How to Protect the Digital Achilles Heel of Military Capability

Our demographics and the moral value that we place on life as a society mean that our military must rely on technology to an ever increasing degree in order to exploit its advantages. However, the increased dependence on support from suppliers transforms the supply chain into an extended part of the networked battlespace, and thus its security and resilience has become a critical concern.

Capabilities with a Competitive Advantage also Bring New Vulnerabilities

In general, any new capability that has given our military a competitive edge also brings with it new vulnerabilities. A recent example is the introduction of GPS and other navigation systems. When these became widespread in the 90s, the risk of getting ‘geographically embarrassed’ was reduced, and thus members of the army bought consumer GPS receivers for personal use on exercise and operations. Thus, this capability represented a significant advance, and the joke that ‘the most dangerous thing in the combat zone is an officer with a map’ became less relevant. 

However, skills like map reading need to be learned and practised, and as such the more we rely on technological aids, the more we atrophy muscle memory. How many of us follow phone directions, only to realise we haven’t learned the route and have no feel for the environment we have just travelled through?

This effect is organisational as well as individual. The strive for achieving efficiency through digital transformation has led to fragility, with the loss of capacity and capability when digital services are disrupted. The global IT failure caused by CrowdStrike overnight on the 18-19th July demonstrates this clearly; in just a few hours, a software update crashed 8.5m computers globally, severely disrupting banks, airlines, rail services, healthcare, and other critical services. 

Maintaining full capacity in a reversionary mode is not economically viable once core business processes have been digitally optimised. However, reducing the likelihood and impact of a systemic incident like this requires systems to be designed with resilience from the outset.

Good Cyber and Data Security is about Much More than Preventing Data Leaks

It is natural to assume that maintaining data security is primarily about preventing someone from stealing confidential information. Granted, this has been an important consideration since spies first operated; this is why we classify and compartmentalise information.

However, confidentiality is only a part of the problem. If we look back at the trends over the last decade, many of the most damaging attacks have been ransomware. In these incidents, the attackers deny their victims the ability to access their own information until they pay a fee.

It is also vital to ensure that information is not modified covertly. It is an intriguing aspect of human nature that people frequently assume the information presented on a computer is completely accurate, when they would not have the same trust in information provided by a human. 

When serving, I saw staff officers assume that a unit’s location displayed on a digital map was accurate to within metres and always up to date. They knew, though, that the underlying information had been reported by a human to another human, over the radio, sporadically, and as an approximate six-figure grid reference. That instinctive belief in digital accuracy contrasts with the physical map table, where the information was recognised as inherently vague and out of date.

Protecting the availability of information and preventing its modification is just as important as preventing it from falling into the wrong hands.

Why do we need to care? What is the threat?

What must we protect to preserve our fighting power and freedom of manoeuvre on military operations? How could malicious actors undermine military capability? We first need to step above the world of ‘bits and bytes’ and decide what maligned intents might target us. The following are just a few examples, but they illustrate that the systemic nature of our digital landscape makes the risks far more complex and nuanced than they first appear.

Espionage

Espionage is as old as human conflict. Two and a half thousand years ago, Sun Tzu wrote a whole chapter on the importance of espionage and the use of spies. It is practiced across all contexts from the grand strategic and political levels, down to the compromise of tactical communications and devices. Espionage is also rife across the defence industrial base to gain insight and intellectual property about future weapon systems so that they can be countered and copied. 

Capability Denial

Even with Mission Command to empower and delegate, any operation relies on the efficient flow of information and commands to exploit opportunities and achieve the desired effects. This makes Command and Control capabilities a ripe target. One hour before Russia launched its full-scale invasion, it attempted to disrupt Ukraine’s C2 capabilities by executing a cyber-attack on the communications company Viasat. Disruption of communications bearers is an obvious approach, but a widespread attack on networked computers would be more complicated to recover from. And, as we realise the vision of an ‘Internet of Military Things’, described recently by the UK Chief of General Staff, by networking all elements of battlefield equipment, digital denial could extend across those platforms, disrupting intelligence, logistics, mobility, and fires.

Subversion & Deception

Subversion and deception are already directed at our personal lives; phishing attacks, spoofed websites, fake news, trolls, and bots all attempt to manipulate the way we think and act. A notable case involved an AI-generated deep-fake of a company CFO on a video conference call, leading to criminals defrauding Arup, a UK Engineering firm, by HK$200m (US$25m). 

It may be a while before we see Microsoft Teams in the trenches, but reachback from formation headquarters to the home-base is nothing new. Are we prepared for remote support into theatre, provided by partners and suppliers, being used as a vector to conduct highly realistic live deception and socially engineered attacks like the one Arup experienced?

Degradation of the Moral Component

The moral component – the ability to get people to fight – is the pre-eminent of the three essential elements that make up fighting power according to the UK defence doctrine. Many things would influence it, but a sense of confidence in the security and wellbeing of a soldier’s family at home is a key one. What if the family at home couldn’t access money because the military payroll system had been attacked? How quickly would force motivation and cohesion on operations deteriorate?

What is Being Done, and What More Should We Do?

The UK government has recognised the threats and risks for some time, and it has done a lot to reduce them. Cyber security has been recognised as a fundamental part of national security for over a decade, with the Defence Industrial Sector identified as critical national infrastructure. The Ministry of Defence’s (MOD) recent shift in governance policy to demand that systems are Secure by Design, and that a programme’s Senior Responsible Officer takes ownership and responsibility for risk, is significant progress. 

However, threat and risks are not static. Foreign state hacks, both covert and overt, have risen with geopolitical instability. In the most recent National Cyber Security Centre’s annual review, they specifically described the intensity and pervasive nature of the cyber threat from Russia. Cyber-attacks against our information, digital services, and infrastructure, will be a core component of any hybrid war, not least because of their deniability. We can see this today with attacks that closely correlate with the Kremlin’s interests and motivations, such as the recent attack by Russian hackers on NHS partners in London.

Fragile networks are only as strong as their weakest link. For some time, the defence ‘network’ has spanned the wider defence enterprise, which extends deep into the supply chain. Our need to maintain technological advantage and agility means we will need to source innovation far beyond the traditional Defence OEMs, and we will need to get updates into theatre quickly and frequently. This makes the supplier of a digital ‘widget’ part of the operational network, even if they’re not connected to it. 

So, the extended network is expanding and becoming increasingly operationally critical, and the capabilities and motivations of the geopolitical threats we face are evolving. What was adequate five years ago is unlikely to be sufficient for the next five. There are many steps that can be taken to respond to this change, and the following three focus on resilience in the extended defence network: 

Threat Escalation Contingency Planning

All networks have non-critical capabilities that deliver softer benefits and efficiency. However, every piece of software, network segment, or service presents a part of the surface that can be attacked. When the threat escalates, we can reduce our attack service by pre-emptively switching off non-core services, and further segmenting critical capabilities, all at the expense of efficiency. There is evidence that Ukraine’s resilience in the face of Russian cyber-attacks in 2022 benefitted from this preparation. Preparing and testing these measures takes time and imposing it on suppliers will also have commercial consequences. 

Enhanced Continuous Supplier Assurance

Supplier assurance for cyber risk has been an element of MOD risk management for some time, albeit the tools to facilitate it have been limited since the Octavian Supplier Cyber Protection Service was retired without replacement in 2021. However, when the scope of the networks at risk increases and the threats evolve, we need to change our posture. This will affect the suppliers to focus on, the questions we ask, and the standards we expect. Assurance needs to be flexible and dynamic; threat changes may require targeted or widespread reviews at short notice, with commercial as well as practical implications.

Cyber Stress Testing

The Bank of England introduced its Critical National Infrastructure Banking Supervision and Evaluation Testing (CBEST) in 2014 to assure operational resilience in the UK financial sector. Implementing the Defence equivalent of CBEST would take some significant time and effort to deliver results. However, without this type of activity, there is insufficient objective evidence that risk and resilience are tolerable.

Conclusions

Our demographics and the moral value we place on life as a society mean our military’s ability to deter and, if necessary, defeat a belligerent nation-state, will rely on it exploiting technological advantage. The evolution of conflict in Ukraine also demonstrates that industries will need to be able to deliver digital enhancements to that technology rapidly into theatre to maintain an advantage. But this introduces vulnerabilities well beyond the boundaries of Government departments and their Tier 1 suppliers. If the enemy can exploit these vulnerabilities, the impact would be significantly greater than the equivalent several decades ago.

The increased dependence on agile reachback support from suppliers makes the supply chain an extended part of the networked battlespace, and their security and resilience are critical components of the risk calculus. A lot of progress has been made over the last ten years. But this period has also demonstrated that we should expect a cyber-capable adversarial state to do against us. To prevent and, if necessary, prosecute a war in the future, we need to not just maintain, but significantly enhance our management of risk in the defence supply chain.

To find out more about our Cyber Security services and security philosophy, check out our service page.

To contact Tom Burton and arrange a free consultation, use the form below or email Tom at tburton@cambridgemc.com.