by U.S. Army Capt. Jerome M. Althoff
173rd Airborne Brigade
July 18, 2018
The terms Cyber Security, Cyber Space, and Cyber Domain are prevalent in all major news outlets and within the conference rooms of the Army. We hear about the establishment of Cyber Command, recently publicized attacks and breaches, and a need to “combat” or “operationalize” the digital domain. But what is Cyber in general? How can we visualize and implement realistic effects upon it? How do we understand it without a degree in computer science or a zeal for illicit technological pursuits? I will attempt to use three examples relating historical events to potential future cyber threats in order to express the vulnerabilities inherent in our use of technology. My hope is that we learn from the mistakes of the past in order to prevent similar mistakes in the future.
Find, fix, finish. This was one of the primary lessons I learned while at the Infantry Officer Basic Course. If you look back far enough, these three words summarize the basics of most combat situations. One significant tool used to finish is the flanking maneuver. Before the flank revolutionized warfare, two forces of equal weight meeting in close combat would trade blows and projectiles face-to-face until one side was exhausted. The innovation of the flank, as used by the Boeotian army in the battle of Leuctra in 371 BC, caught the Spartan army completely off guard by changing the alignment of the Boeotian force’s phalanx and hitting the Spartans from the side. The Spartan domination of Greece was shattered; their king and over half of their elite troops were killed by the successful deployment of the new tactic. While this historical battle shifted the balance of power within the Greek world, the modern-day flank will take on a significantly altered look.
In a technology-augmented modern military formation, a similar flank can be achieved via directed targeting of our force data flow. American ground forces create their depth through a rifleman with a radio, connecting the relatively small, tactically engaged force to a deep formation of long-range artillery, exotic munitions, drones, and planes. Every radio call for fire, sensor reading, full-motion video feed, or individual’s keystrokes has to arrive at the point of need before it can be helpful. Typically, this information travels significant distances regardless of the medium: radios, satellites, fiber optic cable, or other, less common methods. If an adversary focused on the flow of the data and targeted it in an attempt to change the depth of our flanks, we would be caught as off guard as the Spartans were 2,391 years ago. To provide a more concrete example of the risk in the “flow of data,” let’s look at how vulnerable the Military Grid Reference System (MGRS) is to attack. MGRS is used to relay pinpoint locations for ground forces around the world. Each vehicle, bomb, and Soldier knows where they are and where adjacent formations are by sharing their MGRS. If the flow of data were manipulated to alter transmitted MGRS, say by rearranging all the numbers or inserting completely different numbers, our artillery and aircraft would be negated, relief forces misdirected, and flanks unknowingly exposed.
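The digit-rearrangement risk described above, shown as an added example that is not part of the original article: a format check alone happily accepts shuffled MGRS digits, whereas a keyed message tag lets the receiver reject a report whose digits were altered in transit. The key, the coordinate and the function names (parse_mgrs, sign_report, verify_report) are constructed placeholders for illustration.

```python
import hashlib
import hmac
import re

# Constructed placeholder key standing in for a pre-shared net key; not a real value.
NET_KEY = b"example-preshared-key-not-real"

# Grid zone (e.g. 18T), 100 km square id (e.g. WL), then an even number of digits
# split equally between easting and northing.
MGRS_RE = re.compile(r"^(\d{1,2}[C-HJ-NP-X])([A-HJ-NP-Z]{2})(\d{2,10})$")


def parse_mgrs(ref: str):
    """Return (zone, square, easting, northing), or None if the string is malformed."""
    m = MGRS_RE.match(ref.replace(" ", "").upper())
    if not m:
        return None
    zone, square, digits = m.groups()
    if len(digits) % 2:
        return None
    half = len(digits) // 2
    return zone, square, digits[:half], digits[half:]


def _tag(ref: str, key: bytes) -> str:
    # HMAC-SHA256 over the reference; truncated to 16 hex chars only for readability.
    return hmac.new(key, ref.encode(), hashlib.sha256).hexdigest()[:16]


def sign_report(ref: str, key: bytes = NET_KEY) -> str:
    """Append a keyed tag so the receiver can detect altered digits."""
    return f"{ref}|{_tag(ref, key)}"


def verify_report(msg: str, key: bytes = NET_KEY):
    """Return the parsed grid if the tag matches; None if tampered or malformed."""
    ref, sep, tag = msg.rpartition("|")
    if not sep:
        return None
    if not hmac.compare_digest(tag, _tag(ref, key)):
        return None
    return parse_mgrs(ref)
```

A shuffled reference such as 18TWL9356127538 parses as a perfectly valid location, which is why only an authenticated report can tell the receiver the numbers are not the ones the sender keyed in.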
In August 1914, in what we would know today as Poland, the 2nd Russian Imperial and the 8th German Imperial armies met near Tannenberg, East Prussia. While the German army was outnumbered and outgunned, it had several key advantages in transportation, leadership, and technology. However, one technology that both nations shared was the radio. This technology had been around for less than twenty years, which meant the combatants of the First World War were going to be testing the technology in large-scale combat together. While both countries fielded this new radio set, one did it better. The Russian radio operators could transmit their messages over great distances, but they did not understand how to use their equipment securely. This oversight led to those messages being broadcast in the clear, with the only security being the Russian language and military acronyms. This protection proved to be insufficient when the messages were received and deciphered by elements of the 8th German Army. The almost complete destruction of the 2nd Army, followed by another loss suffered by the 1st Army, set the tone for the rest of the war when Imperial Russian forces met Imperial German forces on the front. Securely messaging from one end user to another is paramount to military operations that now span whole theaters or the globe.
Secure communication, enabled by cryptography, is something we all tend to take for granted. Most assume that the use of asymmetric Public Key Infrastructure (PKI) in association with our Common Access Cards (CAC) and Virtual Private Networks (VPN), or other symmetric keys, ensures end-to-end encryption and guarantees a secure means of communicating. And yes, if properly configured and implemented, these technologies can lead to secure means of sending data across the ether; however, the users, the administrators, and random chance challenge these security measures every day. The assumption of secure communications is also challenged daily by threats using more direct brute-force methods to break into the secure channel. Finally, the security of the end device is just as important. All the technology used to establish secure links can be defeated if the laptop, phone, or radio being used on either side of the communication has been compromised and a side channel has been established to rebroadcast the message to others.
Another relevant public example was heat mapping from Strava, which gained notoriety recently when researchers discovered the outlines of multiple US military installations around the world had been shared publicly. Every Strava user who made their daily run around the perimeter of the installation unwittingly contributed to precisely and publicly sharing the location, size, and shape of the installation on which they were confined. The heat mapping service had been available for years, and it was articulated in the End User License Agreement and privacy settings of the company: the portion every user quickly clicks past in order to access the app.
On 18 October, 1941, the Nazi ambassador to the Empire of Japan, Eugen Ott, was alerted that his close confidant, Richard Sorge, had been arrested for espionage. Sorge, a German newspaperman, was a frequent visitor to the Nazi embassy and helped draft the ambassador’s reports to Berlin. The embassy assumed the trusted newsman had been swept up in a wave of anti-German sentiment then prevalent in Japan. Much to the ambassador’s mortification, it was eventually proved that Sorge was one of the most prolific spies that the Soviet Union had ever fielded, and it was he who had likely saved the Soviets by confirming there was no attack pending from the Empire of Japan. This freed the forces in the Far East to pivot to the German threat. Spies have existed as long as people have kept secrets, so what makes Sorge an excellent example? He serves as an example of the threat of cloud collaboration services.
Digital clouds have become an ever-prevalent fixture in modern society. Their flexibility and ease of access make them fantastic solutions for a mobile, active user base that utilizes multiple end-user devices in various locations, and they allow those users to share effortlessly. Ultimately, cloud solutions are an elegant way to sell a scenario where users save their data onto someone else’s machines; this machine exists without the user having any idea of its physical location, how it is secured, or who has access to the data. Many cloud service providers struggle with securing data at rest, and all of them are subject to data-in-transit dangers. In effect, the embassy should be viewed as the physical machine that exists somewhere in the center of the cloud. This machine is diligently storing data, just like the desks and offices of the German embassy, and ultimately, it can provide a clearing house for agents to peruse at their leisure. All Sorge had to do was gain access to the embassy, and all the information and thoughts of the Third Reich became available to the Soviet Union. Like the German embassy’s secure rooms being open to Sorge, and the ambassador’s reports being drafted in part by Sorge, cloud computing can be easily leveraged against the warfighter with few or no obvious indicators.
What stands at the heart of Cyber Warfare? The ability to damage either the warfighter directly or the continuously-growing, electronically-enabled links that allow the warfighter to function. It takes only a small leap of abstraction to recognize the truth and the danger posed in that statement. Every day there are new apps, new wearable devices, and new uses for data that increase convenience, effectiveness, and lethality, but with each advance comes new risks. These advances require a binding of individuals and systems closer together to realize these increases in efficiency, but the more the network spreads and the more sensors and actuators are networked together, the smaller the world becomes.
Hackers are derisively viewed as living in their parents’ basements. But with one connection to the network of networks, they are in our pockets, tanks, and squad radios. They are altering the data flow to dump every munition request from theater into the recycle bin. They are taking over your phone(s) and smart watches in order to see the screen the same way you do, eliminating the effects of a VPN, or simply to use the built-in microphones and cameras to literally make you their accomplice. They are reading and aggregating the knowledge scattered across clouds that our forces use without extensive technical reviews. In short, one individual’s compromised device or incorrectly saved document can flank our entire force or broadcast our commands in the clear. This is the heart of Cyber Warfare and something I hope is more relatable for everyone in uniform.
Cyber is not a strategic fight, cyber is not someone else’s job, cyber is not stuck at the national level or with some ‘brain’ in a closet. Cyber warfare spans any piece of technology that can listen, see, remember, or connect. Some basic actions to combat this elusive and pervasive threat at the company level and below are provided here:
Mobile Devices: This includes cell phones, smart watches, some fitness devices, and numerous other small devices that are significantly helpful in civilian life. Here’s the reality: if it can hear you, see you, or connect to something else that can, it is a potential enemy collection device. To mitigate this pervasive threat, actively enforce strict bans on these devices in secure areas or around any operations plans. And no, keeping your phone on airplane mode won’t cut it – they need to be kept out of the secure area entirely. This action drastically reduces the risk posed by the devices we all like to use in our civilian lives. And it works even if your device has been compromised; there is nothing for an enemy to collect if you don’t provide the opportunity.
Digital Footprint: Uncomfortable as it may seem, Facebook, Strava, Google, etc. all track you. They build a profile of your physical movement (through GPS, geo-tagged photos, and by localizing the IP address used by your device) when you use their services. They can also track what webpages you look at and what you search for. In short, your devices and internet behavior are always capable of being observed. Actively encourage people to understand this truth so they can be mindful of what operational actions they give away for free. If an old adage was ‘Loose Lips Sink Ships’, the modern equivalent is ‘Wireless devices call in fire’. If you are a Google user (browser, mail, drive, maps, etc.), Google will attempt to build a profile around you, one you can review in your profile. Take a look at what you’ve been sharing with Google, and try to view it from an outside perspective: what could a complete stranger decipher about your life just based on your search history? If it makes you uncomfortable, consider using services which make your privacy a priority, such as the search provider DuckDuckGo or the Tor browser.
Education: For the most part, no single one of our devices or profiles will call in the fire. However, without understanding that all of our devices are easily collected against in order to build a composite picture, individuals are tempted to think that their digital misstep won’t cause disaster. While AFN ads come across as cliché, they are correct in that the strength of our digital security is diminished by any single weak point. Every member needs to be made aware of the risks that they cause for everyone. Every member must learn that their devices can cause actual mission failure for their own unit or adjacent elements. Finally, technical solutions shouldn’t be the only answer in a platoon or company kitbag: paper maps, magnetic compasses, pen and ink, and pre-shared brevity codes are tried and true techniques that can mitigate the risks posed by susceptible digital maps and cryptography.