Los escenarios de conflicto del siglo XXI incluir\u00e1n operaciones de Ciberguerra en las cuales, las plataformas de armas y de apoyo ser\u00e1n atacadas. Los sistemas militares son vulnerables y se necesita tener en cuenta que, las nuevas armas y equipos que se incorporen, incluyan las contramedidas para responder adecuadamente a los ciberataques del enemigo, que ser\u00e1n la norma en el campo de batalla. Las armas no funcionar\u00e1n adecuadamente, los drones ser\u00e1n neutralizados en el aire, los abastecimientos no llegar\u00e1n en tiempo, etc.<\/p>\n
\u201cIf you think any of these systems are going to work as expected in wartime, you\u2019re fooling yourself.\u201d<\/p>\n<\/div>\n
That was Bruce\u2019s response at a conference hosted by U.S. Transportation Command in 2017, after learning that their computerized logistical systems were mostly unclassified and on the internet. That may be necessary to keep in touch with civilian companies like FedEx in peacetime or when fighting terrorists or insurgents. But in a new era facing off with China or Russia, it is dangerously complacent.<\/p>\n<\/div>\n
Any 21st century war will include cyber operations. Weapons and support systems will be successfully attacked. Rifles<\/a> and pistols<\/a> won\u2019t work properly. Drones will be hijacked<\/a> midair<\/a>. Boats won\u2019t sail<\/a>, or will be misdirected<\/a>. Hospitals won\u2019t function<\/a>. Equipment and supplies will arrive late<\/a> or not at all.<\/p>\n<\/div>\n Our military systems are vulnerable<\/a>. We need to face that reality by halting the purchase of insecure weapons and support systems and by incorporating the realities of offensive cyberattacks into our military planning.<\/p>\n<\/div>\n Over the past decade, militaries have established cyber commands<\/a> and developed<\/a> cyberwar<\/a> doctrine<\/a>. However, much of the current discussion is about offense. Increasing our offensive capabilities without being able to secure them is like having all the best guns in the world, and then storing them in an unlocked, unguarded armory. They just won\u2019t be stolen; they\u2019ll be subverted.<\/p>\n<\/div>\n During that same period, we\u2019ve seen increasingly<\/a> brazen<\/a> cyberattacks<\/a> by everyone<\/a> from criminals<\/a> to governments<\/a>. Everything is now a computer, and those computers are vulnerable<\/a>. Cars, medical devices, power plants, and fuel pipelines have all been targets. Military computers, whether they\u2019re embedded inside weapons systems or on desktops managing the logistics of those weapons systems, are similarly vulnerable. We could see effects as stodgy as making a tank impossible to start up, or sophisticated as retargeting a missile midair.<\/p>\n<\/div>\n Military software is unlikely to be any more secure than commercial software. Although sensitive military systems rely on domestically manufactured chips as part of the Trusted Foundry<\/a> program, many military systems contain the same foreign chips and code that commercial systems do: just like everyone around the world uses the same mobile phones, networking equipment, and computer operating systems. For example, there has been serious concern<\/a> over Chinese-made 5G networking equipment that might be used by China to install \u201cback doors\u201d that would allow the equipment to be controlled. This is just one of many risks to our normal civilian computer supply chains<\/a>. And since military software is vulnerable to the same cyberattacks as commercial software, military supply chains have many of the same risks.<\/p>\n<\/div>\n This is not speculative. A 2018 GAO report<\/a> expressed concern regarding the lack of secure and patchable U.S. weapons systems. The report observed that \u201cin operational testing, the [Department of Defense] routinely found mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic.\u201d It\u2019s a similar attitude to corporate executives who believe that they can\u2019t be hacked\u2014and equally naive.<\/p>\n<\/div>\n An updated GAO report<\/a> from earlier this year found some improvements, but the basic problem remained: \u201cDOD is still learning how to contract for cybersecurity in weapon systems, and selected programs we reviewed have struggled to incorporate systems\u2019 cybersecurity requirements into contracts.\u201d While DOD now appears aware of the issue of lack of cybersecurity requirements, they\u2019re still not sure yet how to fix it, and in three of the five cases GAO reviewed, DOD simply chose to not include the requirements at all.<\/p>\n<\/div>\n Militaries around the world are now exploiting these vulnerabilities in weapons systems to carry out operations. When Israel in 2007 bombed a Syrian nuclear reactor, the raid was preceded by what is believed to have been a cyber attack<\/a> on Syrian air defenses that resulted in radar screens showing no threat as bombers zoomed overhead. In 2018, a 29-country NATO exercise, Trident Juncture<\/a>, that included cyberweapons was disrupted<\/a> by Russian GPS jamming. NATO does try to test cyberweapons outside such exercises, but has limited scope in doing so. In May, Jens Stoltenberg, the NATO secretary-general, said<\/a> that \u201cNATO computer systems are facing almost daily cyberattacks.\u201d<\/p>\n<\/div>\n The war of the future will not only be about explosions, but will also be about disabling the systems that make armies run. It\u2019s not (solely) that bases will get blown up; it\u2019s that some bases will lose power, data, and communications. It\u2019s not that self-driving trucks will suddenly go mad and begin rolling over friendly soldiers; it\u2019s that they\u2019ll casually roll off roads or into water where they sit, rusting, and in need of repair. It\u2019s not that targeting systems on guns will be retargeted to 1600 Pennsylvania Avenue; it\u2019s that many of them could simply turn off and not turn back on again.<\/p>\n<\/div>\n So, how do we prepare for this next war? First, militaries need to introduce a little anarchy into their planning. Let\u2019s have wargames where essential systems malfunction or are subverted\u2014not all of the time, but randomly. To help combat siloed military thinking, include some civilians as well. Allow their ideas into the room when predicting potential enemy action. And militaries need to have well-developed backup plans, for when systems are subverted. In Joe Haldeman\u2019s 1975 science-fiction novel The Forever War,<\/em> he postulated a \u201cstasis field\u201d that forced his space marines to rely on nothing more than Roman military technologies, like javelins<\/a>. We should be thinking in the same direction.<\/p>\n<\/div>\n NATO isn\u2019t yet allowing<\/a> civilians not employed by NATO or associated military contractors access to their training cyber ranges where vulnerabilities could be discovered and remediated before battlefield deployment. Last year, one of us (Tarah) was listening to a NATO briefing after the end of the 2020 Cyber Coalition<\/a> exercises, and asked how she and other information security researchers could volunteer to test cyber ranges used to train its cyber incident response force. She was told that including civilians would be a \u201cwelcome thought experiment in the tabletop exercises,\u201d but including them in reality wasn\u2019t considered. There is a rich opportunity for improvement here, providing transparency into where improvements could be made.<\/p>\n<\/div>\n Second, it\u2019s time to take cybersecurity seriously in military procurement, from weapons systems to logistics and communications contracts. In the three year span from the original 2018 GAO report to this year\u2019s report, cybersecurity audit compliance went from 0% to 40% (those 2 of 5 programs mentioned earlier). We need to get much better. DOD requires<\/a> that its contractors and suppliers follow the Cybersecurity Maturity Model Certification<\/a> process; it should abide by the same standards. Making those standards both more rigorous and mandatory would be an obvious second step.<\/p>\n<\/div>\n Gone are the days when we can pretend that our technologies will work in the face of a military cyberattack. Securing our systems will make everything we buy more expensive\u2014maybe a lot more expensive. But the alternative is no longer viable.<\/p>\n<\/div>\n