September 22, 2015
To Cyber the Kill Chain, Cyber the Supply Chain
When safeguarding the global commons, should we rely on it less?
By James Hasik
At the same time, Carter pretty much wants to wrap electronics around everything, proliferating precision and combat-networking down to every Iron Man suit in the force. But does that make navigation and communication and everything else more or less secure? Note the contrast with the US Office of Personnel Management—after losing all the data, new management decided that all new security clearance work would be done with pens-on-paper. I can guarantee that the Chinese can’t hack my slide rule or my notebook, and to follow Patrick Tucker's recent advice, anything more “could get you killed”. So which is it?
There’s a long litany of scary stories to take for inspiration. Recall that opening scene of Tom Clancy’s Red Storm Rising (G. P. Putnam's Sons, 1986), in which saboteurs destroy a Soviet petroleum facility by hay-wiring the control center. Think about the possibly less fictional story, from former Air Force Secretary Tom Reed, about how the US did that to a Soviet gas pipeline in 1982 by booby-trapping the control software the KGB was stealing. Or forgo the stories, and just think about the havoc Stuxnet wrought on a uranium enrichment plant. Or how those two characters hacked into a moving Jeep Cherokee back in July. It’s enough to make you want to throw away your smartphone, and grab some paper maps and ledgers.
Adversaries with a long view might thus be well advised to aim upstream, in part because the new Western way of war is so predicated upon protection. Fighting in southwest Asia has been greatly constrained with judicious rules of engagement. Profound concern for collateral damage has almost returned the micromanagement of the Johnson Administration in southeast Asia. With 98 percent of JDAMs and Brimstones hitting their targets, the statistical noise of occasional guidance failures rises to flag officer attention. But as bad as the Hanoi Hilton was, when allied aviators go down now, they get torched in a cage. One side here is playing total war, but the other isn’t and shouldn’t.
That means that a savvy adversary could try to muck with that kill chain by invading Boeing or MBDA’s supply chain. There are plenty of entry points—physical attacks against plant and personnel, cyber attacks against production equipment, or corrupting the operating software of the weapons themselves. With the JDAM and Brimstone lines working at full burn, interruptions could propagate quickly. What then, if the Coalition air forces could only use unguided bombs? Or even just laser-guided bombs? Either the rules of engagement would need to change—with a concomitant surrender of that moral high ground—or the adversary would gain sanctuary in time and space.
Safeguarding the global commons of the 21st century is a big job. Just safeguarding Mount Sinjar or lifting the Siege of Kobanî can seem a harder job, if you’re trying to do it entirely from the air. Pondering how long Volkswagen’s bogus engine control software escaped regulatory gaze can lead to a certain queasiness about the potential distribution of zero-day exploits. These sorts of problems aren’t going to get easier, and realistically assessing the threats is challenging. But it’s probably time again to consider the robustness that comes with multiple weapons, multiple sources, backup production sites, backup operating modes, and all sorts of Pearl Harbor file manual interventions for shaking off the unexpected.
James Hasík is a senior fellow at the Brent Scowcroft Center on International Security, and co-author of Precision Revolution: GPS and the Future of Aerial Warfare (Naval Institute Press, 2002). He thanks David Foster of Naval Air Systems Command for insights which led to this essay.