21 June 2017

Information Warfare: THAAD The Hack Attack Magnet


June 11, 2017: In May 2017 the United States revealed that it had sent one of its few cyber protection teams to defend the THAAD (Terminal High Altitude Area Defense) battery sent to South Korea earlier and declared operational in April. This anti-missile unit is considered a major target for hackers. Each THAAD battery consists of two or more launcher vehicles (each with eight missiles stored in the canisters they are fired from), a fire control and communications system and a TPY-2 X-Band radar (or equivalent radar or radars). THAAD missiles weigh 836 kg (1,400 pounds), are about the same size as the Patriot anti-aircraft missile, and have a range of 200 kilometers and a maximum altitude of 150 kilometers. THAAD is intended for stopping short-range (like the SCUD) or medium-range (up to 2,000 kilometers) ballistic missiles. To work properly the battery depends heavily on networks for quickly transmitting target and other data. Since China, Russia and North Korea all have excellent network hacking capabilities and have been hostile to the stationing of a THAAD battery in South Korea, it was expected that the THAAD networks would be subject to penetration and disruption attempts by foreign hackers.

Neither the THAAD nor the cyber protection teams have had any real combat experience. THAAD has been successful in tests but the army is still seeking a realistic way to test the effectiveness of the cyber protection teams. The tense situation in South Korea could be the first real test of both new systems. At the moment THAAD seems more likely to succeed, but only if the untried cyber protection teams can keep numerous and determined hackers out.

The army knows it has a major problem with cyber protection, as do the other services (air force, navy and marines). This was made clear after the U.S. Army established its first Cyber Protection Brigade in late 2014. There were plans to create two more brigades by 2016. That did not happen because the army in particular, and the military in general, could not create or recruit enough qualified personnel. There were other problems, but the key difficulty was a shortage of qualified people to staff the key units, the cyber protection teams.

The cyber protection team was created to provide quick and competent personnel for setting up and maintaining network defenses, as well as experienced personnel to investigate and deal with intrusions. The core of the brigade is its twenty cyber protection teams. Each team was to contain 39 military and civilian network security experts. To provide the military personnel the army had already created a special MOS (Military Occupational Specialty) so qualified personnel can make a career of this work. This MOS (25D, Cyber Network Defender) was open to all qualified military personnel. In 2014 the army had about 700 troops with the 25D MOS and has found it difficult to find many more, or even to hold on to the ones it had. The 25Ds are in high demand and are supplemented by qualified civilians, who are much more expensive. Since highly skilled 25Ds will always be tempted to leave the army and take better paying civilian jobs, the army will, as it does with other specialists (like Special Forces troops), offer big cash reenlistment bonuses to the 25Ds it wants to keep. That has not been working because civilian firms can offer more money and other benefits than the military.

At first the army thought recruiting, screening, training and organizing the 25Ds could be handled the way it is done for Special Forces troops. The Special Forces brigades (called groups) are smaller (1,500 troops) than regular combat brigades (over 4,000 personnel). The Cyber Protection Brigades were also small (1,100 or so personnel) and were likewise based on small teams of highly trained troops, commonly called “operators.” The army already knew that it was going to be more difficult to obtain Cyber War operators than Special Forces ones and from the beginning was prepared to hire expensive civilians willing to serve in what could sometimes be a physically dangerous situation (as in a combat zone). The army has lots of experience finding and using contractor personnel for dangerous situations, but these contractors are usually military veterans. Few qualified civilian Cyber War operators are military veterans. From the beginning the army realized that the Cyber Protection Brigade would be unique in the integration of so many civilian contractors with military personnel in its key elements (the cyber protection teams).

On the plus side, an effort to create smaller cyber protection teams for the Army National Guard (a reserve organization that answers to state governors in peacetime) was successful and appears to have (as expected) attracted higher quality personnel. That’s because many men and women with Internet security skills have served in the military, and many of them were attracted to join the National Guard after 2001, which provided a pool of potential 25Ds in the reserves. The problem with this is that you cannot send National Guard troops overseas without putting them on active duty (called “federalizing”), and the army has learned to use that sparingly because extended terms of overseas service discourage new recruits and cause existing National Guard troops to leave.

Nevertheless there is an effort to entice National Guard 25Ds to join the active army. There is also an effort to persuade civilians with the right technical skills to join the military. Additional inducements, like cash bonuses and being able to skip most of the basic military training, have been added. That has long been done with medical and other technical personnel. But that precedent was established during wartime, when conscription was in effect and a “direct commission” (as an officer) was an attractive alternative to being conscripted.

The new Cyber Protection Brigade and its cyber protection teams are part of an army effort that includes the new U.S. Cyber Command (USCYBERCOM) and the Army Cyber Command. The Department of Defense is seeking to develop both offensive and defensive teams that will benefit from Cyber Command intelligence and monitoring operations, as well as a big budget for keeping the software library stocked with effective tools (including zero day exploits, which are not cheap at all). Cyber Command also has contacts throughout the American, and international, software engineering community. This was supposed to provide crucial expertise when needed. The effectiveness of these teams will vary a great deal because one highly skilled Internet software whiz on a team can make a huge difference. The main problem is that the people with the best Cyber War skills tend to be the least interested in military service.

USCYBERCOM became operational in late 2010 and is still working on an official (approved by the government) policy stipulating how Internet based attacks can be responded to. Meanwhile there have been a lot of unofficial attacks. The 2013 cyber-teams announcement implied that attacks are now allowed, but not what kind of attack. The NSA leaks confirmed that attacks are going on. While Cyber Command has long been asking for permission to fight back, technical, legal, and political problems have delayed agreement on how that can be done. It's not for want of trying. In 2012 the U.S. Congress approved a new law that allows the Department of Defense to conduct offensive Cyber War operations in response to Cyber War attacks on the United States. That is, the U.S. military was now authorized to make war via the Internet. The new law stipulates that all the rules that apply to conventional war also apply to Cyber War. This includes the international law of armed conflict (meant to prevent war crimes and horrid behavior in general) and the U.S. War Powers Resolution (which requires a U.S. president to get permission from Congress within 90 days of entering into a war). Complying with all the fine print has so far delayed actually allowing a legal counterstrike to a Cyber War attack. The NSA doesn’t have all those restrictions because it comes out of the intelligence world, where there have always been fewer rules. While this approach to Cyber War makes sense to the NSA, the Department of Defense is frustrated at being held to conventional war standards.

Meanwhile, there were the seemingly unsolvable problems with finding qualified people to carry out such counterattacks. Headquartered at Fort Meade (outside Washington, DC), most of the manpower and capabilities for USCYBERCOM come from the Cyber War operations the services have already established. U.S. Cyber Command has some smaller organizations of its own that coordinate Cyber War activities among the services, as well as with other branches of the government and commercial organizations that are involved in network security. But most of Cyber Command's manpower actually works for the Cyber War organizations of the four services.

Of the four services the U.S. Air Force is the most experienced in Cyber War matters. Back in 2008 the air force officially scrapped its own planned Cyber Command, which was supposed to operate more like USCYBERCOM. That new air force organization was supposed to officially begin operating by the end of 2008. Instead, many of the personnel that were sent to staff the new command were sent to the new Nuclear Command. This change was made in response to growing (at the time) problems with the management of air force nuclear weapons. Despite that, the air force continued trying to establish some kind of new Cyber War operation and use it to gain overall control of all Department of Defense Cyber War activities. The other services were not keen on this. That resistance, plus the nuclear weapons problems, led to the Cyber Command operation being scaled back to the 24th Air Force. This organization handles electronic and Internet based warfare.

The U.S. Army, following the example of the air force, also established a Cyber War operation. Some 21,000 soldiers were pulled from a large variety of signal and intelligence outfits to form ARFORCYBER (Army Forces Cyber Command). It became fully operational in 2012 with its headquarters at Ft. Belvoir, Virginia.

In 2009 the U.S. Navy created an "Information Domination Corps", in the form of a new headquarters (the 10th Fleet), with over 40,000 people reassigned to staff it. While the new Cyber War command dealt mainly with intelligence and network security, it also included meteorology and oceanography. These last two items are very important for deep water navies, especially since a lot of the information about oceans, and the weather, is kept secret. The fleet calls upon the talents of 45,000 sailors and civilians. Most (44,000) of these personnel were reorganized into 10th Fleet jobs or contribute from within other organizations. A thousand new positions were created, mainly for 10th Fleet. All this gave the navy a more powerful and secure position in cyberspace. The navy does not want to repeat the mistakes of the air force in this area.

The U.S. Marine Corps established a Forces Cyberspace Command in 2010, with about 800 personnel, to help provide network security for marine units. The marines are accustomed to doing more with less.

The Americans aren’t the only ones preparing for cyber war. In 2013 Russia revealed that it was organizing a Cyber War organization within the Defense Ministry. This would be a separate branch of the army, joining more traditional branches like infantry, armor, artillery and signal (where Cyber War operations already exist in most countries). Noting what’s going on in China and the United States, the Russians have decided to catch up.

The Chinese military already has a growing number of formal Cyber War units, as well as military sponsored college level Cyber War departments and extensive course offerings. These Cyber War units, plus the volunteer organizations and Golden Shield (Internet censors and monitors) bureaucrats apparently work closely with each other and have provided China with a formidable Cyber War capability. NET Force, with only a few thousand personnel, appears to be the controlling organization for all this. With the help of RHU and Golden Shield, they can mobilize formidable attacks, as well as great defensive potential. No other nation has anything like it.
