26 October 2016

Cyber Support to Corps and Below: Digital Panacea or Pandora’s Box?

October 19, 2016

Michael Klipstein and Michael Senft

The thunder of artillery interrupts the frenzied activity in the Stryker Brigade Tactical Operations Center. Moments before, the video feed from an InstantEye® Unmanned Aerial Vehicle confirmed the presence of a Buk-M3 Target Acquisition Radar (TAR) hidden in a makeshift refugee camp. The courses of action developed during the abbreviated military decision making process to address this threat leaves the Brigade Commander troubled. A direct assault or kinetic strike will result in numerous civilian casualties, but the third option is fraught with uncertainty. The Brigade Cyber Electromagnetic Activities (CEMA) cell recommends disabling the radar using Offensive Cyber Operations (OCO). A similar scenario was exercised during pre-deployment training; however, the dynamic nature of the current operation leaves doubts if the multi-agency coordination required can be completed in the expedited timeline required.

The unrelenting tempo of combat operations at the Corps and below level in the Army creates unique challenges for the execution of (OCO). U.S Army Cyber Command’s efforts to provide cyber support to Corps and below have already generated significant successes integrating operational cyberspace capabilities at the tactical level during multiple National Training Center rotations. [1] While OCO conducted to support Corps and below operations may provide desired effects at the tactical level of war, there is potential for this OCO support to have significant negative strategic, operational and tactical ramifications. A primary concern surrounding the conduct of OCO at the tactical level focuses on how operations with potentially strategic effects can be executed in the rapid, decentralized manner required by the breakneck operational tempo (OPTEMPO) typified at the tactical level of war. There are also secondary concerns regarding the loss of capabilities and access, and always present risks of digital fratricide and OCO retaliation that must be considered.

The ephemeral nature of targets at the Corps level and below creates a new paradigm for OCO compared to traditional OCO missions, which are conducted against strategic targets and have typical mission timeframes lasting weeks, months, or even years. The rapid pace of operations at the tactical level greatly limits the extensive, in-depth planning characteristic of traditional OCO against strategic targets. Strategic targets typically require long lead times to identify vulnerabilities, develop capabilities to exploit these vulnerabilities and execute missions against these targets. The lengthy duration of strategic operations allows extensive testing and verification of these payloads to minimize potential for collateral damage. In contrast, targets at the Corps and below level are typically opportunistic or time sensitive, greatly accelerating the cyber kill chain; reconnaissance, weaponization, delivery, exploitation, installation, command and control and actions on objective. [2]

JP 3-12 (R) Cyberspace Operations defines OCO as “cyber operations intended to project power by the application of force in and through cyberspace.” From a technical perspective OCO are “actions that provide instructions not intended by the operator to a processor." [3] The tailorable lethality and potential reversibility of OCO make the use of such capabilities highly desirable from a mission command perspective, given that most other alternatives to achieve similar effects are kinetic in nature. However, in contrast with traditional kinetic and non-kinetic capabilities, the use of OCO capabilities to support tactical operations carries a significantly greater risk of negative strategic ramifications. These unintended consequences can include the loss of the capability, loss of adversary network access in other geographic combatant commands, risk of digital fratricide, and risk of adversary retaliation. An additional concern is the lack of experience by tactical commanders and their staffs in the execution of OCO in support of Corps and below operations, which could also lead to unanticipated and unintended consequences.

OCO capabilities are the combination of software, hardware and other access tools required to successfully execute each step in the cyber kill chain, ultimately culminating with achieving desired effects on a targeted system. While detailed discussion about OCO capabilities is outside the scope of this article, with each OCO mission executed, there is a risk that the OCO capability used during each stage of the cyber kill chain is discovered, deciphered and used in retaliation. [4] Much like the use of kinetic capabilities, which leave identifiable fingerprints indicating the capability used, the use of OCO capabilities creates a digital bread-crumb trail that astute adversaries can use to create unique digital fingerprints, or signatures, to detect similar OCO activity occurring elsewhere in the world.

Once signatures are created by an adversary to detect and identify OCO activity, it is a matter of time before the payload creating the actions on the objective is deciphered, the command and control infrastructure is identified, the vulnerability enabling the weaponization becomes known, the delivery and exploitation is discovered, and potentially the reconnaissance methodology is uncovered. A number of commercial cyber security companies have used digital bread-crumbs to great effect to detect targets and command and control infrastructure of prior OCO activity. One such company, Mandiant, tracked a sophisticated cyber threat actor named Advanced Persistent Threat 1 (APT1) linked to the Chinese People’s Liberation Army Unit 61398. [5] In the Mandiant APT1 report, Mandiant identified APT1 victims, detailed the network domains and servers used by APT1 for command and control, and provided indicators of compromise to detect their activity across the globe. Presumably, both nation-states and commercial cybersecurity companies have the capability to conduct similar analysis on OCO missions supporting Corps and below operations, potentially resulting in the compromise of one or more capabilities utilized in the cyber kill chain.

This type of in-depth analysis enables an adversary to inhibit access to targeted systems and networks by securing potential attack vectors. Fundamentally, there are only three attack vectors against computing systems: close access, remote access and wireless access. Close access involves manipulation of targeted systems by manually entering commands on the system or delivering a desired payload via physical media (typically CD/DVD or USB drive). Remote access involves accessing the targeted system via network connections from the system to the wider Internet. Remote access covers a wide range of attack vector vulnerabilities including spearfishing, exploiting unpatched software and unauthorized use of valid credentials through password theft or brute-force password attacks. Wireless access involves accessing the targeted system via vulnerabilities in wireless connections such as Wi-Fi, Bluetooth or cellular network. Each capability compromised generally compromises the attack vector used, as highlighted in the Mandiant APT1 report. Targeted systems have a limited number of vulnerabilities within each attack vector which would allow a desired payload to be delivered undetected. 

Additionally, OCO capabilities rely upon flaws within the software code or unique circumstances that force software to perform in an unintended manner. Consider the Linux operating system flaw disclosed in 2015, which allowed system authentication to be bypassed by pressing the backspace key repeatedly. [6] Each capability compromised leads to a decreased attack space in which to leverage software flaws. The reduction in both target system access and attack space in the event of a compromised capability is a significant concern, worthy of strategic level cost/benefit analysis. However, the rapid, decentralized execution of OCO in support of Corps and below missions precludes lengthy scrutiny. 

Capabilities that are used for OCO also provide adversaries an opportunity to reverse engineer both the attack and the tool used, potentially providing adversaries with new cyber weapons. These cyber weapons may be turned back on the United States critical infrastructure, which is outside of the purview of the DoD. Consider the example of criminal elements using techniques garnered from the analysis of Stuxnet. [7] In this example, criminals demonstrated both the capability and willingness to use faked or stolen certificates from legitimate networks to execute an attack by bypassing authentication controls. 

The risk of an adversary retaliating using their own OCO capabilities, or those identified from U.S. operations, is another significant risk. Regardless of accurate attribution of OCO missions, the use of OCO capabilities to support Corps and below operations during training exercises provides adversaries with plausible cover to conduct OCO against United States military, government or commercial targets. Given the challenges of accurate attribution, this plausible cover opens a Pandora’s Box of retaliation by both adversaries actively engaged in the conflict involving Corps and below units and adversaries capable of obfuscating attribution for their operations. The unrelenting pace of Corps and below operations is glacial compared with the speed of cyber. Cyber support to Corps and below has the potential to be overwhelmed by adversary OCO actions against strategic targets within the United States.

With the rapid planning cycle required by the OPTEMPO of Corps and below operations, the risk of digital fratricide is significant, especially given the highly compartmented nature of sensitive cyber operations. In 2008, Joint Task Force – Global Network Operations conducted OCO against an Al-Qaeda website responsible for inciting violence in Iraq. [8] The operation successfully destroyed data on webservers hosting content for the website in three countries, but the website in question was, in fact, a joint CIA and Saudi Intelligence Service website used to lure and monitor terrorist activities and movements. [9] While coordination between U.S. government agencies conducting OCO has improved significantly since 2008, the rapid planning cycle required, combined with the lack of unity of command for U.S. cyber operations, presents substantial challenges in preventing digital fratricide during cyber support to Corps and below operations. Traditional tools to prevent fratricide including distinct operational boundaries, fire support coordination measures, vehicle and equipment markings, and detailed situational awareness simply don’t exist in cyberspace.

With the potential decentralization of authority to conduct OCO below the national-level, commanders enter a realm where they and their staffs are inexperienced and lack sufficient expertise to fully assess the risks associated with OCO. This situation is complicated by both nation-state and non-state actors conducting full spectrum cyber operations against military, government and commercial targets. [10][11] Current military doctrine describes the requirements for commanders and their representative staffs to be proficient in the art of command. This proficiency, which is in short supply across the Department of Defense, is the product of years of education, self-development, and operational and training experiences. [12][13] These commanders and their respective staffs need to understand the hurdles ahead of them to make timely and appropriate decisions. [14][15] Today, military organizations below the national and even combatant command-level lack the personnel with the experience, education, and expertise to advise a commander in the possibilities, risks, and costs of OCO. Cognitive understandings that work in day-to-day life are inadequate for making risk assessments and decisions in new and unfamiliar operations. Additionally, the current risk assessment methodologies are qualitative, ambiguous in nature, and therefore, inadequate for informing decision makers. These risks are magnified by the lack of Cyber officers within Corps and below units.

In People, Preparation, Process: The Three P’s to Integrate Cyber at the Tactical Level, MAJ Charlie Lewis, Chief of the Cyber Leader College at Fort Gordon, identifies the need to “place expert and experienced cyber operators into tactical units”. [16] In Fiscal Year 2017 there are no authorizations for Cyber Branch (17A) officers in Modification Table of Organizational Equipment (MTOE) units, although Electronic Warfare Officers (Functional Area 29) are being used as Cyber Planners. [17] MTOE units are typically the go-to-war units of the Army such as Brigade Combat Teams, Divisions and Corps. Even with the pending transition of Electronic Warfare officers into the Cyber Branch, less than 25% of the total Cyber officer authorizations are located in MTOE units. This is in sharp contrast with Space Operations (Functional Area 40), which has over 50% of its officers assigned to MTOE units. [18] The Space Operations Functional Area is analogous to the Cyber Branch as it is responsible for support to Army operations within a warfighting domain with its mission to leverage space-related assets that deliver space capabilities to the Warfighter and develop and integrate space capabilities. The lack of Cyber Branch officer positions within MTOE units creates knowledge gaps concerning Corps and below operations and capabilities. When Cyber Branch officers from external organizations augment the staff of MTOE units, which often occurs on short notice, the newly assigned officers may lack a full grasp of the tactical environment.

There are several initiatives the U.S. Army should undertake to address many of the issues outlined. These efforts should focus on augmenting professional education, positively enhancing operational training, refining current OCO policies and doctrine, and engaging in frank discourse on the role of OCO supporting Corps and below operations. Augmenting professional education should include sponsoring OCO support courses for Officers, Warrant Officers and Senior Non-Commissioned Officers in Corps and below units, adding CEMA instruction across professional military education (PME) at all ranks, adding OCO support instruction to the Maneuver Captain’s Career Course and adding, an OCO support briefing to the Maneuver, Fire and Effects (MFE) Battalion and Brigade Pre-Command Courses (PCC). Enhancing operational training should focus on developing additional full-immersion training sites similar to Muscatatuck Urban Training Center that replicate contemporary operating environments with complex cyber terrain linked with real-world infrastructure and enhancing the current National Training Center (NTC), Joint Readiness Training Center (JRTC) and Combat Maneuver Training Center (CMTC) with similar capabilities. [19] This complex, real-world linked cyber terrain is needed for Commanders and their staffs to become familiar with not only the opportunities, but also the capabilities and limitations of OCO support to Corps and below operations. Current OCO policies and doctrine needs to be refined to meet the rapid, decentralized requirements of Corps and below operations. The integration, control and de-confliction of Joint Fires provides a good starting point on developing a responsive, synchronized process for OCO support capable of rapidly coordinating across complex cross-Agency operations to deliver desired effects. Finally, frank discourse at all levels of Army leadership on the role of OCO supporting Corps and below operations is critical in forging the way ahead. Commanders require relevant, responsive, and reliable capabilities they are able to consistently utilize to deliver desired effects on the battlefield. Difficult questions must be answered regarding if OCO support to Corps and below operations are able to meet these requirements and if their prospective battlefield impact justifies the investment to develop and implement them.

OCO conducted to support Corps and below holds the potential to be a non-kinetic, digital panacea capable of temporarily disabling enemy weapon systems and critical infrastructure to minimize death and destruction on the modern battlefield. Alternatively, OCO conducted to support Corps and below could open wide a digital Pandora’s Box of unforeseen and unexpected events unleashed at the speed of cyber on ill-prepared strategic, operational and tactical environments. Given the tremendous resources devoted to developing and procuring OCO capabilities by nation-state and non-state actors, the “Guns of August” echo faintly in binary strings of zeros and ones being routed around the world.

The views and opinions expressed are those of the author and not necessarily the positions of the U.S. Army, Department of Defense, or the U.S. Government.

End Notes

[1] U.S Army Cyber Command. (2016). Integration of cyberspace capabilities into tactical units. Retrieved fromhttps://www.army.mil/article/163156/Integration_of_cyberspace_capabilities_into_tactical_units/

[2] Lockheed Martin. (2014). Cyber Kill Chain. Retrieved fromhttp://cyber.lockheedmartin.com/solutions/cyber-kill-chain

[3] Leed, M. (2013). Offensive Cyber Capabilities at the Operational Level. Retrieved from https://csis-prod.s3.amazonaws.com/s3fs-public/legacy_files/files/publication/130916_Leed_OffensiveCyberCapabilities_Web.pdf

[4] Lockheed Martin. (2014). Cyber Kill Chain. Retrieved fromhttp://cyber.lockheedmartin.com/solutions/cyber-kill-chain

[5] Mandiant. (2013). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved fromhttps://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

[6] Adhikari, R. (2015). Backspace Flaw Enables Linux Zero-Day Attack. LinuxInsider. Retreived fromhttp://www.linuxinsider.com/story/82915.html

[7] Simonite, T. (2012). Stuxnet Tricks Copied by Computer Criminals. MIT Technology Review. https://www.technologyreview.com/s/429173/stuxnet-tricks-copied-by-computer-criminals/

[8] Jarmon, J. A. (2014). The new era in U.S. national security: An introduction to emerging threats and challenges. Rowman & Littlefield.

[9] Ibid.

[10]Duggan, P. (2015). Strategic Development of Special Warfare in Cyberspace. U.S. Army War College, Pennsylvannia.

[11] Flemming, P. & Stohl M., (2000). Myths and Realities of Cyberterrorism. Perdue University, Indiana.

[12] Department of Defense. (2011). Department of Defense Strategy for Operating in Cyberspace.Retrieved from http://csrc.nist.gov/groups/SMA/ispab/documents/DOD-Strategy-for-Operating-in-Cyberspace.pdf

[13] Department of Defense. (2012). Joint Publication 2-01 - Joint and National Intelligence Support to Military Operations. Retrieved from http://dtic.mil/doctrine/new_pubs/jp2_01.pdf

[14] Eisenhardt, K. (1989). Making Fast Strategic Decisions In High-Velocity Environments. Academy of Management Journal, 32(3)

[15] Fox, C. & Tversky, A. (1995). Ambiguity Aversion and Comparative Ignorance. The Quarterly Journal of Economics, 110(3)

[16] Lewis, C. (2016). People, Preparation, Process: The Three P’s to Integrate Cyber at the Tactical Level.Cyber Defense Review. Retrieved fromhttp://www.cyberdefensereview.org/2016/01/19/people-preparation-process/

[17] Force Management System Web Site. (2016). FMSWeb TDA and MTOE Documents. Retrieved fromhttps://fmsweb.army.mil/

[18] Ibid.

[19] Muscatatuck Urban Training Center. (2016). MUTC Overview. Retrieved fromhttps://www.atterburymuscatatuck.in.ng.mil/Ranges/MuscatatuckUrbanTrainingCenter/MUTCOverview.aspx

Major Michael Klipstein is a Functional Area 26A Information Network Engineer. Mike has deployed to both Iraq and Afghanistan as part of a Division Cavalry and an Airborne Reconnaissance Squadron. He has also worked at USCYBERCOM, NSA, and in the Cyber National Mission Force. He holds a Master’s Degree in Telecommunications from the University of Maryland, College Park and is currently a doctoral candidate at the Naval Postgraduate School where his research is on quantifying risk for offensive cyber operations.


Major Michael Senft is a Functional Area 26A Information Network Engineer. Michael has deployed multiple times as a Network Engineer supporting Joint and Special Operations units. He holds a Master's Degree in Computer Science from the Naval Postgraduate School, a Master's Degree in Engineering Management from Washington State University, and a Bachelor's Degree in Mining Engineering from Virginia Tech.

No comments: