by Lewis
Dec 15, 2015
Eight years ago, deep within the area now controlled by the self-proclaimed ISIS/Daesh caliphate, a secret nuclear reactor was under construction by the Syrian, North Korean, and Iranian governments. Its purpose was the production of plutonium for use in nuclear weapons.
On September 6, 2007 a strike force of Israeli aircraft entered Syrian airspace. The Israeli aviators’ mission was to destroy the reactor.
The Syrian nuclear reactor, before and after the Israeli strike in 2007. At that time the Syrian air defence system, which had been supplied largely by Russia, was considered to be one of the toughest in the world outside the major military powers. It had scores of radars and many hundreds of heavy surface-to-air missiles, some of them capable of bringing down aircraft no matter how high or fast they might be flying. Syria also possessed fighter jets, including the advanced Mig-29. All this equipment was tied together by a sophisticated computer and communications network.
Shortly after the Israeli strike force crossed the border, the entire Syrian air defence radar network reportedly “went off the air” (paywalled). The attacking planes flew unmolested to their target and back out again, leaving the reactor site wrecked behind them. No weapons were fired at them; no Syrian fighters were scrambled.
The 60,000 troops of the Syrian air defence command, with all of their expensive technology, had been neutralised as effectively as if they had been wiped out by conventional bombing. To date, this was probably the most devastating military cyber strike the world has ever seen.
Nobody except the Israeli organisations involved—and perhaps the Syrian regime and its Russian advisers—can be sure exactly how this was done. The hints we have as to the methods employed come mostly from unattributable US sources involved in American military cyber capabilities. Whispers regarding so-called “Suter” technologies, deployed by the shadowy US Air Force electronic warfare group long known as “Big Safari,” have quietly circulated since the Israeli raid.
An EC-130H Compass Call flies a training mission over Lake Mead, Arizona.
How do you hack an air-gapped network? From the air.
It has been plausibly suggested that American specialists can effectively hack into an air defence radar system without requiring a normal network connection to its computers at all. Instead this is done by beaming tailored signals at the radar receiving antennae themselves, reportedly from an EC-130 Compass Call electronic warfare aircraft which cooperates with an RC-135 Rivet Joint spyplane via a specialist data link to achieve its task. Both planes would normally be lurking out of range of the defences, at least to begin with. The targeted signals from the Suter system are processed by the defence radars in such a fashion as to cause their hardware to behave in ways that the Big Safari electronic warfare operators want. For instance, certain pieces of sky can be blanked out so that aircraft in those areas become invisible, or alternatively many phantom aircraft can be made to appear.
The Big Safari airmen can also, it is murmured, see the same picture that the opposing radar operators on the ground do, to find out if their hacking is working. Indeed, it would seem that this ability to see the output of the system being worked upon would perhaps be one of the main keys allowing it to be manipulated successfully.
It’s also apparently possible to gain access to the data links between the hacked ground radar and other pieces of equipment on the air defence network, and to manipulate those as well. The data links are vital for most long range surface-to-air missile systems to function, as the search radar which finds an intruding aircraft in the first place must then pass its information to a fire-control radar (usually co-located with a missile battery) which actually guides a surface-to-air missile to its target.
This is necessary partly to keep the locations of at least some missile batteries secret until they are ready to shoot—a radar which is switched on acts as a massive radio beacon to the enemy—and partly because the search radar by its nature doesn’t obtain very precise information on the target, in particular on its height. The precision fire-control radar for its part has only a narrow view of part of the sky and could never find the target on its own.
Sometimes the chain of handoffs is even more complicated, involving several different radars handing over a target from one to another before a missile can be launched.
In the case of distributed air defence setups like Syria’s, all these various subsystems will be far apart and in many cases linked to one another by omnidirectional wireless radio hookups, creating further opportunities for skilled and capable hackers in the area. The use of wireless communications is seldom avoided completely even in long-established permanent defences, as many parts of the system need to be vehicle-mounted and mobile in order to create uncertainty on the part of an attacker as to where they are. Also, a common tactic for the attackers is to cut hard links and force defenders to use wireless backups.
Enlarge / The UK's first Rivet Joint surveillance aircraft is pictured landing at RAF Waddington in November 2013. Nobody’s saying so officially, but it’s generally thought that Israel has acquired or developed its own capabilities similar to Suter and deployed them aboard specially modified Gulfstream business jets. Britain, for its part, is acquiring Rivet Joints from America to replace its retired Nimrod R1 spyplanes—and meanwhile, at least some of the capabilities of the Suter programme have reportedly been installed on US unmanned aircraft as well as Compass Calls and Rivet Joints.
Zero cool
Cyber strikes may also involve more conventional hacking. The Israeli raid against the Syrian reactor—dubbed Operation Bustan (“Orchard”)—may have involved some intrusion via orthodox computer-to-computer networks, and indeed it’s always possible that such methods were the only ones used. Some would even contend that the Israelis were merely lucky and the Syrians incapable, and nothing unusual at all took place.
Various other theories have been put forward, too. For instance, that the Israelis were able to make use of secret backdoors or remote controls hidden in the Russian air defence equipment, ones unknown to its Syrian operators. Such backdoors are believed in some circles to be commonly installed in all advanced military equipment sold for export, whether of Russian or Western origin. It’s at least possible that the famously capable and active intelligence services of Israel might gain access to such secrets, and save them up for special occasions such as Operation Orchard.
Enlarge / The Russian "Buk" air defence system. The vehicle on the left is the "command vehicle," which helps target the missiles. Even further down that particular rabbit hole, it’s interesting to note that since the end of the Cold War a lot of Russian military hardware has made use of components bought from manufacturers around the world. At least one make of Russian missile seeker uses Texas Instruments chips, raising the possibility that some Russian export hardware may conceivably have a US backdoor, as well as Russian ones. Those who would dismiss such thinking as exaggeratedly paranoid should note that America openly admits to being worried about foreign-made chips in its own weapons.
In the end it doesn’t matter exactly how the Israelis pulled off Operation Orchard. The significant thing is that it was achieved: ordinary, non-stealth planes were able to fly in and out of one of the better-resourced hostile air defence systems in the world without that system managing to fire a shot.
Welcoming our new robot overlords
Cyber strikes, then, do appear to have real military applications. “Cyber," or more accurately information and technological warfare, has long been hailed as the fifth domain of war alongside land, sea, air, and space—and now it would certainly seem that there's actually some truth to this.
The other thing that everyone’s talking about in military tech terms these days is drones. The military hate the term “drone” almost as much as some IT types hate the term “cyber,” but in both cases it would seem to be a matter of lumping it: both terms are clearly both here to stay.
Enlarge / One of the RAF's Reaper drones. Use of the term “drone” these days usually refers to an aircraft such as the well-known Reaper—formerly known as the Predator—in service with both the US and UK. The Reaper is a relatively inexpensive unmanned aeroplane powered by a turboprop engine. It can fly high enough to be safe from all but the most powerful ground-based missiles, but it is usually cold meat if such powerful missiles—or worse still, enemy fighters—are on hand. It is useful both as a surveillance platform and for airstrikes, being well able to carry heavy smartbombs as well as the more surgical Hellfire missile. An alternative to the Reaper, if there is deemed to be a threat from powerful missiles or fighters, is the Tomahawk. Like the Reaper it is ostensibly an unmanned winged aeroplane. Unlike a Reaper, however, it is launched by booster rocket from a tube—usually mounted on a warship or a submarine at sea—and then flies to its target up to a thousand miles away, by way of its own little jet engine. The Tomahawk is a good bit faster than a Reaper and can fly at high subsonic speed and low altitude, making it very difficult to detect and shoot down unless one is up against top-ranked opposition with airborne radar. And of course a Tomahawk has no option to return and be reused like a Reaper.
Enlarge / A Tomahawk missile, launched from the submarine USS Florida. Tomahawks, unlike Reapers, are typically beyond the control of their operators for much or all of their mission: they are, in fact, “autonomous weapons” or “AI war robots” which decide for themselves whether there is a legitimate target for them to attack once they reach their destination. This is done based on a digital image acquired by the Tomahawk once it arrives: it doesn’t (usually) just crash on a set of GPS coordinates. Upgrades are under way to let Tomahawks discriminate between legitimate and non-legitimate targets even if they are moving, rather than fixed.
The appearance of such weapons is much dreaded in some quarters. Not many people realise that they are already here, or that Tomahawks are really specialised one-shot drones. This is probably because the Tomahawk has been in service since the 1980s and is generally called a "cruise missile" rather than "one-shot drone." Nonetheless, the Tomahawk is merely a variation on the Reaper theme—or, more accurately, vice versa.
It seems pretty clear that the actual bombing part of Operation Orchard could just as easily have been carried out using Tomahawks or maybe Reapers. The Israelis don’t have Tomahawks or Reapers, of course, but the US and UK do—and, furthermore, it’s also known that the Suter radar-hacking technologies have been fitted to US unmanned aircraft.
If the US or perhaps the UK had been carrying out Operation Orchard, it would seem very possible that it might have been an entirely cyber and robotic mission, with no military personnel entering Syrian airspace at all.
War by Tomahawk
The US and UK didn’t carry out Operation Orchard—but four years later in 2011, in cooperation with various allies, they did mount an air campaign above Libya. The British part of this was called Operation Ellamy. Libya, like Syria, had a Russian-supplied air defence network. The plan was to clear this out of the way so as to allow coalition air power to eliminate Colonel Gadaffi’s tanks and other heavy weapons, giving the rebels on the ground a fighting chance. The Libyan air defence system was effectively wiped off the map in a matter of days—and it was indeed an almost entirely cyber and robotic mission.
The campaign opened with a lengthy cyber/electronic phase in which an aerial armada of US and allied spyplanes and electronic-warfare platforms—certainly including Rivet Joints and Compass Calls, among others—got the measure of the Libyan defences and prepared the ground.
The actual destruction itself commenced on March 19, involving the use of between 200 and 300 precision strikes. Almost all of these were delivered by Tomahawks launched from US and British ships and submarines off the Libyan coast. Both the RAF and USAF did manage to deliver a few weapons from manned strike aeroplanes which entered Libyan airspace, though this was largely a gratuitous act of military superiority.
Enlarge / Two RAF Tornados, pictured over the Mediterranean Sea enroute to Libya as part of the UK's Operation Ellamy. Following the missile barrage, the Libyan air force and air defence system were described as having been “neutralised.” (As an interesting aside, the Ministry of Defence’s press release originally used the rather off-colour term “neutered” in the URL, but it has since been altered.)
“We can operate in [Libyan] airspace with impunity,” stated the British air commander, Air Vice Marshal Greg Bagwell, four days after the first Tomahawks went in. Subsequent airstrike operations against Libyan ground forces could be, and often were, conducted by drones as well as manned jets. In some cases, the despised drones were even able to take out the remaining air defence missile systems.
Towards total electronic warfare
So the Libyan air defences had been defeated: the skies above Libya were no longer “contested” in air warfare jargon. While some manned jets were used, there is no doubt that the same results could've been achieved by fully electronic/robotic means, if the various air commanders had decided to go that route.
For everyday work against enemies who have no air weapons beyond shoulder-fired missiles, like the Taliban or ISIS/Daesh, there are even fewer reasons to risk sending in manned aircraft.
Further Reading
Stuxnet was never meant to propagate in the wild. Supersonic, Stealthy Joint Strike Fighters—or indeed non-stealthy jet fighters like the RAF’s current Tornadoes and Eurofighter Typhoons—are certainly not as good as Reapers for operations above Afghanistan or the caliphate zone. Fighters can’t stay up as long as Reapers, nor fly as far, and they don’t offer significantly more punch. That’s not even to mention the risk of death, and associated jihadi propaganda coup, in the event of a mishap.
As we’ve seen, even when fighting openly against well-equipped enemies like the air forces of Libya and Syria, cyber weaponry is more important than supersonic speed or stealth airframes. When fighting secret wars in places like the deeply buried and hardened uranium-enrichment bunkers of the Iranian nuclear weapons programme, cyber weapons like the famous Stuxnet may be the only ones that can reach the target.
When we’ve decided it genuinely is time to blow something up, a Tomahawk, Reaper, or something similarly autonomous is nearly always going to be more usable—and far cheaper—than a supersonic manned jet, whether it has stealth or not. A Tomahawk or a Reaper will also most likely be cheaper and easier to use than a battery of artillery, or a tank, or a conventional surface warship for that matter.
Enlarge / Two drone pilots at the RAF's new ground control station in Waddington, England.
“Cyber” and “drones” really are the modern and effective ways to make war. It’s not so much that boots on the ground are obsolete, it’s just that most of our military boots today are never “on the ground”: they’re in tanks or self-propelled guns or jet fighters or frigates, or walking about inside the massive bases and support facilities that these things require. And yes, some of these latter boots and their associated kit are indeed obsolete.
Our need for cyber strike capability isn’t just hype created by those who would like to sell cyber weapons to us. Or to put it another way, it’s certainly no more hyped than than the need for stealth fighters or frigates. If Britain is serious about being able to fight wars either secretly or openly in future, it must indeed have the ability to mount cyber attacks. And when Britain wants to use actual force, we should make sure that we have the unmanned systems—the drones—that can get the job done with the least amount of cost and risk.
All this would mean that a lot more of our boots could actually be out on the ground, too, if we wanted that.
UK government: "Don’t worry, we've got this."
Governments are generally rather unwilling to admit that they even want to be able to carry out cyber strikes: but not the UK government. Back in 2013 the coalition government’s defence secretary, Philip Hammond, brazenly stated:
“Cyber is the new frontier of defence. For years, we have been building a defensive capability to protect ourselves against these cyber attacks. That is no longer enough.
You deter people by having an offensive capability. We will build in Britain a cyber strike capability so we can strike back in cyberspace against enemies who attack us, putting cyber alongside land, sea, air and space as a mainstream military activity. Our commanders can use cyber weapons alongside conventional weapons in future conflicts."
Since then a thing called the Joint Forces Cyber Group has appeared within the Ministry of Defence, and—perhaps in acknowledgement of the fact that the armed forces culture doesn’t overlap a lot with hacker or IT security culture—the Cyber Group is looking to recruit part-time reservists with suitable skills.
So far, though, the Joint Forces Cyber Group seems like little more than a rebranding of the previous Defence Cyber Operations Group, and the new Joint Cyber Unit (Reserves) looks set to work in much the same way as previous initiatives such as the Land Information Assurance Group, a reservist IT security unit which actually dates all the way back to 1999.
Enlarge / How could we possibly publish a story about hacking without including a photo of GCHQ in Cheltenham?
The units of the new Cyber Group still reside at the same locations as before, too: one is among the sprawling defence sites around Corsham in the Cotswolds, a place famous for its various underground bunker complexes. (Confusingly and/or intriguingly the “Corsham Computer Centre” also located there—it has its own postcode which points exactly to an obvious underground bunker entrance with adjacent, active car park—actually operates in support of Britain’s nuclear weapons rather than its cyber ones.) The other UK cyber tentacle, understandably, is based alongside Britain’s electronic spy service GCHQ at Cheltenham.
The new Conservative government, however, has just laid out its plans for the British armed forces and spy services in its five-yearly strategic defence and security review. Chancellor Osborne visited GCHQ Cheltenham this summer, in fact, to deliver some tough talk on British cyber attack capability:
“The threats to our country in cyber space come from a range of places – from individual hackers, criminal gangs, terrorist groups and hostile powers.
To all of them I have a clear message.
We will defend ourselves. But we will also take the fight to you too.
We are increasingly confident in our ability to determine from where attacks come.
We are stepping up not just the means of defence, but also the means to ensure that attacks on Britain are not cost-free.
To those who believe that cyber attack can be done with impunity I say this: that impunity no longer exists.”
One might take Osborne’s comments to mean that British national cyber strike capability is already up and running, and indeed perhaps already being used against hackers, crooks, and terrorists—even if not against hostile nation states.
The actual security and defence review document, however, said something slightly different: “We will provide the Armed Forces with advanced offensive cyber capabilities, drawing on the National Offensive Cyber Programme which is run in partnership between the MoD and GCHQ.”
Later in the Review there's another note that may be relevant to UK cyber strikes against targets other than hostile nations, too: “We will disrupt the activities of cyber criminals overseas through prosecution and other means.” (Emphasis added.)
Talk is cheap—but nobody’s talking
As we all know, when it comes to politics and posturing, it's easy to talk the talk. The best indication of a government actually being willing to walk the walk is money, and so far the Prime Minister and Chancellor haven't been willing to back up their hard words with hard cash.
Enlarge / The UK's Chancellor and Prime Minister, George Osborne and David Cameron. So far they have allocated £1.9 billion of new spending on cyber matters in general, much of which will be spent on defence rather than attack. And this, one should remember, is over five years—so spending per annum on new cyber power whether defensive or offensive will be just £380 million. When you compare this to the defence review commitment to spend £178 billion on conventional defence equipment like jets, tanks, and warships, and you realise that the normal MoD budget is about £38 billion every year, the new cyber spend is peanuts.
There’s not much going on with “drones” either. Britain is not increasing its stock of Tomahawks, and it will remain the case that our Tomahawks can only be fired from our handful of submarines, not from our more numerous surface warships as the Americans can. Our Reaper fleet is to double in size... to 20. It will remain very small compared to the RAF’s inventory of jet fighters, which in most cases are much less useful.
When you only have a small capability to start with, though, even a small increase in resources can make a big difference. There will be more drones in action above ISIS/Daesh, and now in Syrian airspace as well as Iraqi. Assuming that blowing things up there actually makes matters better, drones are certainly the right way to do that.
So, does the UK have a cyber strike or not?
Ars Technica asked both the MoD and GCHQ to clarify whether the British cyber-strike capability is ready for use yet, or indeed has been used and if so against whom. Both spokespersons declined to comment.
The Right Honourable The Lord Touhig, opposition defence spokesman on defence in the House of Lords, asked pretty much the same question in Parliament following the Review’s publication:
“Can the Minister tell us if such an offensive capacity already exists or is it just at the planning stage? If that is the case, what is the timeframe before it becomes operational?”
He didn’t get an answer either.
Asking if a cyber attack capability is operational—as though it was a bomb or a missile—is a difficult question to answer, however, even if the government wanted to answer it. Britain’s cyber strike force will definitely be capable of carrying out some attacks against some targets—for instance the operators of the National Offensive Cyber Programme could probably overwrite files on the hard disk of a low-level cyber criminal overseas, if that seemed to be the best or only practical way to stop him from making fraudulent use of British credit card numbers or banking details.
Enlarge / A photo of a North Korean ballistic missile launch that partly failed shortly after launch. Maybe GCHQ and the military cyberforce can do more, or a lot more. Maybe they could make a North Korean ballistic missile (“satellite launch”) test rocket fail and crash into the Pacific. Maybe they could make Iranian-operated, Russian-built air defences go down temporarily in Operation Orchard style. It’s been reported that Iran may finally be getting the vaunted S-300 missile system at last, so that might be handy one day.
Maybe the Queen’s military/spy hacker forces can’t achieve these tasks; maybe they don’t know whether they can or not. Being able to do such things right now doesn’t mean one will still be able to do them in a week’s time after a password change, or a personnel transfer, or a crypto upgrade.
Who cybers the cyberers?
At this point, then, we don’t yet know if the UK’s cyber-strike capability is actually operational, only that it will—at some point—be used against hostile governments, terrorists, criminal gangs, and “hackers." It would certainly be nice, then, to know what rules govern the UK’s use of cyber strikes.
Who can tell the National Offensive Cyber Programme to brick someone’s devices and wipe their backups? Under what circumstances will it be OK to nobble someone’s Internet-of-Things gas meter and cause their house to explode? Who has the cyber Double-O licence to kill?
In an attempt to find out, we posed the following questions to GCHQ, the acknowledged lead authority on the National Offensive Cyber Programme:
“Assuming British cyber strike is operational, has it been used / how often is it being used? And in general against what classes of target?”
“Who can authorise a cyber strike? Against what classes of target? It is hard to believe that the Prime Minister personally will authorise every case of action against lone hackers or criminals if indeed the government is to strike such targets. Who does decide in such cases? Is there a process as with surveillance warrants?”
“Can the national cyber strike capability be used completely secretly/unattributably, or is it subject to independent or public scrutiny in any way?”
In due course we received the following answer:
“After further consideration, GCHQ does not wish to comment on the questions you have raised.”
Perhaps it’s just as well that the UK's offensive cyber capabilities have received limited funding so far.
No comments:
Post a Comment