There Will Be Cyberwar

or

The Internet of Military Things (IoMT)

Richard StiennonChief Research AnalystIT-Harvest

twitter.com/cyberwar

Keynote, CyberSecurity World, Washington DC, October 28, 2015

Book Launch: October 29, National Press Club 4 PM. All welcome

twitter.com/cyberwarhttp://www.amazon.com/There-Will-Be-Cyberwar-Network-Centric/dp/0985460784

Purchase on Amazon

The Revolution in Military Affairs

• Roman centuries • Long bow and battle of Crecy• Napoleon’s staff command• Machine guns• Mechanized armor, blitzkrieg

The Modern RMA

• Operation Desert Storm leads to:

• Russian assessment of precision weapons ISR, C&C as force multiplier, which leads to

• Andrew Marshall

IT-Harvest Confidential

Andrew Marshall: Enigmatic Strategist

Andrew W. Marshall (born September 13, 1921) just retired director of the United States Department of Defense's Office of Net Assessment.

1996 Taiwan Straits Crisis "Admiral Clemens was able to use e-mail, a very graphic-

rich environment, and video teleconferencing to achieve the effect he wanted", which was to deploy the carrier battle groups in a matter of hours instead of days.” -Arthur Cebrowski

USS Nimitz and USS Independence deployto Taiwan.

Admiral Archie Clemins

Father of Network Centric Warfare

Clemins’ Apple Powerbook 160

9.8 inch greyscale LCD Display

Up to 14 MB RAM (smaller than this slide deck)

40MB SCSI Hard Disk Drive

8 pounds

USS Blue Ridge command ship of the US Navy 7th Fleet

A Lasting LegacySame Inmarsat satellite constellation still in use

N21 initiative launched

Pentagon Office of Force Transformation led by Arthur Cebrowski

Arthur Cebrowski: Evangelist

“Network Centric Warfare should be the cornerstone of transformation. If you are not interoperable you are not on the net.You are not benefiting from the information age”.

The NCW Dream

Total Situational Awareness eliminates “the fog of war”

Red Team - Blue Team identification

Central Command and Control. Distributed battle command.(The Global Information Grid, or GIG)

Networked Intelligence, Surveillance Reconnaissance (ISR) -a sensor grid

IT-Harvest Confidential

Network Centric Warfare

Everything connected (like the Internet)

Satellite-Planes-Drones-Ground-Sea based sensor grid

Instant communication over a Global Grid

Deja vu all over again

We’ve seen this story payed out before in the enterprise.

First, network everything. Take advantage of connectivity and ubiquity to re-invent commerce, social interactions, and communications.

Second: succumb to attacks from hackers, cyber criminals, hacktivists, and nation states.

Finally: Layer in security

How the Military Failed in SecurityApril 1, 2001 a Navy EP-3E was forced down and captured by China. Top secret OS compromised

In 2008 China blatantly flooded communication channels known to be monitored by the NSA with decrypted US intercepts, kicking off a major re-deployment. SEVEN years too late.

How the Military Failed in SecurityFirst, the Pentagon email servers p0wned 2007

Then terabytes of data exfiltrated to China from the Defense Industrial Base. The target? Joint Strike Fighter design data.

Military IT Security Failures

The Wake Up Call

BUCKSHOT YANKEE

Agent.btz introduced via thumb drive in a forward operations command (Afghanistan?)

EVERY Windows machine re-imaged in the entire military (3 million +) at a cost of $1 Billion.

Drone madness 1

Drone madness 2

Drone madness 3

IT-Harvest Confidential

SATCOM Vulns

• “We uncovered what would appear to be multiple backdoors, hardcoded credentials, undocumented and/or insecure protocols, and weak encryption algorithms.” -IOActive

Software Assurance maturity came after most new weapons platforms were sourced.

One Air Force study of 3 million lines of code revealed:

One software vulnerability per 8 lines of code

One high vulnerability per 31 lines of code

One critical vulnerability for 70 lines of code

The F-35 Joint Strike Fighter

“JSF software development is one of the largest and most complex projects in DOD history.”

-Michael J. Sullivan, Director Acquisition and Sourcing Management for the DoD:

The F-35 Joint Strike Fighter• Nine million lines of onboard

code could mean 128,000 critical vulns

• 15 million lines of logistics code could mean another 214,000 critical vulns

• What could possibly go wrong?

Taiwan Straits Crisis. 2018?

GPS hacks deflect jets away from tankers

Mission tasking subverted

Communications intercepts mislead commander

Radar jamming masks enemy movement

Result? Military defeat

A Working Definition of Cyberwar

The use of network and computer attack to support the operations of a military force.

IT-Harvest Confidential

Cyber Pearl Harbor Defined

An overwhelming defeat of US forces due to

enemy information dominance.

And it look like this…

IT-Harvest Confidential

email: richard@it-harvest.com

Twitter: twitter.com/cyberwar