how you identify vulnerabilities associated with the manufacturing process and that supply chain. How can they be switched out?”

Most of those parts are made in Taiwan, China, and South Korea; concern over parts manufactured in China is particularly high.

Specific vulnerabilities related to China’s role in the supply chain are classified, but the implications of such a threat are clear.

“Imagine if [China] had gotten into the chip supply chain in such a way as to where they could turn off navigation systems in military aircraft,” Kitchen said. “Or if they could disrupt communications capabilities at sea, or if they could throttle power on fundamental systems inside any of our platforms.”

In the recent SolarWinds hack, Russia was able to compromise hundreds of companies and federal agencies, including DOD and cybersecurity specialist FireEye, which discovered the breach. The hackers penetrated the SolarWinds system and then bided their time, employing a long-term strategy to spread their malware by attaching it to a legitimate update, which then spread naturally to SolarWinds customers.

And even if the Pentagon is able to secure the IT systems of contractors and ensure the supply chain is safe, highly sophisticated attacks like that one are hard to detect.

“The user is a vulnerability … how the user interacts with the system,” White said.

Clicking on deceptive links in emails or on websites, downloading files shared by a colleague (or apparent colleague), and taking other routine actions that anyone might experience in a normal workday can all result in accidentally enabling a cyber attack.

Once in the system, malware can exfiltrate data or manipulate data, causing a system to produce bad results, to crash, or to fail. “If you cause a processor on an autonomous drone or a missile or a sensor on a satellite to crash, there’s no one there to hit a reset button,” Coggins said. “And if you didn’t design it to recover from that, it’s done. It’s toast until it resets and recovers.”

The Stuxnet attack used to infiltrate and damage an Iranian uranium enrichment plant caused the plant’s centrifuges to malfunction and effectively destroy themselves. Commonly attributed to Israeli and U.S. cooperation, it was one of the first known instances of a computer virus that directly impacted the physical world.

“Something very similar can be done in a whole host of systems, right?” Kitchen said. “I mean, you could shut down cooling systems, and therefore everything else that depends on those cooling systems within all these different platforms could overheat and stop working, right? … There’s essentially no shortage of ways that you can do bad things if you’ve got this kind of access.”

Digital twins provide a virtual test bed for every aspect of a system, enabling engineers to envision how weapons perform as inputs change, including if bad data or malware is introduced. Chris Quinlan and John James/USAF

CURRENT EFFORTS

The Government Accountability Office first identified cybersecurity as a high risk in 1997. Today, while overall security is greater and more effective than ever, the range of systems accessible to hackers has grown exponentially. A 2021 GAO report praised the Air Force’s Cyber Resiliency Office for Weapon Systems for its servicewide guidance on how to define cybersecurity requirements for acquisition systems and how to incorporate them into contracts.

The Air Force’s “System Security Engineering Cyber Guidebook” integrated cybersecurity into the development process, applying an approach similar to the “DevSecOps” mindset used in agile software development, where developers, security specialists and operators all work on new systems in parallel, rather than one after the other. And the crossover between cybersecurity approaches in software and hardware shouldn’t end there, Fogarty said.

“The term ‘zero trust’ doesn’t just apply to your computer network. That needs to apply to our weapon system architecture. … So we really need to look at those constructs, some of the guidance coming out, and make sure we translate those correctly from an IT world into a cyber-physical weapon system,” Fogarty said.

Another approach from the IT world that should carry over to a weapon system’s cyber defenses, Coggins said, is that of iterative updates, where cybersecurity is never considered perfected or finished.

“It’s not just, ‘give me a requirement for an iPhone, I’m going to build you an iPhone and deliver it.’ It’s, ‘build me a capability that you can continuously upgrade and that can continuously pace the threat’—as the threat changes, it’s easy to change the capability,” Coggins said. “Historically, we haven’t designed weapon systems to be updatable or easy to change.”

Like the GAO, Coggins singled out the Air Force for its efforts in that regard, specifically praising Platform One, a DevSecOps platform for software designed to be hardened against threats while still flexible for different programs.

From the hardware side, cybersecurity can also be enhanced by “digital twins,” White added. Using a virtual replica of a weapons system through the development and testing phases allows agencies and contractors to “simulate attacks, simulate mitigations, and then evaluate their effectiveness,” she said.

Overall, increased testing has been a central component of how Congress has tried to address the issue—the 2021 National Defense Authorization Act required the Secretary of Defense to establish policies for periodically testing major weapon systems for cyber vulnerabilities, and the legislature has provided funding for pilot programs aimed at developing a cyber-capable workforce like O’Toole said the Pentagon needs.

Yet even with acquisition requirements, iterative updates, and increased testing, the threat remains so widespread, so pervasive that “it’s important to realize that 100 percent security, whether that’s cyber or otherwise, is probably not achievable,” Brent warned. “So what is an acceptable amount of risk while still allowing achievement of mission critical functions?”

The F-35A is more than a fighter airplane; it’s a flying sensor and data center, able to accumulate and share troves of data and is built of millions of parts that must be sourced across a global supply chain. Staff Sgt. Andrew Sarver

RISK ASSESSMENT AND RESILIENCY

Defining an acceptable level of risk for cybersecurity is especially critical given some of the realities the Pentagon and the Air Force face, like constrained budgets and legacy systems designed and built in a different era.

“I think a lot of our systems made assumptions in terms of … an IT system needed cybersecurity, but these systems with microcontrollers, processors in them that didn’t connect to the internet, didn’t need cybersecurity,” White said.

And in a different time, the risks associated with that mindset weren’t as great—systems were “stove-piped … they had their own command and control system with them,” Fogarty said. “You could protect that system, or not protect that system, but there wasn’t a lot of lateral movement an adversary could do.”

Now, with JADC2 aiming to connect sensors and systems like never before, “you’re only as strong as your weakest link,” Brent said—even systems developed with cybersecurity in mind could be compromised by being connected to less secure systems. Fixing those less secure systems isn’t as simple as a quick software update either.

“It’s hard to push patches to older systems, because the act of putting the patch on them is hard, it’s difficult,” Coggins said. “The system may have to go back to a depot for someone to do it. In the new paradigm, you’ll be able to do it in the field, and it saves a lot of time and money. We’re trying to update many old systems right now. It may take five years to put one patch out.”

Over time, the systems being developed now—the ones developed with security in mind, tested more rigorously in those areas, and capable of receiving iterative updates—will replace the older ones. But that will likely take years. In the meantime, there are ways to address the gaps.

For one, “not every vulnerability has to be fixed, right?” White said. “If it’s not … operationally impactful, or the probability of it happening is very low, don’t fix that, right? Fix the ones that we know our adversaries know about and that are easy to impact, easy to execute, and that have a high operational effectiveness.”

Fixing the issue might not even involve deploying a software patch, Coggins added. Sometimes it’s as simple as training the person operating the weapon system.

“A good example is there may be some telemetry data coming from the satellite that they don’t pay attention to, because it’s just been benign for 20 years,” said Coggins. “We’ve flown GPS for a long time. But now there may be some indicators on the telemetry data of a certain attack that might have occurred, and so now you can detect it as an operator and then do something about it immediately.”

In that example, the satellite’s cybersecurity measures failed to prevent an attack—but the issue isn’t quite as simple as success or failure.

“I think often we approach some of these challenges in binary, does it work/doesn’t it work kind of ways,” Brent said. “And the answer is, even if it doesn’t work now, what is the time, how resilient is the system to be able to return into operation?”

And it’s not just the system that has to be resilient. The operator has to be able to use it even when circumstances aren’t ideal—“It’s not a matter of just knowing how to use your system, you’ve got to know how to use your system while the adversaries are actively attacking it,” Fogarty said.

That speaks to a broader need, multiple experts said, for DOD to continue to develop its workforce to be digitally fluent across the board, not just in specialized fields. Such a force will be necessary as weapon systems become increasingly digital themselves.

“Cybersecurity is not just about the computer, right?” White said. “I have a computer in my doorbell these days, right? I have a computer on … the spotlight that I have in my house. As everything becomes a computer, we have to think a lot more about those requirements and what that means for us in terms of attack surface for our adversaries and how we develop hardening and mitigation against those attacks.”